/* SPDX-License-Identifier: GPL-2.0-only */ /* * A policy database (policydb) specifies the * configuration data for the security policy. * * Author : Stephen Smalley, <[email protected]> */ /* * Updated: Trusted Computer Solutions, Inc. <[email protected]> * Support for enhanced MLS infrastructure. * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. * * Updated: Frank Mayer <[email protected]> and * Karl MacMillan <[email protected]> * Added conditional policy language extensions * Copyright (C) 2003-2004 Tresys Technology, LLC */ #ifndef _SS_POLICYDB_H_ #define _SS_POLICYDB_H_ #include "symtab.h" #include "avtab.h" #include "sidtab.h" #include "ebitmap.h" #include "mls_types.h" #include "context.h" #include "constraint.h" /* * A datum type is defined for each kind of symbol * in the configuration data: individual permissions, * common prefixes for access vectors, classes, * users, roles, types, sensitivities, categories, etc. */ /* Permission attributes */ struct perm_datum { … }; /* Attributes of a common prefix for access vectors */ struct common_datum { … }; /* Class attributes */ struct class_datum { … }; /* Role attributes */ struct role_datum { … }; struct role_trans_key { … }; struct role_trans_datum { … }; struct filename_trans_key { … }; struct filename_trans_datum { … }; struct role_allow { … }; /* Type attributes */ struct type_datum { … }; /* User attributes */ struct user_datum { … }; /* Sensitivity attributes */ struct level_datum { … }; /* Category attributes */ struct cat_datum { … }; struct range_trans { … }; /* Boolean data type */ struct cond_bool_datum { … }; struct cond_node; /* * type set preserves data needed to determine constraint info from * policy source. This is not used by the kernel policy but allows * utilities such as audit2allow to determine constraint denials. */ struct type_set { … }; /* * The configuration data includes security contexts for * initial SIDs, unlabeled file systems, TCP and UDP port numbers, * network interfaces, and nodes. This structure stores the * relevant data for one such entry. Entries of the same kind * (e.g. all initial SIDs) are linked together into a list. */ struct ocontext { … }; struct genfs { … }; /* symbol table array indices */ #define SYM_COMMONS … #define SYM_CLASSES … #define SYM_ROLES … #define SYM_TYPES … #define SYM_USERS … #define SYM_BOOLS … #define SYM_LEVELS … #define SYM_CATS … #define SYM_NUM … /* object context array indices */ #define OCON_ISID … #define OCON_FS … #define OCON_PORT … #define OCON_NETIF … #define OCON_NODE … #define OCON_FSUSE … #define OCON_NODE6 … #define OCON_IBPKEY … #define OCON_IBENDPORT … #define OCON_NUM … /* The policy database */ struct policydb { … } __randomize_layout; extern void policydb_destroy(struct policydb *p); extern int policydb_load_isids(struct policydb *p, struct sidtab *s); extern int policydb_context_isvalid(struct policydb *p, struct context *c); extern int policydb_class_isvalid(struct policydb *p, unsigned int class); extern int policydb_type_isvalid(struct policydb *p, unsigned int type); extern int policydb_role_isvalid(struct policydb *p, unsigned int role); extern int policydb_read(struct policydb *p, void *fp); extern int policydb_write(struct policydb *p, void *fp); extern struct filename_trans_datum * policydb_filenametr_search(struct policydb *p, struct filename_trans_key *key); extern struct mls_range *policydb_rangetr_search(struct policydb *p, struct range_trans *key); extern struct role_trans_datum * policydb_roletr_search(struct policydb *p, struct role_trans_key *key); #define POLICYDB_CONFIG_MLS … /* the config flags related to unknown classes/perms are bits 2 and 3 */ #define REJECT_UNKNOWN … #define ALLOW_UNKNOWN … #define OBJECT_R … #define OBJECT_R_VAL … #define POLICYDB_MAGIC … #define POLICYDB_STRING … struct policy_file { … }; struct policy_data { … }; static inline int next_entry(void *buf, struct policy_file *fp, size_t bytes) { … } static inline int put_entry(const void *buf, size_t bytes, size_t num, struct policy_file *fp) { … } static inline char *sym_name(struct policydb *p, unsigned int sym_num, unsigned int element_nr) { … } extern u16 string_to_security_class(struct policydb *p, const char *name); extern u32 string_to_av_perm(struct policydb *p, u16 tclass, const char *name); #endif /* _SS_POLICYDB_H_ */
Codebase Browser
linux