1 /* 2 * Copyright 2011 Tresys Technology, LLC. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions are met: 6 * 7 * 1. Redistributions of source code must retain the above copyright notice, 8 * this list of conditions and the following disclaimer. 9 * 10 * 2. Redistributions in binary form must reproduce the above copyright notice, 11 * this list of conditions and the following disclaimer in the documentation 12 * and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY TRESYS TECHNOLOGY, LLC ``AS IS'' AND ANY EXPRESS 15 * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 16 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO 17 * EVENT SHALL TRESYS TECHNOLOGY, LLC OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, 18 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 19 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 21 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE 22 * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF 23 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 * 25 * The views and conclusions contained in the software and documentation are those 26 * of the authors and should not be interpreted as representing official policies, 27 * either expressed or implied, of Tresys Technology, LLC. 
 */

#ifndef CIL_INTERNAL_H_
#define CIL_INTERNAL_H_

/*
 * Internal header for the CIL compiler (see the guard name; the public
 * interface is <cil/cil.h>, included below).  It declares the resolution
 * pass order, the keyword strings, the symbol-table indices, the in-memory
 * form of every CIL statement, and the init/destroy prototypes for those
 * objects.  Only declarations live here; the definitions and all
 * validation logic are in the .c files and are not visible from this file.
 */

#include <stdlib.h>
#include <stdio.h>
#include <stdint.h>
#include <arpa/inet.h>		/* struct in_addr / in6_addr for struct cil_ipaddr */

/* sepol headers: SECURITY_FS_USE_*, DEFAULT_* and sepol_access_vector_t are used below */
#include <sepol/policydb/services.h>
#include <sepol/policydb/policydb.h>
#include <sepol/policydb/flask_types.h>

#include <cil/cil.h>

#include "cil_flavor.h"
#include "cil_tree.h"
#include "cil_symtab.h"
#include "cil_mem.h"

/* Upper bound on an identifier's length.  Where it is enforced is not visible here. */
#define CIL_MAX_NAME_LENGTH 2048

/*
 * Limits whose names suggest a guard against degenerate (runaway) blockinherit
 * expansion, i.e. a resource-exhaustion protection.  MINIMUM evaluates to
 * 1 << 10 == 1024.  The check that applies them lives outside this header --
 * confirm against the resolver before relying on the exact semantics.
 */
#define CIL_DEGENERATE_INHERITANCE_DEPTH 10UL
#define CIL_DEGENERATE_INHERITANCE_MINIMUM (0x01 << CIL_DEGENERATE_INHERITANCE_DEPTH)
#define CIL_DEGENERATE_INHERITANCE_GROWTH 10UL

/*
 * Resolution passes, in the order they run.  CIL_PASS_NUM is the count of
 * passes and is not itself a pass.  What each pass does is not described here.
 */
enum cil_pass {
	CIL_PASS_INIT = 0,

	CIL_PASS_TIF,
	CIL_PASS_IN_BEFORE,
	CIL_PASS_BLKIN_LINK,
	CIL_PASS_BLKIN_COPY,
	CIL_PASS_BLKABS,
	CIL_PASS_IN_AFTER,
	CIL_PASS_CALL1,
	CIL_PASS_CALL2,
	CIL_PASS_ALIAS1,
	CIL_PASS_ALIAS2,
	CIL_PASS_MISC1,
	CIL_PASS_MLS,
	CIL_PASS_MISC2,
	CIL_PASS_MISC3,

	CIL_PASS_NUM
};


