diff options
author | Miroslav Grepl <mgrepl@redhat.com> | 2014-04-11 09:37:53 +0200 |
---|---|---|
committer | Miroslav Grepl <mgrepl@redhat.com> | 2014-04-11 09:37:53 +0200 |
commit | 47be9ff57e72906660bb62a515222f482131e1fb (patch) | |
tree | 2cb0ef0ba48d73b1df7cc0915754a17e19464bb6 /libqpol/include/qpol | |
download | setools-master.tar.gz setools-master.tar.xz setools-master.zip |
Create setools-3.3.7 git repomaster
Diffstat (limited to 'libqpol/include/qpol')
28 files changed, 3929 insertions, 0 deletions
diff --git a/libqpol/include/qpol/Makefile.am b/libqpol/include/qpol/Makefile.am new file mode 100644 index 0000000..b55acb7 --- /dev/null +++ b/libqpol/include/qpol/Makefile.am @@ -0,0 +1,30 @@ +qpoldir = $(includedir)/qpol + +qpol_HEADERS = \ + avrule_query.h \ + bool_query.h \ + class_perm_query.h \ + cond_query.h \ + constraint_query.h \ + context_query.h \ + fs_use_query.h \ + genfscon_query.h \ + isid_query.h \ + iterator.h \ + mls_query.h \ + mlsrule_query.h \ + module.h \ + netifcon_query.h \ + nodecon_query.h \ + permissive_query.h \ + polcap_query.h \ + policy.h \ + policy_extend.h \ + portcon_query.h \ + rbacrule_query.h \ + role_query.h \ + syn_rule_query.h \ + terule_query.h \ + type_query.h \ + user_query.h \ + util.h diff --git a/libqpol/include/qpol/avrule_query.h b/libqpol/include/qpol/avrule_query.h new file mode 100644 index 0000000..d9050d2 --- /dev/null +++ b/libqpol/include/qpol/avrule_query.h @@ -0,0 +1,167 @@ + /** + * @file + * Defines the public interface for searching and iterating over avrules. + * + * @author Kevin Carr kcarr@tresys.com + * @author Jeremy A. Mowery jmowery@tresys.com + * @author Jason Tang jtang@tresys.com + * + * Copyright (C) 2006-2007 Tresys Technology, LLC + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef QPOL_AVRULE_QUERY_H +#define QPOL_AVRULE_QUERY_H + +#ifdef __cplusplus +extern "C" +{ +#endif + +#include <qpol/policy.h> +#include <qpol/class_perm_query.h> +#include <qpol/cond_query.h> +#include <qpol/type_query.h> + + typedef struct qpol_avrule qpol_avrule_t; + +/* rule type defines (values copied from "sepol/policydb/policydb.h") */ +#define QPOL_RULE_ALLOW 1 +#define QPOL_RULE_NEVERALLOW 128 +#define QPOL_RULE_AUDITALLOW 2 +/* dontaudit is actually stored as auditdeny so that value is used here */ +#define QPOL_RULE_DONTAUDIT 4 + +/** + * Get an iterator over all av rules in a policy of a rule type in + * rule_type_mask. It is an error to call this function if rules are + * not loaded. Likewise, it is an error if neverallows are requested + * but they were not loaded. + * @param policy Policy from which to get the av rules. + * @param rule_type_mask Bitwise or'ed set of QPOL_RULE_* values. + * It is an error to specify any of QPOL_RULE_TYPE_* in the mask. + * @param iter Iterator over items of type qpol_avrule_t returned. + * The caller is responsible for calling qpol_iterator_destroy() + * to free memory used by this iterator. + * It is important to note that this iterator is only valid as long as + * the policy is unmodifed. + * @returm 0 on success and < 0 on failure; if the call fails, + * errno will be set and *iter will be NULL. + */ + extern int qpol_policy_get_avrule_iter(const qpol_policy_t * policy, uint32_t rule_type_mask, qpol_iterator_t ** iter); + +/** + * Get the source type from an av rule. + * @param policy Policy from which the rule comes. + * @param rule The rule from which to get the source type. + * @param source Pointer in which to store the source type. + * The caller should not free this pointer. + * @returm 0 on success and < 0 on failure; if the call fails, + * errno will be set and *source will be NULL. + */ + extern int qpol_avrule_get_source_type(const qpol_policy_t * policy, const qpol_avrule_t * rule, + const qpol_type_t ** source); + +/** + * Get the target type from an av rule. + * @param policy Policy from which the rule comes. + * @param rule The rule from which to get the target type. + * @param target Pointer in which to store the target type. + * The caller should not free this pointer. + * @returm 0 on success and < 0 on failure; if the call fails, + * errno will be set and *target will be NULL. + */ + extern