Home | History | Annotate | Download | only in policydb
      1 /* Author : Stephen Smalley, <sds (at) epoch.ncsc.mil> */
      2 
      3 /*
      4  * Updated: Joshua Brindle <jbrindle (at) tresys.com>
      5  *	    Karl MacMillan <kmacmillan (at) tresys.com>
      6  *	    Jason Tang <jtang (at) tresys.com>
      7  *
      8  *	Module support
      9  *
     10  * Updated: Trusted Computer Solutions, Inc. <dgoeddel (at) trustedcs.com>
     11  *
     12  *	Support for enhanced MLS infrastructure.
     13  *
     14  * Updated: Frank Mayer <mayerf (at) tresys.com> and Karl MacMillan <kmacmillan (at) tresys.com>
     15  *
     16  * 	Added conditional policy language extensions
     17  *
     18  * Updated: Red Hat, Inc.  James Morris <jmorris (at) redhat.com>
     19  *
     20  *      Fine-grained netlink support
     21  *      IPv6 support
     22  *      Code cleanup
     23  *
     24  * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
     25  * Copyright (C) 2003 - 2004 Tresys Technology, LLC
     26  * Copyright (C) 2003 - 2004 Red Hat, Inc.
     27  *
     28  *  This library is free software; you can redistribute it and/or
     29  *  modify it under the terms of the GNU Lesser General Public
     30  *  License as published by the Free Software Foundation; either
     31  *  version 2.1 of the License, or (at your option) any later version.
     32  *
     33  *  This library is distributed in the hope that it will be useful,
     34  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
     35  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
     36  *  Lesser General Public License for more details.
     37  *
     38  *  You should have received a copy of the GNU Lesser General Public
     39  *  License along with this library; if not, write to the Free Software
     40  *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
     41  */
     42 
     43 /* FLASK */
     44 
     45 /*
     46  * A policy database (policydb) specifies the
     47  * configuration data for the security policy.
     48  */
     49 
     50 #ifndef _SEPOL_POLICYDB_POLICYDB_H_
     51 #define _SEPOL_POLICYDB_POLICYDB_H_
     52 
     53 #include <stdio.h>
     54 #include <stddef.h>
     55 
     56 #include <sepol/policydb.h>
     57 
     58 #include <sepol/policydb/flask_types.h>
     59 #include <sepol/policydb/symtab.h>
     60 #include <sepol/policydb/avtab.h>
     61 #include <sepol/policydb/context.h>
     62 #include <sepol/policydb/constraint.h>
     63 #include <sepol/policydb/sidtab.h>
     64 
     65 #define ERRMSG_LEN 1024
     66 
     67 #define POLICYDB_SUCCESS      0
     68 #define POLICYDB_ERROR       -1
     69 #define POLICYDB_UNSUPPORTED -2
     70 
     71 #ifdef __cplusplus
     72 extern "C" {
     73 #endif
     74 
     75 /*
     76  * A datum type is defined for each kind of symbol
     77  * in the configuration data:  individual permissions,
     78  * common prefixes for access vectors, classes,
     79  * users, roles, types, sensitivities, categories, etc.
     80  */
     81 
     82 /* type set preserves data needed by modules such as *, ~ and attributes */
     83 typedef struct type_set {
     84 	ebitmap_t types;
     85 	ebitmap_t negset;
     86 #define TYPE_STAR 1
     87 #define TYPE_COMP 2
     88 	uint32_t flags;
     89 } type_set_t;
     90 
     91 typedef struct role_set {
     92 	ebitmap_t roles;
     93 #define ROLE_STAR 1
     94 #define ROLE_COMP 2
     95 	uint32_t flags;
     96 } role_set_t;
     97 
     98 /* Permission attributes */
     99 typedef struct perm_datum {
    100 	symtab_datum_t s;
    101 } perm_datum_t;
    102 
    103 /* Attributes of a common prefix for access vectors */
    104 typedef struct common_datum {
    105 	symtab_datum_t s;
    106 	symtab_t permissions;	/* common permissions */
    107 } common_datum_t;
    108 
    109 /* Class attributes */
    110 typedef struct class_datum {
    111 	symtab_datum_t s;
    112 	char *comkey;		/* common name */
    113 	common_datum_t *comdatum;	/* common datum */
    114 	symtab_t permissions;	/* class-specific permission symbol table */
    115 	constraint_node_t *constraints;	/* constraints on class permissions */
    116 	constraint_node_t *validatetrans;	/* special transition rules */