/*
	Keywords

	Keyword strings, defined in a .c file that is not visible here.  Note
	that they are declared as non-const `char *`: nothing in this header
	prevents writing through them.  `const char *` would be safer, but that
	is an interface change for every user of these names, so it is only
	noted here.
*/
extern char *CIL_KEY_CONS_T1;
extern char *CIL_KEY_CONS_T2;
extern char *CIL_KEY_CONS_T3;
extern char *CIL_KEY_CONS_R1;
extern char *CIL_KEY_CONS_R2;
extern char *CIL_KEY_CONS_R3;
extern char *CIL_KEY_CONS_U1;
extern char *CIL_KEY_CONS_U2;
extern char *CIL_KEY_CONS_U3;
extern char *CIL_KEY_CONS_L1;
extern char *CIL_KEY_CONS_L2;
extern char *CIL_KEY_CONS_H1;
extern char *CIL_KEY_CONS_H2;
extern char *CIL_KEY_AND;
extern char *CIL_KEY_OR;
extern char *CIL_KEY_NOT;
extern char *CIL_KEY_EQ;
extern char *CIL_KEY_NEQ;
extern char *CIL_KEY_CONS_DOM;
extern char *CIL_KEY_CONS_DOMBY;
extern char *CIL_KEY_CONS_INCOMP;
extern char *CIL_KEY_CONDTRUE;
extern char *CIL_KEY_CONDFALSE;
extern char *CIL_KEY_SELF;
extern char *CIL_KEY_NOTSELF;
extern char *CIL_KEY_OTHER;
extern char *CIL_KEY_OBJECT_R;
extern char *CIL_KEY_STAR;
extern char *CIL_KEY_TCP;
extern char *CIL_KEY_UDP;
extern char *CIL_KEY_DCCP;
extern char *CIL_KEY_SCTP;
extern char *CIL_KEY_AUDITALLOW;
extern char *CIL_KEY_TUNABLEIF;
extern char *CIL_KEY_ALLOW;
extern char *CIL_KEY_DONTAUDIT;
extern char *CIL_KEY_TYPETRANSITION;
extern char *CIL_KEY_TYPECHANGE;
extern char *CIL_KEY_CALL;
extern char *CIL_KEY_TUNABLE;
extern char *CIL_KEY_XOR;
extern char *CIL_KEY_ALL;
extern char *CIL_KEY_RANGE;
extern char *CIL_KEY_GLOB;
extern char *CIL_KEY_FILE;
extern char *CIL_KEY_DIR;
extern char *CIL_KEY_CHAR;
extern char *CIL_KEY_BLOCK;
extern char *CIL_KEY_SOCKET;
extern char *CIL_KEY_PIPE;
extern char *CIL_KEY_SYMLINK;
extern char *CIL_KEY_ANY;
extern char *CIL_KEY_XATTR;
extern char *CIL_KEY_TASK;
extern char *CIL_KEY_TRANS;
extern char *CIL_KEY_TYPE;
extern char *CIL_KEY_ROLE;
extern char *CIL_KEY_USER;
extern char *CIL_KEY_USERATTRIBUTE;
extern char *CIL_KEY_USERATTRIBUTESET;
extern char *CIL_KEY_SENSITIVITY;
extern char *CIL_KEY_CATEGORY;
extern char *CIL_KEY_CATSET;
extern char *CIL_KEY_LEVEL;
extern char *CIL_KEY_LEVELRANGE;
extern char *CIL_KEY_CLASS;
extern char *CIL_KEY_IPADDR;
extern char *CIL_KEY_MAP_CLASS;
extern char *CIL_KEY_CLASSPERMISSION;
extern char *CIL_KEY_BOOL;
extern char *CIL_KEY_STRING;
extern char *CIL_KEY_NAME;
extern char *CIL_KEY_SOURCE;
extern char *CIL_KEY_TARGET;
extern char *CIL_KEY_LOW;
extern char *CIL_KEY_HIGH;
extern char *CIL_KEY_LOW_HIGH;
extern char *CIL_KEY_GLBLUB;
extern char *CIL_KEY_HANDLEUNKNOWN;
extern char *CIL_KEY_HANDLEUNKNOWN_ALLOW;
extern char *CIL_KEY_HANDLEUNKNOWN_DENY;
extern char *CIL_KEY_HANDLEUNKNOWN_REJECT;
extern char *CIL_KEY_MACRO;
extern char *CIL_KEY_IN;
extern char *CIL_KEY_IN_BEFORE;
extern char *CIL_KEY_IN_AFTER;
extern char *CIL_KEY_MLS;
extern char *CIL_KEY_DEFAULTRANGE;
extern char *CIL_KEY_BLOCKINHERIT;
extern char *CIL_KEY_BLOCKABSTRACT;
extern char *CIL_KEY_CLASSORDER;
extern char *CIL_KEY_CLASSMAPPING;
extern char *CIL_KEY_CLASSPERMISSIONSET;
extern char *CIL_KEY_COMMON;
extern char *CIL_KEY_CLASSCOMMON;
extern char *CIL_KEY_SID;
extern char *CIL_KEY_SIDCONTEXT;
extern char *CIL_KEY_SIDORDER;
extern char *CIL_KEY_USERLEVEL;
extern char *CIL_KEY_USERRANGE;
extern char *CIL_KEY_USERBOUNDS;
extern char *CIL_KEY_USERPREFIX;
extern char *CIL_KEY_SELINUXUSER;
extern char *CIL_KEY_SELINUXUSERDEFAULT;
extern char *CIL_KEY_TYPEATTRIBUTE;
extern char *CIL_KEY_TYPEATTRIBUTESET;
extern char *CIL_KEY_EXPANDTYPEATTRIBUTE;
extern char *CIL_KEY_TYPEALIAS;
extern char *CIL_KEY_TYPEALIASACTUAL;
extern char *CIL_KEY_TYPEBOUNDS;
extern char *CIL_KEY_TYPEPERMISSIVE;
extern char *CIL_KEY_RANGETRANSITION;
extern char *CIL_KEY_USERROLE;
extern char *CIL_KEY_ROLETYPE;
extern char *CIL_KEY_ROLETRANSITION;
extern char *CIL_KEY_ROLEALLOW;
extern char *CIL_KEY_ROLEATTRIBUTE;
extern char *CIL_KEY_ROLEATTRIBUTESET;
extern char *CIL_KEY_ROLEBOUNDS;
extern char *CIL_KEY_BOOLEANIF;
extern char *CIL_KEY_NEVERALLOW;
extern char *CIL_KEY_TYPEMEMBER;
extern char *CIL_KEY_SENSALIAS;
extern char *CIL_KEY_SENSALIASACTUAL;
extern char *CIL_KEY_CATALIAS;
extern char *CIL_KEY_CATALIASACTUAL;
extern char *CIL_KEY_CATORDER;
extern char *CIL_KEY_SENSITIVITYORDER;
extern char *CIL_KEY_SENSCAT;
extern char *CIL_KEY_CONSTRAIN;
extern char *CIL_KEY_MLSCONSTRAIN;
extern char *CIL_KEY_VALIDATETRANS;
extern char *CIL_KEY_MLSVALIDATETRANS;
extern char *CIL_KEY_CONTEXT;
extern char *CIL_KEY_FILECON;
extern char *CIL_KEY_IBPKEYCON;
extern char *CIL_KEY_IBENDPORTCON;
extern char *CIL_KEY_PORTCON;
extern char *CIL_KEY_NODECON;
extern char *CIL_KEY_GENFSCON;
extern char *CIL_KEY_NETIFCON;
extern char *CIL_KEY_PIRQCON;
extern char *CIL_KEY_IOMEMCON;
extern char *CIL_KEY_IOPORTCON;
extern char *CIL_KEY_PCIDEVICECON;
extern char *CIL_KEY_DEVICETREECON;
extern char *CIL_KEY_FSUSE;
extern char *CIL_KEY_POLICYCAP;
extern char *CIL_KEY_OPTIONAL;
extern char *CIL_KEY_DEFAULTUSER;
extern char *CIL_KEY_DEFAULTROLE;
extern char *CIL_KEY_DEFAULTTYPE;
extern char *CIL_KEY_ROOT;
extern char *CIL_KEY_NODE;
extern char *CIL_KEY_PERM;
extern char *CIL_KEY_ALLOWX;
extern char *CIL_KEY_AUDITALLOWX;
extern char *CIL_KEY_DONTAUDITX;
extern char *CIL_KEY_NEVERALLOWX;
extern char *CIL_KEY_PERMISSIONX;
extern char *CIL_KEY_IOCTL;
extern char *CIL_KEY_NLMSG;
extern char *CIL_KEY_UNORDERED;
extern char *CIL_KEY_SRC_INFO;
extern char *CIL_KEY_SRC_CIL;
extern char *CIL_KEY_SRC_HLL_LMS;
extern char *CIL_KEY_SRC_HLL_LMX;
extern char *CIL_KEY_SRC_HLL_LME;
extern char *CIL_KEY_DENY_RULE;