int qpol_avrule_get_target_type(const qpol_policy_t * policy, const qpol_avrule_t * rule, + const qpol_type_t ** target); + +/** + * Get the object class from an av rule. + * @param policy Policy from which the rule comes. + * @param rule The rule from which to get the object class. + * @param obj_class Pointer in which to store the object class. + * The caller should not free this pointer. + * @returm 0 on success and < 0 on failure; if the call fails, + * errno will be set and *obj_class will be NULL. + */ + extern int qpol_avrule_get_object_class(const qpol_policy_t * policy, const qpol_avrule_t * rule, + const qpol_class_t ** obj_class); + +/** + * Get an iterator over the permissions in an av rule. + * @param policy Policy from which the rule comes. + * @param rule The rule from which to get the permissions. + * @param perms Iterator over items of type char* returned. + * The caller is responsible for calling qpol_iterator_destroy() + * to free memory used by this iterator. The caller <b>should call</b> + * <b>free() on the strings returned by qpol_iterator_get_item().</b> + * It is important to note that this iterator is only valid as long as + * the policy is unmodifed. + * @returm 0 on success and < 0 on failure; if the call fails, + * errno will be set and *perms will be NULL. + */ + extern int qpol_avrule_get_perm_iter(const qpol_policy_t * policy, const qpol_avrule_t * rule, qpol_iterator_t ** perms); + +/** + * Get the rule type value for an av rule. + * @param policy Policy from which the rule comes. + * @param rule The rule from which to get the rule type. + * @param rule_type Integer in which to store the rule type value. + * The value will be one of the QPOL_RULE_* values above. + * @returm 0 on success and < 0 on failure; if the call fails, + * errno will be set and *rule_type will be 0. + */ + extern int qpol_avrule_get_rule_type(const qpol_policy_t * policy, const qpol_avrule_t * rule, uint32_t * rule_type); + +/** + * Get the conditional from which an av rule comes. If the rule + * is not a conditional rule *cond is set to NULL. + * @param policy Policy from which the rule comes. + * @param rule The rule from which to get the conditional. + * @param cond The conditional returned. (NULL if rule is not conditional) + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *cond will be NULL. If the rule is not conditional + * *cond is set to NULL and the function is considered successful. + */ + extern int qpol_avrule_get_cond(const qpol_policy_t * policy, const qpol_avrule_t * rule, const qpol_cond_t ** cond); + +/** + * Determine if a rule is enabled. Unconditional rules are always enabled. + * @param policy Policy from which the rule comes. + * @param rule The rule to check. + * @param is_enabled Integer in which to store the result: set to 1 if enabled + * and 0 otherwise. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *is_enabled will be 0. + */ + extern int qpol_avrule_get_is_enabled(const qpol_policy_t * policy, const qpol_avrule_t * rule, uint32_t * is_enabled); + +/** + * Get the list (true or false) in which a conditional rule is. It is + * an error to call this function for an unconditional rule. + * @param policy Policy from which the rule comes. + * @param rule The rule to check. + * @param which_list Integer in which to store the result: set to 1 if + * rule is in the true list or 0 if in the false list. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *which_list will be 0. + */ + extern int qpol_avrule_get_which_list(const qpol_policy_t * policy, const qpol_avrule_t * rule, uint32_t * which_list); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/libqpol/include/qpol/bool_query.h b/libqpol/include/qpol/bool_query.h new file mode 100644 index 0000000..41c2d26 --- /dev/null +++ b/libqpol/include/qpol/bool_query.h @@ -0,0 +1,127 @@ +/** + * @file + * Defines the public interface for searching and iterating over booleans. + * + * @author Kevin Carr kcarr@tresys.com + * @author Jeremy A. Mowery jmowery@tresys.com + * @author Jason Tang jtang@tresys.com + * + * Copyright (C) 2006-2007 Tresys Technology, LLC + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef QPOL_BOOL_QUERY_H +#define QPOL_BOOL_QUERY_H + +#ifdef __cplusplus +extern "C" +{ +#endif + +#include <stddef.h> +#include <stdint.h> +#include <qpol/policy.h> +#include <qpol/iterator.h> + + typedef struct qpol_bool qpol_bool_t; + +/** + * Get the datum for a conditional boolean by name. + * @param policy The policy database from which to retrieve the boolean. + * @param name The name of the boolean; searching is case sensitive. + * @param datum Pointer to set to the boolean's datum entry in the policy. + * This memory should not be freed by the user. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *datum will be NULL. + */ + extern int qpol_policy_get_bool_by_name(const qpol_policy_t * policy, const char *name, qpol_bool_t ** datum); + +/** + * Get an iterator for conditional booleans in the policy. + * @param policy The policy database from which to create the iterator. + * @param iter Iterator of type qpol_bool_t* returned; + * the user is responsible for calling qpol_iterator_destroy to + * free memory used. It is also important to note that an iterator + * is only valid as long as the policy is unchanged. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *iter will be NULL. + */ + extern int qpol_policy_get_bool_iter(const qpol_policy_t * policy, qpol_iterator_t ** iter); + +/** + * Get the integer value associated with a boolean. Values range from 1 to + * the number of conditional booleans declared in the policy. + * @param policy The policy with which the boolean is associated. + * @param datum Boolean datum from which to get the value. Must be non-NULL. + * @param value Pointer to integer be set to value. Must be non-NULL. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *value will be 0. + */ + extern int qpol_bool_get_value(const qpol_policy_t * policy, const qpol_bool_t * datum, uint32_t * value); + +/** + * Get the state of a boolean. + * @param policy The policy with which the boolean is associated. + * @param datum Boolean datum from which to get the state. Must be non-NULL. + * @param state Pointer to the integer to be set to the boolean's state. + * Must be non-NULL. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *state will set to 0 (false). + */ + extern int qpol_bool_get_state(const qpol_policy_t * policy, const qpol_bool_t * datum, int *state); + +/** + * Set the state of a boolean and update the state of all conditionals + * using the boolean. + * @param policy The policy with which the boolean is associated. + * The state of the policy is changed by this function. + * @param datum Boolean datum for which to set the state. Must be non-NULL. + * @param state Value to which to set the state of the boolean. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set. + */ + extern int qpol_bool_set_state(qpol_policy_t * policy, qpol_bool_t * datum, int state); + +/** + * Set the state of a boolean but do not update the state of all conditionals + * using the boolean. The caller is responsible for calling + * qpol_policy_reevaluate_conds() at a later time to maintain a consistent + * state of conditional expressions. + * @param policy The policy with which the boolean is associated. + * The state of the policy is changed by this function. + * @param datum Boolean datum for which to set the state. Must be non-NULL. + * @param state Value to which to set the state of the boolean. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set. + */ + extern int qpol_bool_set_state_no_eval(qpol_policy_t * policy, qpol_bool_t * datum, int state); + +/** + * Get the name which identifies a boolean from its datum. + * @param policy The policy with which the boolean is associated. + * @param datum Boolean datum for which to get the name. Must be non-NULL. + * @param name Pointer to the string in which to store the name. + * Must be non-NULL. The caller should not free the string. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *name will be NULL. + */ + extern int qpol_bool_get_name(const qpol_policy_t * policy, const qpol_bool_t * datum, const char **name); + +#ifdef __cplusplus +} +#endif + +#endif /* QPOL_BOOL_QUERY_H */ diff --git a/libqpol/include/qpol/class_perm_query.h b/libqpol/include/qpol/class_perm_query.h new file mode 100644 index 0000000..a74357a --- /dev/null +++ b/libqpol/include/qpol/class_perm_query.h @@ -0,0 +1,209 @@ +/** + * @file + * Defines the public interface for searching and iterating over + * classes, commons, and permissions. + * + * @author Kevin Carr kcarr@tresys.com + * @author Jeremy A. Mowery jmowery@tresys.com + * @author Jason Tang jtang@tresys.com + * + * Copyright (C) 2006-2007 Tresys Technology, LLC + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef QPOL_CLASS_PERM_QUERY_H +#define QPOL_CLASS_PERM_QUERY_H + +#ifdef __cplusplus +extern "C" +{ +#endif + +#include <stddef.h> +#include <stdint.h> +#include <qpol/iterator.h> +#include <qpol/policy.h> + + typedef struct qpol_class qpol_class_t; + typedef struct qpol_common qpol_common_t; + +/* perms */ +/** + * Get an iterator over the set of classes which contain a permission + * with the name perm. This function does not search for the permission + * in the class's inherited common. + * @param policy The policy from which to query the classes. + * @param perm The name of the permission to be matched. Must be non-NULL. + * @param classes The iterator of type qpol_class_t returned; + * the user is responsible for calling qpol_iterator_destroy + * to free memory used. It is also important to note + * that an iterator is only valid as long as the policy is unchanged. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *classes will be NULL; + */ + extern int qpol_perm_get_class_iter(const qpol_policy_t * policy, const char *perm, qpol_iterator_t ** classes); + +/** + * Get an iterator over the set of commons which contain a permission + * with the name perm. + * @param policy The policy from which to query the commons. + * @param perm The name of the permission to be matched. Must be non-NULL. + * @param commons The iterator of type qpol_common_t returned; + * the user is responsible for calling qpol_iterator_destroy + * to free memory used. It is also important to note + * that an iterator is only valid as long as the policy is unchanged. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *commons will be NULL; + */ + extern int qpol_perm_get_common_iter(const qpol_policy_t * policy, const char *perm, qpol_iterator_t ** commons); + +/* classes */ +/** + * Get an object class by name. + * @param policy The policy from which to get the class. + * @param name The name of the class; searching is case sensitive. + * @param obj_class Pointer in which to store the class. + * Caller should not free this pointer. + * @return Returns 0 for success and < 0 for failure; if the call fails, + * errno will be set and *obj_class will be NULL; + */ + extern int qpol_policy_get_class_by_name(const qpol_policy_t * policy, const char *name, const qpol_class_t ** obj_class); + +/** + * Get an iterator for object classes in the policy. + * @param policy The policy database from which to create the iterator. + * @param iter Iterator of type qpol_class_t* returned; the user + * is responsible for calling qpol_iterator_destroy to free memory used. + * It is also important to note that an iterator is only valid as long + * as the policy is unchanged. + * @return Returns 0 for success and < 0 for failure; if the call fails, + * errno will be set and *iter will be NULL. +*/ + extern int qpol_policy_get_class_iter(const qpol_policy_t * policy, qpol_iterator_t ** iter); + +/** + * Get the integer value associated with a class. Values range from 1 to + * the number of object classes declared in the policy. + * @param policy The policy with which the class is associated. + * @param obj_class Class from which to get the value. Must be non-NULL. + * @param value Pointer to the integer to be set to value. Must be non-NULL. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *value will be 0. + */ + extern int qpol_class_get_value(const qpol_policy_t * policy, const qpol_class_t * obj_class, uint32_t * value); + +/** + * Get the common used by a class. + * @param policy The policy with which the class is associated. + * @param obj_class Class from which to get the value. Must be non-NULL. + * @param common Pointer to the common associated with this + * class; the caller should not free this pointer. Not all classes have an + * associated common so it is possible for *common to be NULL on success. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *common will be NULL. + */ + extern int qpol_class_get_common(const qpol_policy_t * policy, const qpol_class_t * obj_class, + const qpol_common_t ** common); + +/** + * Get an iterator for the set of (unique) permissions for a class. + * @param policy The policy with which the class is associated. + * @param obj_class The class from which to get the permissions. + * @param perms Iterator of type char* returned for the list of + * permissions for this class. The list only contains permissions unique + * to the class not those included from a common. The iterator is only + * valid as long as the policy is unchanged; the caller is responsible + * for calling qpol_iterator_destroy to free memory used. + * @return Returns 0 for success and < 0 for failure; if the call fails, + * errno will be set and *perms will be NULL. + */ + extern int qpol_class_get_perm_iter(const qpol_policy_t * policy, const qpol_class_t * obj_class, qpol_iterator_t ** perms); + +/** + * Get the name which identifies a class. + * @param policy The policy with which the class is associated. + * @param datum Class for which to get the name. Must be non-NULL. + * @param name Pointer to the string in which to store the name. + * Must be non-NULL. Caller should not free the string. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *name will be NULL. + */ + extern int qpol_class_get_name(const qpol_policy_t * policy, const qpol_class_t * obj_class, const char **name); + +/* commons */ +/** + * Get a common by name. + * @param policy from which to get the common. + * @param name The name of the common; searching is case sensitive. + * @param common Pointer in which to store the common. + * Caller should not free this pointer. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *common will be NULL. + */ + extern int qpol_policy_get_common_by_name(const qpol_policy_t * policy, const char *name, const qpol_common_t ** common); + +/** + * Get an iterator for commons in the policy + * @param policy The policy from which to create the iterator. + * @param iter Iterator of type qpol_common_t* returned; + * the user is responsible for calling qpol_iterator_destroy to + * free memory used. It is also important to note that an iterator is + * only valid as long as the policy is unchanged. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *iter will be NULL. + */ + extern int qpol_policy_get_common_iter(const qpol_policy_t * policy, qpol_iterator_t ** iter); + +/** + * Get the integer value associated with a common. Values range from 1 to + * the number of commons declared in the policy. + * @param policy The policy associated with the common. + * @param common The common from which to get the value. + * @param value Pointer to the integer to be set to value. Must be non-NULL. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *value will be 0. + */ + extern int qpol_common_get_value(const qpol_policy_t * policy, const qpol_common_t * common, uint32_t * value); + +/** + * Get an iterator for the permissions included in a common. + * @param policy The policy associated with the common. + * @param common The common from which to get permissions. + * @param perms Iterator of type char* returned for the list of + * permissions for this common. The iterator is only valid as long + * as the policy is unchanged; the caller is responsible for calling + * qpol_iterator_destroy to free memory used. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *perms will be NULL. + */ + extern int qpol_common_get_perm_iter(const qpol_policy_t * policy, const qpol_common_t * common, qpol_iterator_t ** perms); + +/** + * Get the name which identifies a common. + * @param policy associated with the common. + * @param common The common from which to get the name. + * @param name Pointer in which to store the name. Must be non-NULL; + * the caller should not free the string. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *name will be NULL. + */ + extern int qpol_common_get_name(const qpol_policy_t * policy, const qpol_common_t * common, const char **name); + +#ifdef __cplusplus +} +#endif + +#endif /* QPOL_CLASS_PERM_QUERY_H */ diff --git a/libqpol/include/qpol/cond_query.h b/libqpol/include/qpol/cond_query.h new file mode 100644 index 0000000..e2722ef --- /dev/null +++ b/libqpol/include/qpol/cond_query.h @@ -0,0 +1,198 @@ +/** + * @file + * Defines the public interface for searching and iterating over + * conditionals + * + * @author Kevin Carr kcarr@tresys.com + * @author Jeremy A. Mowery jmowery@tresys.com + * @author Jason Tang jtang@tresys.com + * + * Copyright (C) 2006-2007 Tresys Technology, LLC + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef QPOL_COND_QUERY_H +#define QPOL_COND_QUERY_H + +#ifdef __cplusplus +extern "C" +{ +#endif + +#include <qpol/policy.h> +#include <qpol/bool_query.h> +#include <qpol/iterator.h> + + typedef struct qpol_cond qpol_cond_t; + typedef struct qpol_cond_expr_node qpol_cond_expr_node_t; + +/** + * Get an iterator over all conditionals in a policy. + * It is an error to call this function if rules are not loaded. + * @param policy Policy from which to get the conditionals. + * @param iter Iterator over items of type qpol_cond_t returned. + * The caller is responsible for calling qpol_iterator_destroy() + * to free memory used in this iterator. + * It is important to node that this iterator is only valid as long as + * the policy is unmodified. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *iter will be NULL. + */ + extern int qpol_policy_get_cond_iter(const qpol_policy_t * policy, qpol_iterator_t ** iter); + +/** + * Get an iterator over the nodes in a conditional expression. + * Each node represents a single token of the expression in RPN. + * @param policy The policy associated with the conditional. + * @param cond The conditional from which to get the expression. + * @param iter Iterator over items of type qpol_cond_expr_node_t returned. + * The caller is responsible for calling qpol_iterator_destroy() + * to free memory used in this iterator. + * It is important to node that this iterator is only valid as long as + * the policy is unmodified. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *iter will be NULL. + */ + extern int qpol_cond_get_expr_node_iter(const qpol_policy_t * policy, const qpol_cond_t * cond, qpol_iterator_t ** iter); + +/* flags for conditional rules */ +#define QPOL_COND_RULE_LIST 0x00000001 +#define QPOL_COND_RULE_ENABLED 0x00000002 + +/** + * Get an iterator over all av rules in a conditional's true list + * of a rule type in rule_type_mask. + * @param policy The policy associated with the conditional. + * @param cond The conditional from which to get the rules. + * @param rule_type_mask Bitwise or'ed set of QPOL_RULE_* values + * (see avrule_query.h) to include. + * @param iter Iterator over items of type qpol_avrule_t returned. + * The caller is responsible for calling qpol_iterator_destroy() + * to free memory used by this iterator. + * It is important to note that this iterator is only valid as long as + * the policy is unmodifed. + * @returm 0 on success and < 0 on failure; if the call fails, + * errno will be set and *iter will be NULL. + */ + extern int qpol_cond_get_av_true_iter(const qpol_policy_t * policy, const qpol_cond_t * cond, uint32_t rule_type_mask, + qpol_iterator_t ** iter); + +/** + * Get an iterator over all type rules in a conditional's true list + * of a rule type in rule_type_mask. + * @param policy The policy associated with the conditional. + * @param cond The conditional from which to get the rules. + * @param rule_type_mask Bitwise or'ed set of QPOL_RULE_TYPE_* values + * (see terule_query.h) to include. + * @param iter Iterator over items of type qpol_terule_t returned. + * The caller is responsible for calling qpol_iterator_destroy() + * to free memory used by this iterator. + * It is important to note that this iterator is only valid as long as + * the policy is unmodifed. + * @returm 0 on success and < 0 on failure; if the call fails, + * errno will be set and *iter will be NULL. + */ + extern int qpol_cond_get_te_true_iter(const qpol_policy_t * policy, const qpol_cond_t * cond, uint32_t