    117 /* Options how a new object user and role should be decided */
    118 #define DEFAULT_SOURCE		1
    119 #define DEFAULT_TARGET		2
    120 	char default_user;
    121 	char default_role;
    122 	char default_type;
    123 /* Options how a new object range should be decided */
    124 #define DEFAULT_SOURCE_LOW	1
    125 #define DEFAULT_SOURCE_HIGH	2
    126 #define DEFAULT_SOURCE_LOW_HIGH	3
    127 #define DEFAULT_TARGET_LOW	4
    128 #define DEFAULT_TARGET_HIGH	5
    129 #define DEFAULT_TARGET_LOW_HIGH	6
    130 	char default_range;
    131 } class_datum_t;
    132 
    133 /* Role attributes */
    134 typedef struct role_datum {
    135 	symtab_datum_t s;
    136 	ebitmap_t dominates;	/* set of roles dominated by this role */
    137 	type_set_t types;	/* set of authorized types for role */
    138 	ebitmap_t cache;	/* This is an expanded set used for context validation during parsing */
    139 	uint32_t bounds;	/* bounds role, if exist */
    140 #define ROLE_ROLE 0		/* regular role in kernel policies */
    141 #define ROLE_ATTRIB 1		/* attribute */
    142 	uint32_t flavor;
    143 	ebitmap_t roles;	/* roles with this attribute */
    144 } role_datum_t;
    145 
    146 typedef struct role_trans {
    147 	uint32_t role;		/* current role */
    148 	uint32_t type;		/* program executable type, or new object type */
    149 	uint32_t tclass;	/* process class, or new object class */
    150 	uint32_t new_role;	/* new role */
    151 	struct role_trans *next;
    152 } role_trans_t;
    153 
    154 typedef struct role_allow {
    155 	uint32_t role;		/* current role */
    156 	uint32_t new_role;	/* new role */
    157 	struct role_allow *next;
    158 } role_allow_t;
    159 
    160 /* filename_trans rules */
    161 typedef struct filename_trans {
    162 	uint32_t stype;
    163 	uint32_t ttype;
    164 	uint32_t tclass;
    165 	char *name;
    166 } filename_trans_t;
    167 
    168 typedef struct filename_trans_datum {
    169 	uint32_t otype;		/* expected of new object */
    170 } filename_trans_datum_t;
    171 
    172 /* Type attributes */
    173 typedef struct type_datum {
    174 	symtab_datum_t s;
    175 	uint32_t primary;	/* primary name? can be set to primary value if below is TYPE_ */
    176 #define TYPE_TYPE 0		/* regular type or alias in kernel policies */
    177 #define TYPE_ATTRIB 1		/* attribute */
    178 #define TYPE_ALIAS 2		/* alias in modular policy */
    179 	uint32_t flavor;
    180 	ebitmap_t types;	/* types with this attribute */
    181 #define TYPE_FLAGS_PERMISSIVE	0x01
    182 	uint32_t flags;
    183 	uint32_t bounds;	/* bounds type, if exist */
    184 } type_datum_t;
    185 
    186 /*
    187  * Properties of type_datum
    188  * available on the policy version >= (MOD_)POLICYDB_VERSION_BOUNDARY
    189  */
    190 #define TYPEDATUM_PROPERTY_PRIMARY	0x0001
    191 #define TYPEDATUM_PROPERTY_ATTRIBUTE	0x0002
    192 #define TYPEDATUM_PROPERTY_ALIAS	0x0004	/* userspace only */
    193 #define TYPEDATUM_PROPERTY_PERMISSIVE	0x0008	/* userspace only */
    194 
    195 /* User attributes */
    196 typedef struct user_datum {
    197 	symtab_datum_t s;
    198 	role_set_t roles;	/* set of authorized roles for user */
    199 	mls_semantic_range_t range;	/* MLS range (min. - max.) for user */
    200 	mls_semantic_level_t dfltlevel;	/* default login MLS level for user */
    201 	ebitmap_t cache;	/* This is an expanded set used for context validation during parsing */
    202 	mls_range_t exp_range;     /* expanded range used for validation */
    203 	mls_level_t exp_dfltlevel; /* expanded range used for validation */
    204 	uint32_t bounds;	/* bounds user, if exist */
    205 } user_datum_t;
    206 
    207 /* Sensitivity attributes */
    208 typedef struct level_datum {
    209 	mls_level_t *level;	/* sensitivity and associated categories */
    210 	unsigned char isalias;	/* is this sensitivity an alias for another? */
    211 	unsigned char defined;
    212 } level_datum_t;
    213 
    214 /* Category attributes */
    215 typedef struct cat_datum {
    216 	symtab_datum_t s;
    217 	unsigned char isalias;	/* is this category an alias for another? */
    218 } cat_datum_t;
    219 
    220 typedef struct range_trans {
    221 	uint32_t source_type;
    222 	uint32_t target_type;
    223 	uint32_t target_class;
