/* Author : Joshua Brindle <[email protected]>
 *          Karl MacMillan <[email protected]>
 *          Jason Tang     <[email protected]>
 *	Added support for binary policy modules
 *
 * Copyright (C) 2004 - 2005 Tresys Technology, LLC
 *	This program is free software; you can redistribute it and/or modify
 *	it under the terms of the GNU General Public License as published by
 *	the Free Software Foundation, version 2.
 */

#ifndef MODULE_COMPILER_H
#define MODULE_COMPILER_H

#include <sepol/policydb/hashtab.h>

/* Called when checkpolicy begins to parse a policy -- either at the
 * very beginning for a kernel/base policy, or after the module header
 * for policy modules.  Initialize the memory structures within.
 * Return 0 on success, -1 on error. */
int define_policy(int pass, int module_header_given);

/* Declare a symbol declaration to the current avrule_decl.  Check
 * that insertion is allowed here and that the symbol does not already
 * exist.  Returns 0 on success, 1 if symbol was already there (caller
 * needs to free() the datum), -1 if declarations not allowed, -2 for
 * duplicate declarations, -3 for all else.
 */
int declare_symbol(uint32_t symbol_type,
		   hashtab_key_t key, hashtab_datum_t datum,
		   uint32_t * dest_value, uint32_t * datum_value);

role_datum_t *declare_role(unsigned char isattr);
type_datum_t *declare_type(unsigned char primary, unsigned char isattr);
user_datum_t *declare_user(void);

type_datum_t *get_local_type(char *id, uint32_t value, unsigned char isattr);
role_datum_t *get_local_role(char *id, uint32_t value, unsigned char isattr);

/* Add a symbol to the current avrule_block's require section.  Note
 * that a module may not both declare and require the same symbol.
 * Returns 0 on success, -1 on error.
 */
int require_symbol(uint32_t symbol_type,
		   hashtab_key_t key, hashtab_datum_t datum,
		   uint32_t * dest_value, uint32_t * datum_value);

/* Enable a permission for a class within the current avrule_decl.
 * Return 0 on success, -1 if out of memory. */
int add_perm_to_class(uint32_t perm_value, uint32_t class_value);

/* Functions called from REQUIRE blocks.  Add the first symbol on the
 * id_queue to this avrule_decl's scope if not already there.
 * c.f. require_symbol(). */
int require_class(int pass);
int require_role(int pass);
int require_type(int pass);
int require_attribute(int pass);
int require_attribute_role(int pass);
int require_user(int pass);
int require_bool(int pass);
int require_tunable(int pass);
int require_sens(int pass);
int require_cat(int pass);

/* Check if an identifier is within the scope of the current
 * declaration or any of its parents.  Return 1 if it is, 0 if not.
 * If the identifier is not known at all then return 1 (truth). */
int is_id_in_scope(uint32_t symbol_type, const_hashtab_key_t id);

/* Check if a particular permission is within the scope of the current
 * declaration or any of its parents.  Return 1 if it is, 0 if not.
 * If the identifier is not known at all then return 1 (truth). */
int is_perm_in_scope(const_hashtab_key_t perm_id, const_hashtab_key_t class_id);

/* Search the current avrules block for a conditional with the same
 * expression as 'cond'.  If the conditional does not exist then
 * create one.  Either way, return the conditional. */
cond_list_t *get_current_cond_list(cond_list_t * cond);

/* Append rule to the current avrule_block. */
void append_cond_list(cond_list_t * cond);
void append_avrule(avrule_t * avrule);
void append_role_trans(role_trans_rule_t * role_tr_rules);
void append_role_allow(role_allow_rule_t * role_allow_rules);
void append_range_trans(range_trans_rule_t * range_tr_rules);
void append_filename_trans(filename_trans_rule_t * filename_trans_rules);

/* Create a new optional block and add it to the global policy.
 * During the second pass resolve the block's requirements.  Return 0
 * on success, -1 on error.
 */
int begin_optional(int pass);
int end_optional(int pass);

/* ELSE blocks are similar to normal blocks with the following two
 * limitations:
 *   - no declarations are allowed within else branches
 *   - no REQUIRES are allowed; the else branch inherits the parent's
 *     requirements
 */
int begin_optional_else(int pass);

/* Called whenever exiting an avrule block.  Check that the block had
 * a non-empty REQUIRE section.  If so pop the block off of the scope
 * stack and return 0.  If not then send an error to yyerror and
 * return -1. */
int end_avrule_block(int pass);

#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
void module_compiler_reset(void);
#endif

#endif
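The header's comments describe a scope stack (declare_symbol, require_symbol, is_id_in_scope, begin_optional_else, end_avrule_block) without showing how the rules interact: a block may not both declare and require a symbol, an ELSE branch may neither declare nor require, a symbol declared in a parent block is in scope for nested blocks, and an identifier unknown to the policy is reported as in scope so that the undefined-symbol error is raised elsewhere. The following is an added example, not checkpolicy's own code: a self-contained, simplified model of those rules with the documented return codes. Every model_* name, the fixed-size arrays standing in for the policydb hashtabs, and the omission of the non-empty-REQUIRE check in model_end_block are assumptions made for the illustration.

```c
/* Added example, not checkpolicy's code: a simplified model of the scope
 * stack and declare/require rules that the header above documents. The
 * model_* names are hypothetical; the real functions operate on policydb
 * hashtabs and avrule_decl structures. */
#include <string.h>

#define MAX_SYMS  32
#define MAX_DEPTH 8

/* One avrule_decl-like block; allow_decl == 0 models an ELSE branch. */
struct model_scope {
	const char *declared[MAX_SYMS]; int ndeclared;
	const char *required[MAX_SYMS]; int nrequired;
	int allow_decl;
};

static const char *model_known[MAX_SYMS];	/* stands in for the policy symtab */
static int model_nknown;
static struct model_scope model_stack[MAX_DEPTH];
static int model_depth;

static int model_find(const char **list, int n, const char *id)
{
	for (int i = 0; i < n; i++)
		if (strcmp(list[i], id) == 0)
			return 1;
	return 0;
}

/* Push a block (begin_optional / begin_optional_else): 0 on success, -1 on error. */
int model_begin_block(int allow_decl)
{
	if (model_depth >= MAX_DEPTH) return -1;
	memset(&model_stack[model_depth], 0, sizeof(model_stack[0]));
	model_stack[model_depth++].allow_decl = allow_decl;
	return 0;
}

/* Pop the current block, like end_avrule_block() minus its REQUIRE check. */
int model_end_block(void)
{
	if (model_depth == 0) return -1;
	model_depth--;
	return 0;
}

/* declare_symbol() codes: 0 success, 1 symbol already exists (declared by
 * another block), -1 declarations not allowed here, -2 duplicate in this
 * block, -3 anything else (declare-and-require conflict, table full). */
int model_declare(const char *id)
{
	if (model_depth == 0) return -3;
	struct model_scope *s = &model_stack[model_depth - 1];
	if (!s->allow_decl) return -1;
	if (model_find(s->declared, s->ndeclared, id)) return -2;
	if (model_find(s->required, s->nrequired, id)) return -3;	/* declared and required */
	if (s->ndeclared >= MAX_SYMS || model_nknown >= MAX_SYMS) return -3;
	s->declared[s->ndeclared++] = id;
	if (model_find(model_known, model_nknown, id)) return 1;
	model_known[model_nknown++] = id;
	return 0;
}

/* require_symbol(): 0 success, -1 error (requiring from an ELSE branch, or
 * requiring a symbol this block declares). Repeating a require is a no-op. */
int model_require(const char *id)
{
	if (model_depth == 0) return -1;
	struct model_scope *s = &model_stack[model_depth - 1];
	if (!s->allow_decl || model_find(s->declared, s->ndeclared, id)) return -1;
	if (model_find(s->required, s->nrequired, id)) return 0;
	if (s->nrequired >= MAX_SYMS) return -1;
	s->required[s->nrequired++] = id;
	return 0;
}

/* is_id_in_scope(): 1 if the current block or any parent declares or
 * requires id, 1 if id is unknown to the policy altogether (reported
 * elsewhere as undefined), otherwise 0. */
int model_is_in_scope(const char *id)
{
	if (!model_find(model_known, model_nknown, id)) return 1;
	for (int i = model_depth - 1; i >= 0; i--)
		if (model_find(model_stack[i].declared, model_stack[i].ndeclared, id) ||
		    model_find(model_stack[i].required, model_stack[i].nrequired, id))
			return 1;
	return 0;
}

/* Clear all state, like module_compiler_reset() in fuzzing builds. */
void model_reset(void)
{
	model_depth = 0;
	model_nknown = 0;
}
```

The walk in model_is_in_scope goes from the innermost block outward, which is what makes a type declared in the base policy visible inside a nested optional block while a sibling optional block's declarations stay hidden; the "unknown means in scope" rule keeps scope checking from masking the more useful undefined-identifier error.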