/*
	Symbol Table Array Indices

	Every symtab array in this header is declared as symtab_t symtab[CIL_SYM_NUM],
	so only values below CIL_SYM_NUM are valid indices.  CIL_SYM_UNKNOWN and
	CIL_SYM_PERMS sit *after* CIL_SYM_NUM and must never be used to index such
	an array; the place that rejects them is not visible in this header.
*/
enum cil_sym_index {
	CIL_SYM_BLOCKS = 0,
	CIL_SYM_USERS,
	CIL_SYM_ROLES,
	CIL_SYM_TYPES,
	CIL_SYM_COMMONS,
	CIL_SYM_CLASSES,
	CIL_SYM_CLASSPERMSETS,
	CIL_SYM_BOOLS,
	CIL_SYM_TUNABLES,
	CIL_SYM_SENS,
	CIL_SYM_CATS,
	CIL_SYM_SIDS,
	CIL_SYM_CONTEXTS,
	CIL_SYM_LEVELS,
	CIL_SYM_LEVELRANGES,
	CIL_SYM_POLICYCAPS,
	CIL_SYM_IPADDRS,
	CIL_SYM_STRINGS,
	CIL_SYM_PERMX,
	CIL_SYM_NUM,		/* number of symtabs in an array; not an index */
	CIL_SYM_UNKNOWN,	/* out of range on purpose: "no symtab" */
	CIL_SYM_PERMS		// Special case for permissions. This symtab is not included in arrays
};

/* Kinds of scope that own a symtab array; selects a row of cil_sym_sizes. */
enum cil_sym_array {
	CIL_SYM_ARRAY_ROOT = 0,
	CIL_SYM_ARRAY_BLOCK,
	CIL_SYM_ARRAY_IN,
	CIL_SYM_ARRAY_MACRO,
	CIL_SYM_ARRAY_CONDBLOCK,
	CIL_SYM_ARRAY_NUM
};

/* Per scope kind, the size of each symtab; passed as symtab_sizes to cil_symtab_array_init(). */
extern const int cil_sym_sizes[CIL_SYM_ARRAY_NUM][CIL_SYM_NUM];

#define CIL_CLASS_SYM_SIZE	256
/* Bits in a sepol access vector, i.e. the most permissions one kernel class can carry. */
#define CIL_PERMS_PER_CLASS (sizeof(sepol_access_vector_t) * 8)

/*
 * Top-level compiler state: the two trees, global ordering lists, the
 * context statement sorts, value-indexed lookup tables and the
 * compile-time options.  Ownership and lifetime are handled by
 * cil_db_init()/cil_db_destroy() (declared below; bodies not visible here).
 */
struct cil_db {
	struct cil_tree *parse;			/* parse tree (by name; see cil_tree.h) */
	struct cil_tree *ast;			/* AST built from it (by name) */
	struct cil_type *selftype;		/* presumably the datums behind CIL_KEY_SELF, */
	struct cil_type *notselftype;		/* CIL_KEY_NOTSELF and CIL_KEY_OTHER -- confirm */
	struct cil_type *othertype;
	struct cil_list *sidorder;
	struct cil_list *classorder;
	struct cil_list *catorder;
	struct cil_list *sensitivityorder;
	/* one cil_sort per context-labelling statement kind */
	struct cil_sort *netifcon;
	struct cil_sort *genfscon;
	struct cil_sort *filecon;
	struct cil_sort *nodecon;
	struct cil_sort *ibpkeycon;
	struct cil_sort *ibendportcon;
	struct cil_sort *portcon;
	struct cil_sort *pirqcon;
	struct cil_sort *iomemcon;
	struct cil_sort *ioportcon;
	struct cil_sort *pcidevicecon;
	struct cil_sort *devicetreecon;
	struct cil_sort *fsuse;
	struct cil_list *userprefixes;
	struct cil_list *selinuxusers;
	struct cil_list *declared_strings;
	int num_types_and_attrs;
	int num_classes;
	int num_cats;
	int num_types;
	int num_roles;
	int num_users;
	/* NOTE(review): presumably indexed by the datum's `value` field; sized by the num_* above -- confirm */
	struct cil_type **val_to_type;
	struct cil_role **val_to_role;
	struct cil_user **val_to_user;
	/* compile options; the numeric encodings (e.g. handle_unknown) are not defined in this header */
	int disable_dontaudit;
	int disable_neverallow;
	int attrs_expand_generated;
	unsigned attrs_expand_size;
	int preserve_tunables;
	int handle_unknown;
	int mls;
	int multiple_decls;
	int qualified_names;
	int target_platform;
	int policy_version;
};