    224 } range_trans_t;
    225 
    226 /* Boolean data type */
    227 typedef struct cond_bool_datum {
    228 	symtab_datum_t s;
    229 	int state;
    230 #define COND_BOOL_FLAGS_TUNABLE	0x01	/* is this a tunable? */
    231 	uint32_t flags;
    232 } cond_bool_datum_t;
    233 
    234 struct cond_node;
    235 
    236 typedef struct cond_node cond_list_t;
    237 struct cond_av_list;
    238 
    239 typedef struct class_perm_node {
    240 	uint32_t tclass;
    241 	uint32_t data;		/* permissions or new type */
    242 	struct class_perm_node *next;
    243 } class_perm_node_t;
    244 
    245 #define xperm_test(x, p) (1 & (p[x >> 5] >> (x & 0x1f)))
    246 #define xperm_set(x, p) (p[x >> 5] |= (1 << (x & 0x1f)))
    247 #define xperm_clear(x, p) (p[x >> 5] &= ~(1 << (x & 0x1f)))
    248 #define EXTENDED_PERMS_LEN 8
    249 
    250 typedef struct av_extended_perms {
    251 #define AVRULE_XPERMS_IOCTLFUNCTION	0x01
    252 #define AVRULE_XPERMS_IOCTLDRIVER	0x02
    253 	uint8_t specified;
    254 	uint8_t driver;
    255 	/* 256 bits of permissions */
    256 	uint32_t perms[EXTENDED_PERMS_LEN];
    257 } av_extended_perms_t;
    258 
    259 typedef struct avrule {
    260 /* these typedefs are almost exactly the same as those in avtab.h - they are
    261  * here because of the need to include neverallow and dontaudit messages */
    262 #define AVRULE_ALLOWED			AVTAB_ALLOWED
    263 #define AVRULE_AUDITALLOW		AVTAB_AUDITALLOW
    264 #define AVRULE_AUDITDENY		AVTAB_AUDITDENY
    265 #define AVRULE_DONTAUDIT		0x0008
    266 #define AVRULE_NEVERALLOW		AVTAB_NEVERALLOW
    267 #define AVRULE_AV         (AVRULE_ALLOWED | AVRULE_AUDITALLOW | AVRULE_AUDITDENY | AVRULE_DONTAUDIT | AVRULE_NEVERALLOW)
    268 #define AVRULE_TRANSITION		AVTAB_TRANSITION
    269 #define AVRULE_MEMBER			AVTAB_MEMBER
    270 #define AVRULE_CHANGE			AVTAB_CHANGE
    271 #define AVRULE_TYPE       (AVRULE_TRANSITION | AVRULE_MEMBER | AVRULE_CHANGE)
    272 #define AVRULE_XPERMS_ALLOWED 		AVTAB_XPERMS_ALLOWED
    273 #define AVRULE_XPERMS_AUDITALLOW	AVTAB_XPERMS_AUDITALLOW
    274 #define AVRULE_XPERMS_DONTAUDIT		AVTAB_XPERMS_DONTAUDIT
    275 #define AVRULE_XPERMS_NEVERALLOW	AVTAB_XPERMS_NEVERALLOW
    276 #define AVRULE_XPERMS	(AVRULE_XPERMS_ALLOWED | AVRULE_XPERMS_AUDITALLOW | \
    277 				AVRULE_XPERMS_DONTAUDIT | AVRULE_XPERMS_NEVERALLOW)
    278 	uint32_t specified;
    279 #define RULE_SELF 1
    280 	uint32_t flags;
    281 	type_set_t stypes;
    282 	type_set_t ttypes;
    283 	class_perm_node_t *perms;
    284 	av_extended_perms_t *xperms;
    285 	unsigned long line;	/* line number from policy.conf where
    286 				 * this rule originated  */
    287 	/* source file name and line number (e.g. .te file) */
    288 	char *source_filename;
    289 	unsigned long source_line;
    290 	struct avrule *next;
    291 } avrule_t;
    292 
    293 typedef struct role_trans_rule {
    294 	role_set_t roles;	/* current role */
    295 	type_set_t types;	/* program executable type, or new object type */
    296 	ebitmap_t classes;	/* process class, or new object class */
    297 	uint32_t new_role;	/* new role */
    298 	struct role_trans_rule *next;
    299 } role_trans_rule_t;
    300 
    301 typedef struct role_allow_rule {
    302 	role_set_t roles;	/* current role */
    303 	role_set_t new_roles;	/* new roles */
    304 	struct role_allow_rule *next;
    305 } role_allow_rule_t;
    306 
    307 typedef struct filename_trans_rule {
    308 	type_set_t stypes;
    309 	type_set_t ttypes;
    310 	uint32_t tclass;
    311 	char *name;
    312 	uint32_t otype;	/* new type */
    313 	struct filename_trans_rule *next;
    314 } filename_trans_rule_t;
    315 
    316 typedef struct range_trans_rule {
    317 	type_set_t stypes;
    318 	type_set_t ttypes;
    319 	ebitmap_t tclasses;
    320 	mls_semantic_range_t trange;
    321 	struct range_trans_rule *next;
    322 } range_trans_rule_t;
    323 
    324 /*
    325  * The configuration data includes security contexts for
    326  * initial SIDs, unlabeled file systems, TCP and UDP port numbers,
    327  * network interfaces, and nodes.  This structure stores the
    328  * relevant data for one such entry.  Entries of the same kind
    329  * (e.g. all initial SIDs) are linked together into a list.
