RepoMirrors/setools
1
0
Fork 0
mirror of https://github.com/SELinuxProject/setools synced 2025-03-29 14:56:21 +00:00
Code Issues Packages Projects Releases Wiki Activity
23d42f162f
setools/libqpol/include/qpol/policy.h
Chris PeBenito 3e2cf79f81 Additional C cleanups.
2018-06-15 20:26:49 -04:00

217 lines
7.8 KiB
C
Raw Blame History

/**
* @file
* Defines the public interface the QPol policy.
*
* @author Jeremy A. Mowery jmowery@tresys.com
* @author Jason Tang jtang@tresys.com
* @author Brandon Whalen bwhalen@tresys.com
*
* Copyright (C) 2006-2008 Tresys Technology, LLC
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*/
#ifndef QPOL_POLICY_H
#define QPOL_POLICY_H
#ifdef __cplusplus
extern "C"
{
#endif
#include <stdarg.h>
#include <stdint.h>
typedef struct qpol_policy qpol_policy_t;
#include <qpol/avrule_query.h>
#include <qpol/bool_query.h>
#include <qpol/class_perm_query.h>
#include <qpol/cond_query.h>
#include <qpol/constraint_query.h>
#include <qpol/context_query.h>
#include <qpol/fs_use_query.h>
#include <qpol/isid_query.h>
#include <qpol/iterator.h>
#include <qpol/genfscon_query.h>
#include <qpol/mls_query.h>
#include <qpol/mlsrule_query.h>
#include <qpol/netifcon_query.h>
#include <qpol/nodecon_query.h>
#include <qpol/permissive_query.h>
#include <qpol/bounds_query.h>
#include <qpol/default_object_query.h>
#include <qpol/polcap_query.h>
#include <qpol/portcon_query.h>
#include <qpol/rbacrule_query.h>
#include <qpol/ftrule_query.h>
#include <qpol/role_query.h>
#include <qpol/terule_query.h>
#include <qpol/type_query.h>
#include <qpol/user_query.h>
#include <qpol/xen_query.h>
typedef void (*qpol_callback_fn_t)
(void *varg, const struct qpol_policy * policy, int level,
const char *msg);
#define QPOL_POLICY_UNKNOWN -1
#define QPOL_POLICY_KERNEL_SOURCE 0
#define QPOL_POLICY_KERNEL_BINARY 1
#define QPOL_POLICY_MODULE_BINARY 2
/**
* When loading the policy, do not load neverallow rules.
*/
#define QPOL_POLICY_OPTION_NO_NEVERALLOWS 0x00000001
/**
* When loading the policy, do not load any rules;
* this option implies QPOL_POLICY_OPTION_NO_NEVERALLOWS.
*/
#define QPOL_POLICY_OPTION_NO_RULES 0x00000002
/**
* List of capabilities a policy may have. This list represents
* features of policy that may differ from version to version or
* based upon the format of the policy file. Note that "polcaps" in
* this case refers to "policy capabilities" that were introduced
* with version 22 policies.
*/
typedef enum qpol_capability
{
/** The policy format stores the names of attributes. */
QPOL_CAP_ATTRIB_NAMES,
/** The policy format stores the syntactic rule type sets. */
QPOL_CAP_SYN_RULES,
/** The policy format stores rule line numbers (implies QPOL_CAP_SYN_RULES). */
QPOL_CAP_LINE_NUMBERS,
/** The policy version supports booleans and conditional statements. */
QPOL_CAP_CONDITIONALS,
/** The policy version supports MLS components and statements. */
QPOL_CAP_MLS,
/** The policy version has policy capabilities (polcaps). */
QPOL_CAP_POLCAPS,
/** The policy format supports linking loadable modules. */
QPOL_CAP_MODULES,
/** The policy was loaded with av/te rules. */
QPOL_CAP_RULES_LOADED,
/** The policy source may be displayed. */
QPOL_CAP_SOURCE,
/** The policy supports and was loaded with neverallow rules. */
QPOL_CAP_NEVERALLOW,
/** The policy supports bounds rules. */
QPOL_CAP_BOUNDS,
/** The policy supports default object rules. */
QPOL_CAP_DEFAULT_OBJECTS,
QPOL_CAP_DEFAULT_TYPE,
/** The policy supports permissive types. */
QPOL_CAP_PERMISSIVE,
/** The policy supports filename type_transition rules. */
QPOL_CAP_FILENAME_TRANS,
/** The policy supports role transition rules. */
QPOL_CAP_ROLETRANS,
/** The policy supports ioctl extended permissions. */
QPOL_CAP_XPERM_IOCTL
} qpol_capability_e;
/**
* Open a policy from a passed in file path.