/* The root scope: one symtab per cil_sym_index below CIL_SYM_NUM. */
struct cil_root {
	symtab_t symtab[CIL_SYM_NUM];
};

/* A growable array of datums of one flavor.  `index` vs `count` semantics are not visible here. */
struct cil_sort {
	enum cil_flavor flavor;
	uint32_t count;
	uint32_t index;
	void **array;
};

/*
 * Convention used by most statement structs below: a `foo_str` holds the
 * identifier as written in the source and `foo` the datum it resolves to.
 * The resolution step is outside this header (inferred from the naming;
 * confirm against the resolver).
 */
struct cil_ordered {
	int merged;
	struct cil_list *strs;
	struct cil_list *datums;
};

struct cil_block {
	struct cil_symtab_datum datum;
	symtab_t symtab[CIL_SYM_NUM];	/* the block's own scope */
	uint16_t is_abstract;
	struct cil_list *bi_nodes;	/* presumably blockinherit nodes referring to this block -- confirm */
};

struct cil_blockinherit {
	char *block_str;
	struct cil_block *block;
};

struct cil_blockabstract {
	char *block_str;
	struct cil_block *block;
};

struct cil_in {
	symtab_t symtab[CIL_SYM_NUM];
	int is_after;			/* cf. CIL_KEY_IN_BEFORE / CIL_KEY_IN_AFTER */
	char *block_str;
	struct cil_block *block;
};

struct cil_optional {
	struct cil_symtab_datum datum;
};

struct cil_perm {
	struct cil_symtab_datum datum;
	unsigned int value;
	struct cil_list *classperms; /* Only used for map perms */
};

struct cil_class {
	struct cil_symtab_datum datum;
	symtab_t perms;			/* the CIL_SYM_PERMS symtab, kept outside any array */
	unsigned int num_perms;
	struct cil_class *common; /* Only used for kernel class */
	uint32_t ordered; /* Only used for kernel class */
};

struct cil_classperms_set {
	char *set_str;
	struct cil_classpermission *set;
};

struct cil_classperms {
	char *class_str;
	struct cil_class *class;
	struct cil_list *perm_strs;
	struct cil_list *perms;
};

struct cil_classpermission {
	struct cil_symtab_datum datum;
	struct cil_list *classperms;
};

struct cil_classpermissionset {
	char *set_str;
	struct cil_classpermission *set;
	struct cil_list *classperms;
};

struct cil_classmapping {
	char *map_class_str;
	struct cil_class *map_class;
	char *map_perm_str;
	struct cil_perm *map_perm;
	struct cil_list *classperms;
};

struct cil_classcommon {
	char *class_str;
	struct cil_class *class;
	char *common_str;
	struct cil_class *common;
};

/* Alias of any flavor; `actual` is untyped because aliases exist for types, sens and cats. */
struct cil_alias {
	struct cil_symtab_datum datum;
	void *actual;
};

struct cil_aliasactual {
	char *alias_str;
	void *alias;
	char *actual_str;
	void *actual;
};

struct cil_sid {
	struct cil_symtab_datum datum;
	struct cil_context *context;
	uint32_t ordered;
};

struct cil_sidcontext {
	char *sid_str;
	struct cil_sid *sid;
	char *context_str;
	struct cil_context *context;
};

struct cil_user {
	struct cil_symtab_datum datum;
	struct cil_user *bounds;
	ebitmap_t *roles;
	struct cil_level *dftlevel;
	struct cil_levelrange *range;
	int value;
};

struct cil_userattribute {
	struct cil_symtab_datum datum;
	struct cil_list *expr_list;
	ebitmap_t *users;
};

struct cil_userattributeset {
	char *attr_str;
	struct cil_userattribute *attr;
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};

struct cil_userrole {
	char *user_str;
	void *user;
	char *role_str;
	void *role;
};

struct cil_userlevel {
	char *user_str;
	void *user;
	char *level_str;
	struct cil_level *level;
};

struct cil_userrange {
	char *user_str;
	void *user;
	char *range_str;
	struct cil_levelrange *range;
};

struct cil_userprefix {
	char *user_str;
	struct cil_user *user;
	char *prefix_str;
};

struct cil_selinuxuser {
	char *name_str;
	char *user_str;
	struct cil_user *user;
	char *range_str;
	struct cil_levelrange *range;
};

struct cil_role {
	struct cil_symtab_datum datum;
	struct cil_role *bounds;
	ebitmap_t *types;
	int value;
};

struct cil_roleattribute {
	struct cil_symtab_datum datum;
	struct cil_list *expr_list;
	ebitmap_t *roles;
};

struct cil_roleattributeset {
	char *attr_str;
	struct cil_roleattribute *attr;
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};

struct cil_roletype {
	char *role_str;
	void *role; /* role or attribute */
	char *type_str;
	void *type; /* type, alias, or attribute */
};

struct cil_type {
	struct cil_symtab_datum datum;
	struct cil_type *bounds;
	int value;
};