    330  */
    331 typedef struct ocontext {
    332 	union {
    333 		char *name;	/* name of initial SID, fs, netif, fstype, path */
    334 		struct {
    335 			uint8_t protocol;
    336 			uint16_t low_port;
    337 			uint16_t high_port;
    338 		} port;		/* TCP or UDP port information */
    339 		struct {
    340 			uint32_t addr; /* network order */
    341 			uint32_t mask; /* network order */
    342 		} node;		/* node information */
    343 		struct {
    344 			uint32_t addr[4]; /* network order */
    345 			uint32_t mask[4]; /* network order */
    346 		} node6;	/* IPv6 node information */
    347 		uint32_t device;
    348 		uint16_t pirq;
    349 		struct {
    350 			uint64_t low_iomem;
    351 			uint64_t high_iomem;
    352 		} iomem;
    353 		struct {
    354 			uint32_t low_ioport;
    355 			uint32_t high_ioport;
    356 		} ioport;
    357 	} u;
    358 	union {
    359 		uint32_t sclass;	/* security class for genfs */
    360 		uint32_t behavior;	/* labeling behavior for fs_use */
    361 	} v;
    362 	context_struct_t context[2];	/* security context(s) */
    363 	sepol_security_id_t sid[2];	/* SID(s) */
    364 	struct ocontext *next;
    365 } ocontext_t;
    366 
    367 typedef struct genfs {
    368 	char *fstype;
    369 	struct ocontext *head;
    370 	struct genfs *next;
    371 } genfs_t;
    372 
    373 /* symbol table array indices */
    374 #define SYM_COMMONS 0
    375 #define SYM_CLASSES 1
    376 #define SYM_ROLES   2
    377 #define SYM_TYPES   3
    378 #define SYM_USERS   4
    379 #define SYM_BOOLS   5
    380 #define SYM_LEVELS  6
    381 #define SYM_CATS    7
    382 #define SYM_NUM     8
    383 
    384 /* object context array indices */
    385 #define OCON_ISID  0		/* initial SIDs */
    386 #define OCON_FS    1		/* unlabeled file systems */
    387 #define OCON_PORT  2		/* TCP and UDP port numbers */
    388 #define OCON_NETIF 3		/* network interfaces */
    389 #define OCON_NODE  4		/* nodes */
    390 #define OCON_FSUSE 5		/* fs_use */
    391 #define OCON_NODE6 6		/* IPv6 nodes */
    392 #define OCON_GENFS 7            /* needed for ocontext_supported */
    393 
    394 /* object context array indices for Xen */
    395 #define OCON_XEN_ISID  	    0    /* initial SIDs */
    396 #define OCON_XEN_PIRQ       1    /* physical irqs */
    397 #define OCON_XEN_IOPORT     2    /* io ports */
    398 #define OCON_XEN_IOMEM	    3    /* io memory */
    399 #define OCON_XEN_PCIDEVICE  4    /* pci devices */
    400 #define OCON_XEN_DEVICETREE 5    /* device tree node */
    401 
    402 /* OCON_NUM needs to be the largest index in any platform's ocontext array */
    403 #define OCON_NUM   7
    404 
    405 /* section: module information */
    406 
    407 /* scope_index_t holds all of the symbols that are in scope in a
    408  * particular situation.  The bitmaps are indices (and thus must
    409  * subtract one) into the global policydb->scope array. */
    410 typedef struct scope_index {
    411 	ebitmap_t scope[SYM_NUM];
    412 #define p_classes_scope scope[SYM_CLASSES]
    413 #define p_roles_scope scope[SYM_ROLES]
    414 #define p_types_scope scope[SYM_TYPES]
    415 #define p_users_scope scope[SYM_USERS]
    416 #define p_bools_scope scope[SYM_BOOLS]
    417 #define p_sens_scope scope[SYM_LEVELS]
    418 #define p_cat_scope scope[SYM_CATS]
    419 
    420 	/* this array maps from class->value to the permissions within
    421 	 * scope.  if bit (perm->value - 1) is set in map
    422 	 * class_perms_map[class->value - 1] then that permission is
    423 	 * enabled for this class within this decl.  */
    424 	ebitmap_t *class_perms_map;
    425 	/* total number of classes in class_perms_map array */
    426 	uint32_t class_perms_len;
