      1 /* Author : Joshua Brindle <jbrindle (at) tresys.com>
      2  *	    Karl MacMillan <kmacmillan (at) tresys.com>
      3  *          Jason Tang     <jtang (at) tresys.com>
      4  *	Added support for binary policy modules
      5  *
      6  * Copyright (C) 2004 - 2005 Tresys Technology, LLC
      7  *	This program is free software; you can redistribute it and/or modify
      8  *  	it under the terms of the GNU General Public License as published by
      9  *	the Free Software Foundation, version 2.
     10  */
     11 
     12 #ifndef MODULE_COMPILER_H
     13 #define MODULE_COMPILER_H
     14 
     15 #include <sepol/policydb/hashtab.h>
     16 
     17 /* Called when checkpolicy begins to parse a policy -- either at the
     18  * very beginning for a kernel/base policy, or after the module header
     19  * for policy modules.  Initialize the memory structures within.
     20  * Return 0 on success, -1 on error. */
     21 int define_policy(int pass, int module_header_given);
     22 
      23 /* Add a symbol declaration to the current avrule_decl.  Check
      24  * that insertion is allowed here and that the symbol does not already
      25  * exist.  Returns 0 on success, 1 if the symbol was already there (the
      26  * caller needs to free() the datum), -1 if declarations are not allowed,
      27  * -2 for duplicate declarations, -3 for all other errors.
      28  */
     29 int declare_symbol(uint32_t symbol_type,
     30 		   hashtab_key_t key, hashtab_datum_t datum,
     31 		   uint32_t * dest_value, uint32_t * datum_value);
     32 
     33 role_datum_t *declare_role(unsigned char isattr);
     34 type_datum_t *declare_type(unsigned char primary, unsigned char isattr);
     35 user_datum_t *declare_user(void);
     36 
     37 type_datum_t *get_local_type(char *id, uint32_t value, unsigned char isattr);
     38 role_datum_t *get_local_role(char *id, uint32_t value, unsigned char isattr);
     39 
     40 /* Add a symbol to the current avrule_block's require section.  Note
     41  * that a module may not both declare and require the same symbol.
     42  * Returns 0 on success, -1 on error. */
     43 int require_symbol(uint32_t symbol_type,
     44 		   hashtab_key_t key, hashtab_datum_t datum,
     45 		   uint32_t * dest_value, uint32_t * datum_value);
     46 
     47 /* Enable a permission for a class within the current avrule_decl.
     48  * Return 0 on success, -1 if out of memory. */
     49 int add_perm_to_class(uint32_t perm_value, uint32_t class_value);
     50 
     51 /* Functions called from REQUIRE blocks.  Add the first symbol on the
     52  * id_queue to this avrule_decl's scope if not already there.
     53  * c.f. require_symbol(). */
     54 int require_class(int pass);
     55 int require_role(int pass);
     56 int require_type(int pass);
     57 int require_attribute(int pass);
     58 int require_attribute_role(int pass);
     59 int require_user(int pass);
     60 int require_bool(int pass);
     61 int require_tunable(int pass);
     62 int require_sens(int pass);
     63 int require_cat(int pass);
     64 
      65 /* Check if an identifier is within the scope of the current
      66  * declaration or any of its parents.  Return 1 if it is, 0 if not.
      67  * If the identifier is not known at all then return 1 (treated as in scope).  */
     68 int is_id_in_scope(uint32_t symbol_type, hashtab_key_t id);
     69 
      70 /* Check if a particular permission is within the scope of the current
      71  * declaration or any of its parents.  Return 1 if it is, 0 if not.
      72  * If the identifier is not known at all then return 1 (treated as in scope).  */
     73 int is_perm_in_scope(hashtab_key_t perm_id, hashtab_key_t class_id);
     74 
     75 /* Search the current avrules block for a conditional with the same
     76  * expression as 'cond'.  If the conditional does not exist then
     77  * create one.  Either way, return the conditional. */
     78 cond_list_t *get_current_cond_list(cond_list_t * cond);
     79 
     80 /* Append rule to the current avrule_block. */
     81 void append_cond_list(cond_list_t * cond);
     82 void append_avrule(avrule_t * avrule);
     83 void append_role_trans(role_trans_rule_t * role_tr_rules);
     84 void append_role_allow(role_allow_rule_t * role_allow_rules);
     85 void append_range_trans(range_trans_rule_t * range_tr_rules);
     86 void append_filename_trans(filename_trans_rule_t * filename_trans_rules);
     87 
     88 /* Create a new optional block and add it to the global policy.
     89  * During the second pass resolve the block's requirements.  Return 0
     90  * on success, -1 on error.
     91  */
     92 int begin_optional(int pass);
     93 int end_optional(int pass);
     94 
     95 /* ELSE blocks are similar to normal blocks with the following two
     96  * limitations:
     97  *   - no declarations are allowed within else branches
     98  *   - no REQUIRES are allowed; the else branch inherits the parent's
     99  *     requirements
    100  */
    101 int begin_optional_else(int pass);
    102 
     103 /* Called whenever exiting an avrule block.  Check that the block had
     104  * a non-empty REQUIRE section.  If so, pop the block off of the scope
     105  * stack and return 0.  If not, then send an error to yyerror and
     106  * return -1. */
    107 int end_avrule_block(int pass);
    108 
    109 #endif
    110