/* Bit flags recording where a type attribute is referenced (field `used` below). */
#define CIL_ATTR_AVRULE		(1 << 0)
#define CIL_ATTR_NEVERALLOW	(1 << 1)
#define CIL_ATTR_CONSTRAINT	(1 << 2)
#define CIL_ATTR_EXPAND_TRUE	(1 << 3)
#define CIL_ATTR_EXPAND_FALSE	(1 << 4)
struct cil_typeattribute {
	struct cil_symtab_datum datum;
	struct cil_list *expr_list;
	ebitmap_t *types;
	int used;	// whether or not this attribute was used in a binary policy rule
	int keep;
};

struct cil_typeattributeset {
	char *attr_str;
	struct cil_typeattribute *attr;
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};

struct cil_expandtypeattribute {
	struct cil_list *attr_strs;
	struct cil_list *attr_datums;
	int expand;
};

struct cil_typepermissive {
	char *type_str;
	void *type; /* type or alias */
};

struct cil_nametypetransition {
	char *src_str;
	void *src; /* type, alias, or attribute */
	char *tgt_str;
	void *tgt; /* type, alias, or attribute */
	char *obj_str;
	struct cil_class *obj;
	char *name_str;
	struct cil_symtab_datum *name;
	char *result_str;
	void *result; /* type or alias */

};

struct cil_rangetransition {
	char *src_str;
	void *src; /* type, alias, or attribute */
	char *exec_str;
	void *exec; /* type, alias, or attribute */
	char *obj_str;
	struct cil_class *obj;
	char *range_str;
	struct cil_levelrange *range;
};

struct cil_bool {
	struct cil_symtab_datum datum;
	uint16_t value;
};

struct cil_tunable {
	struct cil_symtab_datum datum;
	uint16_t value;
};

/*
 * Access-vector rule kinds.  CIL_AVRULE_AV is built from sepol's AVRULE_*
 * names (policydb.h), not from the CIL_AVRULE_* values just above; the CIL
 * values 1/2/8/128 are evidently meant to mirror the sepol ones and the two
 * sets must be kept in step.
 */
#define CIL_AVRULE_ALLOWED     1
#define CIL_AVRULE_AUDITALLOW  2
#define CIL_AVRULE_DONTAUDIT   8
#define CIL_AVRULE_NEVERALLOW  128
#define CIL_AVRULE_AV         (AVRULE_ALLOWED | AVRULE_AUDITALLOW | AVRULE_DONTAUDIT | AVRULE_NEVERALLOW)
/*
 * An allow/auditallow/dontaudit/neverallow rule (and their X variants).
 * The `perms` union has two layouts; by the field names, `is_extended`
 * says which one is live: classperms for ordinary rules, `x` for the
 * extended-permission (permissionx) form -- confirm against the parser.
 */
struct cil_avrule {
	int is_extended;
	uint32_t rule_kind;		/* one of the CIL_AVRULE_* values above (by placement) */
	char *src_str;
	void *src; /* type, alias, or attribute */
	char *tgt_str;
	void *tgt; /* type, alias, or attribute */
	union {
		struct cil_list *classperms;
		struct {
			char *permx_str;
			struct cil_permissionx *permx;
		} x;
	} perms;
};

/* Kinds of extended permission (field `kind` below). */
#define CIL_PERMX_KIND_IOCTL 1
#define CIL_PERMX_KIND_NLMSG 2
struct cil_permissionx {
	struct cil_symtab_datum datum;
	uint32_t kind;
	char *obj_str;
	struct cil_class *obj;
	struct cil_list *expr_str;
	ebitmap_t *perms;
};

struct cil_deny_rule {
	char *src_str;
	void *src; /* type, alias, or attribute */
	char *tgt_str;
	void *tgt; /* type, alias, or attribute */
	struct cil_list *classperms;
};

/*
 * Type-rule kinds (field `rule_kind` of struct cil_type_rule).  As with
 * CIL_AVRULE_AV, CIL_AVRULE_TYPE uses sepol's AVRULE_* names rather than
 * the CIL_TYPE_* values; keep the two in step.
 */
#define CIL_TYPE_TRANSITION 16
#define CIL_TYPE_MEMBER     32
#define CIL_TYPE_CHANGE     64
#define CIL_AVRULE_TYPE       (AVRULE_TRANSITION | AVRULE_MEMBER | AVRULE_CHANGE)
struct cil_type_rule {
	uint32_t rule_kind;
	char *src_str;
	void *src; /* type, alias, or attribute */
	char *tgt_str;
	void *tgt; /* type, alias, or attribute */
	char *obj_str;
	struct cil_class *obj;
	char *result_str;
	void *result; /* type or alias */
};

struct cil_roletransition {
	char *src_str;
	struct cil_role *src;
	char *tgt_str;
	void *tgt; /* type, alias, or attribute */
	char *obj_str;
	struct cil_class *obj;
	char *result_str;
	struct cil_role *result;
};

struct cil_roleallow {
	char *src_str;
	void *src; /* role or attribute */
	char *tgt_str;
	void *tgt; /* role or attribute */
};

struct cil_sens {
	struct cil_symtab_datum datum;
	struct cil_list *cats_list;
	uint32_t ordered;
};

struct cil_cat {
	struct cil_symtab_datum datum;
	uint32_t ordered;
	int value;
};