    427 } scope_index_t;
    428 
    429 /* a list of declarations for a particular avrule_decl */
    430 
    431 /* These two structs declare a block of policy that has TE and RBAC
    432  * statements and declarations.  The root block (the global policy)
    433  * can never have an ELSE branch. */
    434 typedef struct avrule_decl {
    435 	uint32_t decl_id;
    436 	uint32_t enabled;	/* whether this block is enabled */
    437 
    438 	cond_list_t *cond_list;
    439 	avrule_t *avrules;
    440 	role_trans_rule_t *role_tr_rules;
    441 	role_allow_rule_t *role_allow_rules;
    442 	range_trans_rule_t *range_tr_rules;
    443 	scope_index_t required;	/* symbols needed to activate this block */
    444 	scope_index_t declared;	/* symbols declared within this block */
    445 
    446 	/* type transition rules with a 'name' component */
    447 	filename_trans_rule_t *filename_trans_rules;
    448 
    449 	/* for additive statements (type attribute, roles, and users) */
    450 	symtab_t symtab[SYM_NUM];
    451 
    452 	/* In a linked module this will contain the name of the module
    453 	 * from which this avrule_decl originated. */
    454 	char *module_name;
    455 
    456 	struct avrule_decl *next;
    457 } avrule_decl_t;
    458 
    459 typedef struct avrule_block {
    460 	avrule_decl_t *branch_list;
    461 	avrule_decl_t *enabled;	/* pointer to which branch is enabled.  this is
    462 				   used in linking and never written to disk */
    463 #define AVRULE_OPTIONAL 1
    464 	uint32_t flags;		/* any flags for this block, currently just optional */
    465 	struct avrule_block *next;
    466 } avrule_block_t;
    467 
    468 /* Every identifier has its own scope datum.  The datum describes if
    469  * the item is to be included into the final policy during
    470  * expansion. */
    471 typedef struct scope_datum {
    472 /* Required for this decl */
    473 #define SCOPE_REQ  1
    474 /* Declared in this decl */
    475 #define SCOPE_DECL 2
    476 	uint32_t scope;
    477 	uint32_t *decl_ids;
    478 	uint32_t decl_ids_len;
    479 	/* decl_ids is a list of avrule_decl's that declare/require
    480 	 * this symbol.  If scope==SCOPE_DECL then this is a list of
    481 	 * declarations.  If the symbol may only be declared once
    482 	 * (types, bools) then decl_ids_len will be exactly 1.  For
    483 	 * implicitly declared things (roles, users) then decl_ids_len
    484 	 * will be at least 1. */
    485 } scope_datum_t;
    486 
    487 /* The policy database */
    488 typedef struct policydb {
    489 #define POLICY_KERN SEPOL_POLICY_KERN
    490 #define POLICY_BASE SEPOL_POLICY_BASE
    491 #define POLICY_MOD SEPOL_POLICY_MOD
    492 	uint32_t policy_type;
    493 	char *name;
    494 	char *version;
    495 	int  target_platform;
    496 
    497 	/* Set when the policydb is modified such that writing is unsupported */
    498 	int unsupported_format;
    499 
    500 	/* Whether this policydb is mls, should always be set */
    501 	int mls;
    502 
    503 	/* symbol tables */
    504 	symtab_t symtab[SYM_NUM];
    505 #define p_commons symtab[SYM_COMMONS]
    506 #define p_classes symtab[SYM_CLASSES]
    507 #define p_roles symtab[SYM_ROLES]
    508 #define p_types symtab[SYM_TYPES]
    509 #define p_users symtab[SYM_USERS]
    510 #define p_bools symtab[SYM_BOOLS]
    511 #define p_levels symtab[SYM_LEVELS]
    512 #define p_cats symtab[SYM_CATS]
    513 
    514 	/* symbol names indexed by (value - 1) */
    515 	char **sym_val_to_name[SYM_NUM];
    516 #define p_common_val_to_name sym_val_to_name[SYM_COMMONS]
    517 #define p_class_val_to_name sym_val_to_name[SYM_CLASSES]
    518 #define p_role_val_to_name sym_val_to_name[SYM_ROLES]