* @param filename The name of the file to open.
* @param policy The policy to populate. The caller should not free
* this pointer.
* @param fn (Optional) If non-NULL, the callback to be used by the handle.
* @param varg (Optional) The argument needed by the handle callback.
* @param options Options to control loading only portions of a policy;
* must be a bitwise-or'd set of QPOL_POLICY_OPTION_* from above.
* @return Returns one of QPOL_POLICY_KERNEL_SOURCE,
* QPOL_POLICY_KERNEL_BINARY, or QPOL_POLICY_MODULE_BINARY on success
* and < 0 on failure; if the call fails, errno will be set and
* *policy will be NULL.
*/
extern int qpol_policy_open_from_file(const char *filename, qpol_policy_t ** policy, qpol_callback_fn_t fn, void *varg,
const int options);
/**
* Close a policy and deallocate its memory. Does nothing if it is
* already NULL.
* @param policy Reference to the policy to close. The pointer will
* be set to NULL afterwards.
*/
extern void qpol_policy_destroy(qpol_policy_t ** policy);
/**
* Re-evaluate all conditionals in the policy updating the state
* and setting the appropriate rule list as emabled for each.
* This call modifies the policy.
* @param policy The policy for which to re-evaluate the conditionals.
* This policy will be modified by this function.
* @return 0 on success and < 0 on failure; if the call fails,
* errno will be set. On failure, the policy state may be inconsistent.
*/
extern int qpol_policy_reevaluate_conds(qpol_policy_t * policy);
/**
* Get the version number of the policy.
* @param policy The policy for which to get the version.
* @param version Pointer to the integer to set to the version number.
* @return Returns 0 on success and < 0 on failure; if the call fails,
* errno will be set and *version will be 0.
*/
extern int qpol_policy_get_policy_version(const qpol_policy_t * policy, unsigned int *version);
/**
* Get the type of policy (source, binary, or module).
* @param policy The policy from which to get the type.
* @param type Pointer to the integer in which to store the type.
* Value will be one of QPOL_POLICY_* from above.
* @return 0 on success and < 0 on failure; if the call fails,
* errno will be set and *type will be QPOL_POLICY_UNKNOWN.
*/
extern int qpol_policy_get_type(const qpol_policy_t * policy, int *type);
/**
* Determine if a policy has support for a specific capability.
* @param policy The policy to check.
* @param cap The capability for which to check. Must be one of QPOL_CAP_*
* defined above.
* @return Non-zero if the policy has the specified capability, and zero otherwise.
*/
extern int qpol_policy_has_capability(const qpol_policy_t * policy, qpol_capability_e cap);
/**
* Get the handle_unknown classes/perms flag for the policy.
* @param policy The policy for which to get the version.
* @param handle_unknown Pointer to the integer to set to the version number.
* @return Returns 0 on success and < 0 on failure; if the call fails,
* errno will be set and *handle_unknown will be 0.
*/
extern int qpol_policy_get_policy_handle_unknown(const qpol_policy_t * policy, unsigned int *handle_unknown);
/**
* Get target platform (SELinux or XEN) of the policy.
* @param policy The policy for which to get the target.
* @param target_platform Pointer to the target.
* @return Returns 0 on success and < 0 on failure; if the call fails,
* errno will be set and *target_platform will be 0.
*/
extern int qpol_policy_get_target_platform(const qpol_policy_t *policy,
int *target_platform);
#ifdef __cplusplus
}
#endif
#endif
Reference in New Issue View Git Blame Copy Permalink