/* A category expression in both its source form and its resolved form. */
struct cil_cats {
	uint32_t evaluated;
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};

struct cil_catset {
	struct cil_symtab_datum datum;
	struct cil_cats *cats;
};

struct cil_senscat {
	char *sens_str;
	struct cil_sens *sens;
	struct cil_cats *cats;
};

struct cil_level {
	struct cil_symtab_datum datum;
	char *sens_str;
	struct cil_sens *sens;
	struct cil_cats *cats;
};

struct cil_levelrange {
	struct cil_symtab_datum datum;
	char *low_str;
	struct cil_level *low;
	char *high_str;
	struct cil_level *high;
};

/* A security context: user, role, type and (for MLS) a level range. */
struct cil_context {
	struct cil_symtab_datum datum;
	char *user_str;
	struct cil_user *user;
	char *role_str;
	struct cil_role *role;
	char *type_str;
	void *type; /* type or alias */
	char *range_str;
	struct cil_levelrange *range;
};

/* File type selector for filecon/genfscon; cf. the CIL_KEY_FILE .. CIL_KEY_ANY keywords. */
enum cil_filecon_types {
	CIL_FILECON_ANY = 0,
	CIL_FILECON_FILE,
	CIL_FILECON_DIR,
	CIL_FILECON_CHAR,
	CIL_FILECON_BLOCK,
	CIL_FILECON_SOCKET,
	CIL_FILECON_PIPE,
	CIL_FILECON_SYMLINK,
};

struct cil_filecon {
	char *path_str;
	struct cil_symtab_datum *path;
	enum cil_filecon_types type;
	char *context_str;
	struct cil_context *context;
};

/* Transport protocol for portcon; values start at 1 so 0 is never a valid protocol. */
enum cil_protocol {
	CIL_PROTOCOL_UDP = 1,
	CIL_PROTOCOL_TCP,
	CIL_PROTOCOL_DCCP,
	CIL_PROTOCOL_SCTP
};

struct cil_ibpkeycon {
	char *subnet_prefix_str;
	uint32_t pkey_low;
	uint32_t pkey_high;
	char *context_str;
	struct cil_context *context;
};

/*
 * NOTE(review): port_low/port_high are uint32_t, wider than a 16-bit port;
 * the range/ordering validation must happen where these fields are filled
 * in -- not visible here.
 */
struct cil_portcon {
	enum cil_protocol proto;
	uint32_t port_low;
	uint32_t port_high;
	char *context_str;
	struct cil_context *context;
};

struct cil_nodecon {
	char *addr_str;
	struct cil_ipaddr *addr;
	char *mask_str;
	struct cil_ipaddr *mask;
	char *context_str;
	struct cil_context *context;
};

/* An IP address; `family` presumably selects v4 vs v6 (AF_INET / AF_INET6) -- confirm. */
struct cil_ipaddr {
	struct cil_symtab_datum datum;
	int family;
	union {
		struct in_addr v4;
		struct in6_addr v6;
	} ip;
};

struct cil_genfscon {
	char *fs_str;
	char *path_str;
	enum cil_filecon_types file_type;
	char *context_str;
	struct cil_context *context;
};

/* netifcon: a context for the interface itself and one for packets on it. */
struct cil_netifcon {
	char *interface_str;
	char *if_context_str;
	struct cil_context *if_context;
	char *packet_context_str;
	struct cil_context *packet_context;
	char *context_str;
};

struct cil_ibendportcon {
	char *dev_name_str;
	uint32_t port;
	char *context_str;
	struct cil_context *context;
};
struct cil_pirqcon {
	uint32_t pirq;
	char *context_str;
	struct cil_context *context;
};

/* The *_low/*_high ranges below are not validated by this header; see the portcon note. */
struct cil_iomemcon {
	uint64_t iomem_low;
	uint64_t iomem_high;
	char *context_str;
	struct cil_context *context;
};

struct cil_ioportcon {
	uint32_t ioport_low;
	uint32_t ioport_high;
	char *context_str;
	struct cil_context *context;
};

struct cil_pcidevicecon {
	uint32_t dev;
	char *context_str;
	struct cil_context *context;
};

struct cil_devicetreecon {
	char *path;
	char *context_str;
	struct cil_context *context;
};


/* Ensure that CIL uses the same values as sepol services.h */
enum cil_fsuse_types {
	CIL_FSUSE_XATTR = SECURITY_FS_USE_XATTR,
	CIL_FSUSE_TASK = SECURITY_FS_USE_TASK,
	CIL_FSUSE_TRANS = SECURITY_FS_USE_TRANS
};

struct cil_fsuse {
	enum cil_fsuse_types type;
	char *fs_str;
	char *context_str;
	struct cil_context *context;
};

/*
 * Word lists naming the operands and operators of constraint expressions.
 * How they are used is not visible here (presumably diagnostics).
 * NOTE(review): CIL_MLSCONSTRAIN_KEYS is plain literal concatenation, so the
 * result has no separator between "h2" and "t1" ("... h1 h2t1 t2 ...");
 * whether that matters depends on the consumer -- check before relying on it.
 */
#define CIL_MLS_LEVELS "l1 l2 h1 h2"
#define CIL_CONSTRAIN_KEYS "t1 t2 r1 r2 u1 u2"
#define CIL_MLSCONSTRAIN_KEYS CIL_MLS_LEVELS CIL_CONSTRAIN_KEYS
#define CIL_CONSTRAIN_OPER "== != eq dom domby incomp not and or"
struct cil_constrain {
	struct cil_list *classperms;
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};

struct cil_validatetrans {
	char *class_str;
	struct cil_class *class;
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};