    519 #define p_type_val_to_name sym_val_to_name[SYM_TYPES]
    520 #define p_user_val_to_name sym_val_to_name[SYM_USERS]
    521 #define p_bool_val_to_name sym_val_to_name[SYM_BOOLS]
    522 #define p_sens_val_to_name sym_val_to_name[SYM_LEVELS]
    523 #define p_cat_val_to_name sym_val_to_name[SYM_CATS]
    524 
    525 	/* class, role, and user attributes indexed by (value - 1) */
    526 	class_datum_t **class_val_to_struct;
    527 	role_datum_t **role_val_to_struct;
    528 	user_datum_t **user_val_to_struct;
    529 	type_datum_t **type_val_to_struct;
    530 
    531 	/* module stuff section -- used in parsing and for modules */
    532 
    533 	/* keep track of the scope for every identifier.  these are
    534 	 * hash tables, where the key is the identifier name and value
    535 	 * a scope_datum_t.  as a convenience, one may use the
    536 	 * p_*_macros (cf. struct scope_index_t declaration). */
    537 	symtab_t scope[SYM_NUM];
    538 
    539 	/* module rule storage */
    540 	avrule_block_t *global;
    541 	/* avrule_decl index used for link/expand */
    542 	avrule_decl_t **decl_val_to_struct;
    543 
    544 	/* compiled storage of rules - use for the kernel policy */
    545 
    546 	/* type enforcement access vectors and transitions */
    547 	avtab_t te_avtab;
    548 
    549 	/* bools indexed by (value - 1) */
    550 	cond_bool_datum_t **bool_val_to_struct;
    551 	/* type enforcement conditional access vectors and transitions */
    552 	avtab_t te_cond_avtab;
    553 	/* linked list indexing te_cond_avtab by conditional */
    554 	cond_list_t *cond_list;
    555 
    556 	/* role transitions */
    557 	role_trans_t *role_tr;
    558 
    559 	/* role allows */
    560 	role_allow_t *role_allow;
    561 
    562 	/* security contexts of initial SIDs, unlabeled file systems,
    563 	   TCP or UDP port numbers, network interfaces and nodes */
    564 	ocontext_t *ocontexts[OCON_NUM];
    565 
    566 	/* security contexts for files in filesystems that cannot support
    567 	   a persistent label mapping or use another
    568 	   fixed labeling behavior. */
    569 	genfs_t *genfs;
    570 
    571 	/* range transitions table (range_trans_key -> mls_range) */
    572 	hashtab_t range_tr;
    573 
    574 	/* file transitions with the last path component */
    575 	hashtab_t filename_trans;
    576 
    577 	ebitmap_t *type_attr_map;
    578 
    579 	ebitmap_t *attr_type_map;	/* not saved in the binary policy */
    580 
    581 	ebitmap_t policycaps;
    582 
    583 	/* this bitmap is referenced by type NOT the typical type-1 used in other
    584 	   bitmaps.  Someday the 0 bit may be used for global permissive */
    585 	ebitmap_t permissive_map;
    586 
    587 	unsigned policyvers;
    588 
    589 	unsigned handle_unknown;
    590 } policydb_t;
    591 
    592 struct sepol_policydb {
    593 	struct policydb p;
    594 };
    595 
    596 extern int policydb_init(policydb_t * p);
    597 
    598 extern int policydb_from_image(sepol_handle_t * handle,
    599 			       void *data, size_t len, policydb_t * policydb);
    600 
    601 extern int policydb_to_image(sepol_handle_t * handle,
    602 			     policydb_t * policydb, void **newdata,
    603 			     size_t * newlen);
    604 
    605 extern int policydb_index_classes(policydb_t * p);
    606 
    607 extern int policydb_index_bools(policydb_t * p);
    608 
    609 extern int policydb_index_others(sepol_handle_t * handle, policydb_t * p,
    610 				 unsigned int verbose);
    611 
    612 extern int policydb_role_cache(hashtab_key_t key,
    613 			       hashtab_datum_t datum,
    614 			       void *arg);
    615 
    616 extern int policydb_user_cache(hashtab_key_t key,
    617 			       hashtab_datum_t datum,
