selinux/checkpolicy/policy_define.h

75 lines
2.7 KiB
C
Raw Normal View History

/* Functions used to define policy grammar components. */
#ifndef _POLICY_DEFINE_H_
#define _POLICY_DEFINE_H_
/*
* We need the following so we have a valid error return code in yacc
* when we have a parse error for a conditional rule. We can't check
* for NULL (ie 0) because that is a potentially valid return.
*/
#define COND_ERR ((avrule_t *)-1)
#define TRUE 1
#define FALSE 0
avrule_t *define_cond_compute_type(int which);
avrule_t *define_cond_pol_list(avrule_t *avlist, avrule_t *stmt);
avrule_t *define_cond_te_avtab(int which);
avrule_t *define_cond_filename_trans(void);
cond_expr_t *define_cond_expr(uint32_t expr_type, void *arg1, void* arg2);
int define_attrib(void);
int define_attrib_role(void);
int define_av_perms(int inherits);
int define_bool_tunable(int is_tunable);
int define_category(void);
int define_class(void);
int define_default_user(int which);
int define_default_role(int which);
int define_default_type(int which);
int define_default_range(int which);
int define_common_perms(void);
int define_compute_type(int which);
int define_conditional(cond_expr_t *expr, avrule_t *t_list, avrule_t *f_list );
int define_constraint(constraint_expr_t *expr);
int define_dominance(void);
int define_fs_context(unsigned int major, unsigned int minor);
int define_fs_use(int behavior);
int define_genfs_context(int has_type);
int define_initial_sid_context(void);
int define_initial_sid(void);
int define_ipv4_node_context(void);
int define_ipv6_node_context(void);
int define_level(void);
int define_netif_context(void);
int define_permissive(void);
int define_polcap(void);
int define_port_context(unsigned int low, unsigned int high);
int define_pirq_context(unsigned int pirq);
int define_iomem_context(uint64_t low, uint64_t high);
int define_ioport_context(unsigned long low, unsigned long high);
int define_pcidevice_context(unsigned long device);
int define_devicetree_context(void);
int define_range_trans(int class_specified);
int define_role_allow(void);
int define_role_trans(int class_specified);
int define_role_types(void);
int define_role_attr(void);
int define_roleattribute(void);
int define_filename_trans(void);
int define_sens(void);
int define_te_avtab(int which);
Add support for ioctl command whitelisting Adds support for new policy statements whitelisting individual ioctl commands. Ioctls provide many of the operations necessary for driver control. The typical driver supports a device specific set of operations accessible by the ioctl system call and specified by the command argument. SELinux provides per operation access control to many system operations e.g. chown, kill, setuid, ipc_lock, etc. Ioclts on the other hand are granted on a per file descriptor basis using the ioctl permission, meaning that the set of operations provided by the driver are granted on an all-or-nothing basis. In some cases this may be acceptable, but often the same driver provides a large and diverse set of operations such as benign and necessary functionality as well as dangerous capabilities or access to system information that should be restricted. Example policy: allow <source> <target>:<class> { 0x8900-0x8905 0x8910 } auditallow <source> <target>:<class> 0x8901 The ioctl permission is still required in order to make an ioctl call. If no individual ioctl commands are specified, only the ioctl permission is checked by the kernel - i.e. status quo. This allows ioctl whitelisting to done in a targeted manner, protecting desired drivers without requiring every ioctl command to be known and specified before use and otherwise allowing existing policy to be used as-is. This only implements ioctl whitelisting support for monolithic kernel policies built via checkpolicy. Support for modules and CIL remains to be done. Bug: 19419509 Change-Id: I198e8c9279b94d8ce4ae5625018daa99577ee970 Signed-off-by: Jeff Vander Stoep <jeffv@google.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-04-22 20:53:25 +00:00
int define_te_avtab_operation(int which);
int define_typealias(void);
int define_typeattribute(void);
int define_typebounds(void);
int define_type(int alias);
int define_user(void);
int define_validatetrans(constraint_expr_t *expr);
int insert_id(const char *id,int push);
int insert_separator(int push);
role_datum_t *define_role_dom(role_datum_t *r);
role_datum_t *merge_roles_dom(role_datum_t *r1,role_datum_t *r2);
uintptr_t define_cexpr(uint32_t expr_type, uintptr_t arg1, uintptr_t arg2);
#endif /* _POLICY_DEFINE_H_ */