| Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1 | /* Author : Joshua Brindle <jbrindle@tresys.com> |
| 2 | * Karl MacMillan <kmacmillan@tresys.com> |
| 3 | * Jason Tang <jtang@tresys.com> |
| 4 | * Added support for binary policy modules |
| 5 | * |
| 6 | * Copyright (C) 2004 - 2005 Tresys Technology, LLC |
| 7 | * This program is free software; you can redistribute it and/or modify |
| 8 | * it under the terms of the GNU General Public License as published by |
| 9 | * the Free Software Foundation, version 2. |
| 10 | */ |
| 11 | |
| 12 | #ifndef MODULE_COMPILER_H |
| 13 | #define MODULE_COMPILER_H |
| 14 | |
| 15 | #include <sepol/policydb/hashtab.h> |
| 16 | |
| 17 | /* Called when checkpolicy begins to parse a policy -- either at the |
| 18 | * very beginning for a kernel/base policy, or after the module header |
| 19 | * for policy modules. Initialize the memory structures within. |
| 20 | * Return 0 on success, -1 on error. */ |
| 21 | int define_policy(int pass, int module_header_given); |
| 22 | |
| 23 | /* Declare a symbol declaration to the current avrule_decl. Check |
| 24 | * that insertion is allowed here and that the symbol does not already |
| 25 | * exist. Returns 0 on success, 1 if symbol was already there (caller |
| 26 | * needs to free() the datum), -1 if declarations not allowed, -2 for |
| 27 | * duplicate declarations, -3 for all else. |
| 28 | */ |
| 29 | int declare_symbol(uint32_t symbol_type, |
| 30 | hashtab_key_t key, hashtab_datum_t datum, |
| 31 | uint32_t * dest_value, uint32_t * datum_value); |
| 32 | |
| Harry Ciao | 16675b7 | 2011-07-25 09:23:54 +0800 | [diff] [blame^] | 33 | role_datum_t *declare_role(unsigned char isattr); |
| Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 34 | type_datum_t *declare_type(unsigned char primary, unsigned char isattr); |
| 35 | user_datum_t *declare_user(void); |
| 36 | |
| 37 | type_datum_t *get_local_type(char *id, uint32_t value, unsigned char isattr); |
| Harry Ciao | 16675b7 | 2011-07-25 09:23:54 +0800 | [diff] [blame^] | 38 | role_datum_t *get_local_role(char *id, uint32_t value, unsigned char isattr); |
| Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 39 | |
| 40 | /* Add a symbol to the current avrule_block's require section. Note |
| 41 | * that a module may not both declare and require the same symbol. |
| 42 | * Returns 0 on success, -1 on error. */ |
| 43 | int require_symbol(uint32_t symbol_type, |
| 44 | hashtab_key_t key, hashtab_datum_t datum, |
| 45 | uint32_t * dest_value, uint32_t * datum_value); |
| 46 | |
| 47 | /* Enable a permission for a class within the current avrule_decl. |
| 48 | * Return 0 on success, -1 if out of memory. */ |
| 49 | int add_perm_to_class(uint32_t perm_value, uint32_t class_value); |
| 50 | |
| 51 | /* Functions called from REQUIRE blocks. Add the first symbol on the |
| 52 | * id_queue to this avrule_decl's scope if not already there. |
| 53 | * c.f. require_symbol(). */ |
| 54 | int require_class(int pass); |
| 55 | int require_role(int pass); |
| 56 | int require_type(int pass); |
| 57 | int require_attribute(int pass); |
| Harry Ciao | 16675b7 | 2011-07-25 09:23:54 +0800 | [diff] [blame^] | 58 | int require_attribute_role(int pass); |
| Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 59 | int require_user(int pass); |
| 60 | int require_bool(int pass); |
| 61 | int require_sens(int pass); |
| 62 | int require_cat(int pass); |
| 63 | |
| 64 | /* Check if an identifier is within the scope of the current |
| 65 | * declaration or any of its parents. Return 1 if it is, 0 if not. |
| 66 | * If the identifier is not known at all then return 1 (truth). */ |
| 67 | int is_id_in_scope(uint32_t symbol_type, hashtab_key_t id); |
| 68 | |
| 69 | /* Check if a particular permission is within the scope of the current |
| 70 | * declaration or any of its parents. Return 1 if it is, 0 if not. |
| 71 | * If the identifier is not known at all then return 1 (truth). */ |
| 72 | int is_perm_in_scope(hashtab_key_t perm_id, hashtab_key_t class_id); |
| 73 | |
| 74 | /* Search the current avrules block for a conditional with the same |
| 75 | * expression as 'cond'. If the conditional does not exist then |
| 76 | * create one. Either way, return the conditional. */ |
| 77 | cond_list_t *get_current_cond_list(cond_list_t * cond); |
| 78 | |
| 79 | /* Append rule to the current avrule_block. */ |
| 80 | void append_cond_list(cond_list_t * cond); |
| 81 | void append_avrule(avrule_t * avrule); |
| 82 | void append_role_trans(role_trans_rule_t * role_tr_rules); |
| 83 | void append_role_allow(role_allow_rule_t * role_allow_rules); |
| 84 | void append_range_trans(range_trans_rule_t * range_tr_rules); |
| Eric Paris | 516cb2a | 2011-03-28 14:00:19 -0400 | [diff] [blame] | 85 | void append_filename_trans(filename_trans_rule_t * filename_trans_rules); |
| Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 86 | |
| 87 | /* Create a new optional block and add it to the global policy. |
| 88 | * During the second pass resolve the block's requirements. Return 0 |
| 89 | * on success, -1 on error. |
| 90 | */ |
| 91 | int begin_optional(int pass); |
| 92 | int end_optional(int pass); |
| 93 | |
| 94 | /* ELSE blocks are similar to normal blocks with the following two |
| 95 | * limitations: |
| 96 | * - no declarations are allowed within else branches |
| 97 | * - no REQUIRES are allowed; the else branch inherits the parent's |
| 98 | * requirements |
| 99 | */ |
| 100 | int begin_optional_else(int pass); |
| 101 | |
| 102 | /* Called whenever existing an avrule block. Check that the block had |
| 103 | * a non-empty REQUIRE section. If so pop the block off of the scop |
| 104 | * stack and return 0. If not then send an error to yyerror and |
| 105 | * return -1. */ |
| 106 | int end_avrule_block(int pass); |
| 107 | |
| 108 | #endif |