    618 			       void *arg);
    619 
    620 extern int policydb_reindex_users(policydb_t * p);
    621 
    622 extern void policydb_destroy(policydb_t * p);
    623 
    624 extern int policydb_load_isids(policydb_t * p, sidtab_t * s);
    625 
    626 /* Deprecated */
    627 extern int policydb_context_isvalid(const policydb_t * p,
    628 				    const context_struct_t * c);
    629 
    630 extern void symtabs_destroy(symtab_t * symtab);
    631 extern int scope_destroy(hashtab_key_t key, hashtab_datum_t datum, void *p);
    632 typedef void (*hashtab_destroy_func_t) (hashtab_key_t k, hashtab_datum_t d,
    633 					void *args);
    634 extern hashtab_destroy_func_t get_symtab_destroy_func(int sym_num);
    635 
    636 extern void class_perm_node_init(class_perm_node_t * x);
    637 extern void type_set_init(type_set_t * x);
    638 extern void type_set_destroy(type_set_t * x);
    639 extern int type_set_cpy(type_set_t * dst, type_set_t * src);
    640 extern int type_set_or_eq(type_set_t * dst, type_set_t * other);
    641 extern void role_set_init(role_set_t * x);
    642 extern void role_set_destroy(role_set_t * x);
    643 extern void avrule_init(avrule_t * x);
    644 extern void avrule_destroy(avrule_t * x);
    645 extern void avrule_list_destroy(avrule_t * x);
    646 extern void role_trans_rule_init(role_trans_rule_t * x);
    647 extern void role_trans_rule_list_destroy(role_trans_rule_t * x);
    648 extern void filename_trans_rule_init(filename_trans_rule_t * x);
    649 extern void filename_trans_rule_list_destroy(filename_trans_rule_t * x);
    650 
    651 extern void role_datum_init(role_datum_t * x);
    652 extern void role_datum_destroy(role_datum_t * x);
    653 extern void role_allow_rule_init(role_allow_rule_t * x);
    654 extern void role_allow_rule_destroy(role_allow_rule_t * x);
    655 extern void role_allow_rule_list_destroy(role_allow_rule_t * x);
    656 extern void range_trans_rule_init(range_trans_rule_t *x);
    657 extern void range_trans_rule_destroy(range_trans_rule_t *x);
    658 extern void range_trans_rule_list_destroy(range_trans_rule_t *x);
    659 extern void type_datum_init(type_datum_t * x);
    660 extern void type_datum_destroy(type_datum_t * x);
    661 extern void user_datum_init(user_datum_t * x);
    662 extern void user_datum_destroy(user_datum_t * x);
    663 extern void level_datum_init(level_datum_t * x);
    664 extern void level_datum_destroy(level_datum_t * x);
    665 extern void cat_datum_init(cat_datum_t * x);
    666 extern void cat_datum_destroy(cat_datum_t * x);
    667 extern int check_assertion(policydb_t *p, avrule_t *avrule);
    668 extern int check_assertions(sepol_handle_t * handle,
    669 			    policydb_t * p, avrule_t * avrules);
    670 
    671 extern int symtab_insert(policydb_t * x, uint32_t sym,
    672 			 hashtab_key_t key, hashtab_datum_t datum,
    673 			 uint32_t scope, uint32_t avrule_decl_id,
    674 			 uint32_t * value);
    675 
    676 /* A policy "file" may be a memory region referenced by a (data, len) pair
    677    or a file referenced by a FILE pointer. */
    678 typedef struct policy_file {
    679 #define PF_USE_MEMORY  0
    680 #define PF_USE_STDIO   1
    681 #define PF_LEN         2	/* total up length in len field */
    682 	unsigned type;
    683 	char *data;
    684 	size_t len;
    685 	size_t size;
    686 	FILE *fp;
    687 	struct sepol_handle *handle;
    688 } policy_file_t;
    689 
    690 struct sepol_policy_file {
    691 	struct policy_file pf;
    692 };
    693 
    694 extern void policy_file_init(policy_file_t * x);
    695 
    696 extern int policydb_read(policydb_t * p, struct policy_file *fp,
    697 			 unsigned int verbose);
    698 extern int avrule_read_list(policydb_t * p, avrule_t ** avrules,