/* A macro parameter: its name and the flavor of argument it accepts. */
struct cil_param {
	char *str;
	enum cil_flavor flavor;
};

struct cil_macro {
	struct cil_symtab_datum datum;
	symtab_t symtab[CIL_SYM_NUM];	/* the macro body's own scope */
	struct cil_list *params;
};

/* One actual argument of a call, bound to the parameter named by param_str. */
struct cil_args {
	char *arg_str;
	struct cil_symtab_datum *arg;
	char *param_str;
	enum cil_flavor flavor;
};

struct cil_call {
	char *macro_str;
	struct cil_macro *macro;
	struct cil_tree *args_tree;
	struct cil_list *args;
	int copied;			/* whether the macro body has already been copied in, by name -- confirm */
};

#define CIL_TRUE 1
#define CIL_FALSE 0

/* A branch of a booleanif/tunableif; `flavor` presumably records true vs false branch. */
struct cil_condblock {
	enum cil_flavor flavor;
	symtab_t symtab[CIL_SYM_NUM];
};

struct cil_booleanif {
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
	int preserved_tunable;
};

struct cil_tunableif {
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};

struct cil_policycap {
	struct cil_symtab_datum datum;
};

/* A bounds statement of any flavor (user/role/type), hence the untyped parent/child. */
struct cil_bounds {
	char *parent_str;
	void *parent;
	char *child_str;
	void *child;
};

/* Ensure that CIL uses the same values as sepol policydb.h */
enum cil_default_object {
	CIL_DEFAULT_SOURCE = DEFAULT_SOURCE,
	CIL_DEFAULT_TARGET = DEFAULT_TARGET,
};

/* Default labeling behavior for users, roles, and types */
struct cil_default {
	enum cil_flavor flavor;
	struct cil_list *class_strs;
	struct cil_list *class_datums;
	enum cil_default_object object;
};

/* Ensure that CIL uses the same values as sepol policydb.h */
enum cil_default_object_range {
	CIL_DEFAULT_SOURCE_LOW = DEFAULT_SOURCE_LOW,
	CIL_DEFAULT_SOURCE_HIGH = DEFAULT_SOURCE_HIGH,
	CIL_DEFAULT_SOURCE_LOW_HIGH = DEFAULT_SOURCE_LOW_HIGH,
	CIL_DEFAULT_TARGET_LOW = DEFAULT_TARGET_LOW,
	CIL_DEFAULT_TARGET_HIGH = DEFAULT_TARGET_HIGH,
	CIL_DEFAULT_TARGET_LOW_HIGH = DEFAULT_TARGET_LOW_HIGH,
	CIL_DEFAULT_GLBLUB = DEFAULT_GLBLUB,
};

/* Default labeling behavior for range */
struct cil_defaultrange {
	struct cil_list *class_strs;
	struct cil_list *class_datums;
	enum cil_default_object_range object_range;
};

/* Numeric encoding of handle_unknown is not defined here; cf. CIL_KEY_HANDLEUNKNOWN_*. */
struct cil_handleunknown {
	int handle_unknown;
};

struct cil_mls {
	int value;
};

/* Source-location record; `kind` is presumably one of the CIL_KEY_SRC_* strings -- confirm. */
struct cil_src_info {
	char *kind;
	uint32_t hll_line;
	char *path;
};

/*
 * Constructors and destructors.  Every *_init takes a double pointer, which
 * suggests the callee allocates and stores the new object into *out; the
 * matching ownership rules are not visible in this header -- confirm.
 */
void cil_db_init(struct cil_db **db);
void cil_db_destroy(struct cil_db **db);

void cil_root_init(struct cil_root **root);
void cil_root_destroy(struct cil_root *root);

/* Destroys *data according to its flavor; presumably also nulls *data -- confirm. */
void cil_destroy_data(void **data, enum cil_flavor flavor);

/* Maps a flavor to its symtab index via *index; the int return is a status code (convention not visible here). */
int cil_flavor_to_symtab_index(enum cil_flavor flavor, enum cil_sym_index *index);
const char * cil_node_to_string(struct cil_tree_node *node);

/* Serialize db contents into *out (size in *size); who frees *out is not stated here -- confirm. */
int cil_userprefixes_to_string(struct cil_db *db, char **out, size_t *size);
int cil_selinuxusers_to_string(struct cil_db *db, char **out, size_t *size);
int cil_filecons_to_string(struct cil_db *db, char **out, size_t *size);

