selinux/checkpolicy/module_compiler.h
Harry Ciao 16675b7f96 Add role attribute support when compiling modules.
1. Add a uint32_t "flavor" field and an ebitmap "roles" to the
role_datum_t structure;

2. Add a new "attribute_role" statement and its handler to declare
a role attribute;

3. Modify declare_role() to setup role_datum_t.flavor according
to the isattr argument;

4. Add a new "roleattribute" rule and its handler, which will record
the regular role's (policy value - 1) into the role attribute's
role_datum_t.roles ebitmap;

5. Modify the syntax for the role-types rule only to define the
role-type associations;

6. Add a new role-attr rule to support the declaration of a single
role, and optionally the role attribute that the role belongs to;

7. Check if the new_role used in role-transition rule is a regular role;

8. Support to require a role attribute;

9. Modify symtab_insert() to allow multiple declarations only for
the regular role, while a role attribute can't be declared more than once
and can't share a same name with another regular role.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2011-07-25 10:09:27 -04:00

109 lines
4.4 KiB
C

/* Author : Joshua Brindle <jbrindle@tresys.com>
* Karl MacMillan <kmacmillan@tresys.com>
* Jason Tang <jtang@tresys.com>
* Added support for binary policy modules
*
* Copyright (C) 2004 - 2005 Tresys Technology, LLC
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, version 2.
*/
#ifndef MODULE_COMPILER_H
#define MODULE_COMPILER_H
#include <sepol/policydb/hashtab.h>
/* Called when checkpolicy begins to parse a policy -- either at the
* very beginning for a kernel/base policy, or after the module header
* for policy modules. Initialize the memory structures within.
* Return 0 on success, -1 on error. */
int define_policy(int pass, int module_header_given);
/* Declare a symbol declaration to the current avrule_decl. Check
* that insertion is allowed here and that the symbol does not already
* exist. Returns 0 on success, 1 if symbol was already there (caller
* needs to free() the datum), -1 if declarations not allowed, -2 for
* duplicate declarations, -3 for all else.
*/
int declare_symbol(uint32_t symbol_type,
hashtab_key_t key, hashtab_datum_t datum,
uint32_t * dest_value, uint32_t * datum_value);
role_datum_t *declare_role(unsigned char isattr);
type_datum_t *declare_type(unsigned char primary, unsigned char isattr);
user_datum_t *declare_user(void);
type_datum_t *get_local_type(char *id, uint32_t value, unsigned char isattr);
role_datum_t *get_local_role(char *id, uint32_t value, unsigned char isattr);
/* Add a symbol to the current avrule_block's require section. Note
* that a module may not both declare and require the same symbol.
* Returns 0 on success, -1 on error. */
int require_symbol(uint32_t symbol_type,
hashtab_key_t key, hashtab_datum_t datum,
uint32_t * dest_value, uint32_t * datum_value);
/* Enable a permission for a class within the current avrule_decl.
* Return 0 on success, -1 if out of memory. */
int add_perm_to_class(uint32_t perm_value, uint32_t class_value);
/* Functions called from REQUIRE blocks. Add the first symbol on the
* id_queue to this avrule_decl's scope if not already there.
* c.f. require_symbol(). */
int require_class(int pass);
int require_role(int pass);
int require_type(int pass);
int require_attribute(int pass);
int require_attribute_role(int pass);
int require_user(int pass);
int require_bool(int pass);
int require_sens(int pass);
int require_cat(int pass);
/* Check if an identifier is within the scope of the current
* declaration or any of its parents. Return 1 if it is, 0 if not.
* If the identifier is not known at all then return 1 (truth). */
int is_id_in_scope(uint32_t symbol_type, hashtab_key_t id);
/* Check if a particular permission is within the scope of the current
* declaration or any of its parents. Return 1 if it is, 0 if not.
* If the identifier is not known at all then return 1 (truth). */
int is_perm_in_scope(hashtab_key_t perm_id, hashtab_key_t class_id);
/* Search the current avrules block for a conditional with the same
* expression as 'cond'. If the conditional does not exist then
* create one. Either way, return the conditional. */
cond_list_t *get_current_cond_list(cond_list_t * cond);
/* Append rule to the current avrule_block. */
void append_cond_list(cond_list_t * cond);
void append_avrule(avrule_t * avrule);
void append_role_trans(role_trans_rule_t * role_tr_rules);
void append_role_allow(role_allow_rule_t * role_allow_rules);
void append_range_trans(range_trans_rule_t * range_tr_rules);
void append_filename_trans(filename_trans_rule_t * filename_trans_rules);
/* Create a new optional block and add it to the global policy.
* During the second pass resolve the block's requirements. Return 0
* on success, -1 on error.
*/
int begin_optional(int pass);
int end_optional(int pass);
/* ELSE blocks are similar to normal blocks with the following two
* limitations:
* - no declarations are allowed within else branches
* - no REQUIRES are allowed; the else branch inherits the parent's
* requirements
*/
int begin_optional_else(int pass);
/* Called whenever existing an avrule block. Check that the block had
* a non-empty REQUIRE section. If so pop the block off of the scop
* stack and return 0. If not then send an error to yyerror and
* return -1. */
int end_avrule_block(int pass);
#endif