    699 			    struct policy_file *fp);
    700 
    701 extern int policydb_write(struct policydb *p, struct policy_file *pf);
    702 extern int policydb_set_target_platform(policydb_t *p, int platform);
    703 
    704 #define PERM_SYMTAB_SIZE 32
    705 
    706 /* Identify specific policy version changes */
    707 #define POLICYDB_VERSION_BASE		15
    708 #define POLICYDB_VERSION_BOOL		16
    709 #define POLICYDB_VERSION_IPV6		17
    710 #define POLICYDB_VERSION_NLCLASS	18
    711 #define POLICYDB_VERSION_VALIDATETRANS	19
    712 #define POLICYDB_VERSION_MLS		19
    713 #define POLICYDB_VERSION_AVTAB		20
    714 #define POLICYDB_VERSION_RANGETRANS	21
    715 #define POLICYDB_VERSION_POLCAP		22
    716 #define POLICYDB_VERSION_PERMISSIVE	23
    717 #define POLICYDB_VERSION_BOUNDARY	24
    718 #define POLICYDB_VERSION_FILENAME_TRANS	25
    719 #define POLICYDB_VERSION_ROLETRANS	26
    720 #define POLICYDB_VERSION_NEW_OBJECT_DEFAULTS	27
    721 #define POLICYDB_VERSION_DEFAULT_TYPE	28
    722 #define POLICYDB_VERSION_CONSTRAINT_NAMES	29
    723 #define POLICYDB_VERSION_XEN_DEVICETREE		30 /* Xen-specific */
    724 #define POLICYDB_VERSION_XPERMS_IOCTL	30 /* Linux-specific */
    725 
    726 /* Range of policy versions we understand*/
    727 #define POLICYDB_VERSION_MIN	POLICYDB_VERSION_BASE
    728 #define POLICYDB_VERSION_MAX	POLICYDB_VERSION_XPERMS_IOCTL
    729 
    730 /* Module versions and specific changes*/
    731 #define MOD_POLICYDB_VERSION_BASE		4
    732 #define MOD_POLICYDB_VERSION_VALIDATETRANS	5
    733 #define MOD_POLICYDB_VERSION_MLS		5
    734 #define MOD_POLICYDB_VERSION_RANGETRANS 	6
    735 #define MOD_POLICYDB_VERSION_MLS_USERS		6
    736 #define MOD_POLICYDB_VERSION_POLCAP		7
    737 #define MOD_POLICYDB_VERSION_PERMISSIVE		8
    738 #define MOD_POLICYDB_VERSION_BOUNDARY		9
    739 #define MOD_POLICYDB_VERSION_BOUNDARY_ALIAS	10
    740 #define MOD_POLICYDB_VERSION_FILENAME_TRANS	11
    741 #define MOD_POLICYDB_VERSION_ROLETRANS		12
    742 #define MOD_POLICYDB_VERSION_ROLEATTRIB		13
    743 #define MOD_POLICYDB_VERSION_TUNABLE_SEP	14
    744 #define MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS	15
    745 #define MOD_POLICYDB_VERSION_DEFAULT_TYPE	16
    746 #define MOD_POLICYDB_VERSION_CONSTRAINT_NAMES  17
    747 
    748 #define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE
    749 #define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_CONSTRAINT_NAMES
    750 
    751 #define POLICYDB_CONFIG_MLS    1
    752 
    753 /* macros to check policy feature */
    754 
    755 /* TODO: add other features here */
    756 
    757 #define policydb_has_boundary_feature(p)			\
    758 	(((p)->policy_type == POLICY_KERN			\
    759 	  && p->policyvers >= POLICYDB_VERSION_BOUNDARY) ||	\
    760 	 ((p)->policy_type != POLICY_KERN			\
    761 	  && p->policyvers >= MOD_POLICYDB_VERSION_BOUNDARY))
    762 
    763 /* the config flags related to unknown classes/perms are bits 2 and 3 */
    764 #define DENY_UNKNOWN	SEPOL_DENY_UNKNOWN
    765 #define REJECT_UNKNOWN	SEPOL_REJECT_UNKNOWN
    766 #define ALLOW_UNKNOWN 	SEPOL_ALLOW_UNKNOWN
    767 
    768 #define POLICYDB_CONFIG_UNKNOWN_MASK	(DENY_UNKNOWN | REJECT_UNKNOWN | ALLOW_UNKNOWN)
    769 
    770 #define OBJECT_R "object_r"
    771 #define OBJECT_R_VAL 1
    772 
    773 #define POLICYDB_MAGIC SELINUX_MAGIC
    774 #define POLICYDB_STRING "SE Linux"
    775 #define POLICYDB_XEN_STRING "XenFlask"
    776 #define POLICYDB_STRING_MAX_LENGTH 32
    777 #define POLICYDB_MOD_MAGIC SELINUX_MOD_MAGIC
    778 #define POLICYDB_MOD_STRING "SE Linux Module"
    779 
    780 #ifdef __cplusplus
    781 }
    782 #endif
    783 
    784 #endif				/* _POLICYDB_H_ */
    785 
    786 /* FLASK */
    787