/* symtab_sizes is one row of cil_sym_sizes; symtab must hold CIL_SYM_NUM entries. */
void cil_symtab_array_init(symtab_t symtab[], const int symtab_sizes[CIL_SYM_NUM]);
void cil_symtab_array_destroy(symtab_t symtab[]);
void cil_destroy_ast_symtabs(struct cil_tree_node *root);
/* sym_index must be below CIL_SYM_NUM (CIL_SYM_UNKNOWN / CIL_SYM_PERMS are out of range for the arrays). */
int cil_get_symtab(struct cil_tree_node *ast_node, symtab_t **symtab, enum cil_sym_index sym_index);
/* Parse `string` in the given base into *value; int return is a status code. Error convention not visible here. */
int cil_string_to_uint32(const char *string, uint32_t *value, int base);
int cil_string_to_uint64(const char *string, uint64_t *value, int base);

void cil_sort_init(struct cil_sort **sort);
void cil_sort_destroy(struct cil_sort **sort);
void cil_ordered_init(struct cil_ordered **ordered);
void cil_netifcon_init(struct cil_netifcon **netifcon);
void cil_ibendportcon_init(struct cil_ibendportcon **ibendportcon);
void cil_context_init(struct cil_context **context);
void cil_level_init(struct cil_level **level);
void cil_levelrange_init(struct cil_levelrange **lvlrange);
void cil_sens_init(struct cil_sens **sens);
void cil_block_init(struct cil_block **block);
void cil_blockinherit_init(struct cil_blockinherit **inherit);
void cil_blockabstract_init(struct cil_blockabstract **abstract);
void cil_in_init(struct cil_in **in);
void cil_class_init(struct cil_class **class);
void cil_classcommon_init(struct cil_classcommon **classcommon);
void cil_sid_init(struct cil_sid **sid);
void cil_sidcontext_init(struct cil_sidcontext **sidcontext);
void cil_userrole_init(struct cil_userrole **userrole);
void cil_userprefix_init(struct cil_userprefix **userprefix);
void cil_selinuxuser_init(struct cil_selinuxuser **selinuxuser);
void cil_roleattribute_init(struct cil_roleattribute **attribute);
void cil_roleattributeset_init(struct cil_roleattributeset **attrset);
void cil_roletype_init(struct cil_roletype **roletype);
void cil_typeattribute_init(struct cil_typeattribute **attribute);
void cil_typeattributeset_init(struct cil_typeattributeset **attrset);
void cil_expandtypeattribute_init(struct cil_expandtypeattribute **expandattr);
void cil_alias_init(struct cil_alias **alias);
void cil_aliasactual_init(struct cil_aliasactual **aliasactual);
void cil_typepermissive_init(struct cil_typepermissive **typeperm);
void cil_nametypetransition_init(struct cil_nametypetransition **nametypetrans);
void cil_rangetransition_init(struct cil_rangetransition **rangetrans);
void cil_bool_init(struct cil_bool **cilbool);
void cil_boolif_init(struct cil_booleanif **bif);
void cil_condblock_init(struct cil_condblock **cb);
void cil_tunable_init(struct cil_tunable **ciltun);
void cil_tunif_init(struct cil_tunableif **tif);
void cil_avrule_init(struct cil_avrule **avrule);
void cil_permissionx_init(struct cil_permissionx **permx);
void cil_deny_rule_init(struct cil_deny_rule **rule);
void cil_type_rule_init(struct cil_type_rule **type_rule);
void cil_roletransition_init(struct cil_roletransition **roletrans);
void cil_roleallow_init(struct cil_roleallow **role_allow);
void cil_catset_init(struct cil_catset **catset);
void cil_cats_init(struct cil_cats **cats);
void cil_senscat_init(struct cil_senscat **senscat);
void cil_filecon_init(struct cil_filecon **filecon);
void cil_ibpkeycon_init(struct cil_ibpkeycon **ibpkeycon);
void cil_portcon_init(struct cil_portcon **portcon);
void cil_nodecon_init(struct cil_nodecon **nodecon);
void cil_genfscon_init(struct cil_genfscon **genfscon);
void cil_pirqcon_init(struct cil_pirqcon **pirqcon);
void cil_iomemcon_init(struct cil_iomemcon **iomemcon);
void cil_ioportcon_init(struct cil_ioportcon **ioportcon);
void cil_pcidevicecon_init(struct cil_pcidevicecon **pcidevicecon);
void cil_devicetreecon_init(struct cil_devicetreecon **devicetreecon);
void cil_fsuse_init(struct cil_fsuse **fsuse);
void cil_constrain_init(struct cil_constrain **constrain);
void cil_validatetrans_init(struct cil_validatetrans **validtrans);
void cil_ipaddr_init(struct cil_ipaddr **ipaddr);
void cil_perm_init(struct cil_perm **perm);
void cil_classpermission_init(struct cil_classpermission **cp);
void cil_classpermissionset_init(struct cil_classpermissionset **cps);
void cil_classperms_set_init(struct cil_classperms_set **cp_set);
void cil_classperms_init(struct cil_classperms **cp);
void cil_classmapping_init(struct cil_classmapping **mapping);
void cil_user_init(struct cil_user **user);
void cil_userlevel_init(struct cil_userlevel **usrlvl);
void cil_userrange_init(struct cil_userrange **userrange);
void cil_role_init(struct cil_role **role);
void cil_type_init(struct cil_type **type);
void cil_cat_init(struct cil_cat **cat);
void cil_args_init(struct cil_args **args);
void cil_call_init(struct cil_call **call);
void cil_optional_init(struct cil_optional **optional);
void cil_param_init(struct cil_param **param);
void cil_macro_init(struct cil_macro **macro);
void cil_policycap_init(struct cil_policycap **policycap);
void cil_bounds_init(struct cil_bounds **bounds);
void cil_default_init(struct cil_default **def);
void cil_defaultrange_init(struct cil_defaultrange **def);
void cil_handleunknown_init(struct cil_handleunknown **unk);
void cil_mls_init(struct cil_mls **mls);
void cil_src_info_init(struct cil_src_info **info);
void cil_userattribute_init(struct cil_userattribute **attribute);
void cil_userattributeset_init(struct cil_userattributeset **attrset);

#endif