rule_type_mask, + qpol_iterator_t ** iter); + +/** + * Get an iterator over all av rules in a conditional's false list + * of a rule type in rule_type_mask. + * @param policy The policy associated with the conditional. + * @param cond The conditional from which to get the rules. + * @param rule_type_mask Bitwise or'ed set of QPOL_RULE_* values + * (see avrule_query.h) to include. + * @param iter Iterator over items of type qpol_avrule_t returned. + * The caller is responsible for calling qpol_iterator_destroy() + * to free memory used by this iterator. + * It is important to note that this iterator is only valid as long as + * the policy is unmodifed. + * @returm 0 on success and < 0 on failure; if the call fails, + * errno will be set and *iter will be NULL. + */ + extern int qpol_cond_get_av_false_iter(const qpol_policy_t * policy, const qpol_cond_t * cond, uint32_t rule_type_mask, + qpol_iterator_t ** iter); + +/** + * Get an iterator over all type rules in a conditional's false list + * of a rule type in rule_type_mask. + * @param policy The policy associated with the conditional. + * @param cond The conditional from which to get the rules. + * @param rule_type_mask Bitwise or'ed set of QPOL_RULE_TYPE_* values + * (see terule_query.h) to include. + * @param iter Iterator over items of type qpol_avrule_t returned. + * The caller is responsible for calling qpol_iterator_destroy() + * to free memory used by this iterator. + * It is important to note that this iterator is only valid as long as + * the policy is unmodifed. + * @returm 0 on success and < 0 on failure; if the call fails, + * errno will be set and *iter will be NULL. + */ + extern int qpol_cond_get_te_false_iter(const qpol_policy_t * policy, const qpol_cond_t * cond, uint32_t rule_type_mask, + qpol_iterator_t ** iter); + +/** + * Evaluate the expression of a conditional using current boolean values + * in the policy. + * @param policy The policy associated with the conditional. + * @param cond The conditional to evaluate. + * @param is_true Integer in which to store the result of evaluating the + * the expression, will be 1 if true and 0 otherwise. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *is_true will be 0. + */ + extern int qpol_cond_eval(const qpol_policy_t * policy, const qpol_cond_t * cond, uint32_t * is_true); + +/* values identical to conditional.h in sepol */ +#define QPOL_COND_EXPR_BOOL 1 /* plain bool */ +#define QPOL_COND_EXPR_NOT 2 /* !bool */ +#define QPOL_COND_EXPR_OR 3 /* bool || bool */ +#define QPOL_COND_EXPR_AND 4 /* bool && bool */ +#define QPOL_COND_EXPR_XOR 5 /* bool ^ bool */ +#define QPOL_COND_EXPR_EQ 6 /* bool == bool */ +#define QPOL_COND_EXPR_NEQ 7 /* bool != bool */ + +/** + * Get the type of an expression node. + * @param policy The policy associated with the conditional expression. + * @param node The node from which to get the expression type. + * @param expr_type Integer in which to store the expression type; + * the value will be one of QPOL_COND_EXPR_* above. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *expr_type will be 0. + */ + extern int qpol_cond_expr_node_get_expr_type(const qpol_policy_t * policy, const qpol_cond_expr_node_t * node, + uint32_t * expr_type); + +/** + * Get the boolean used in an expression node. This is only valid + * when the node's expression type is QPOL_COND_EXPR_BOOL. + * @param policy The policy associated with the conditional experssion. + * @param node The node from which to get the boolean. It is an error + * to call this function if the node is not of type QPOL_COND_EXPR_BOOL. + * @param cond_bool Pointer in which to store the boolean. + * The caller should not free this pointer. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *cond_bool will be NULL. + */ + extern int qpol_cond_expr_node_get_bool(const qpol_policy_t * policy, const qpol_cond_expr_node_t * node, + qpol_bool_t ** cond_bool); + +#ifdef __cplusplus +} +#endif + +#endif /* QPOL_COND_QUERY_H */ diff --git a/libqpol/include/qpol/constraint_query.h b/libqpol/include/qpol/constraint_query.h new file mode 100644 index 0000000..f5cd7bf --- /dev/null +++ b/libqpol/include/qpol/constraint_query.h @@ -0,0 +1,262 @@ +/** + * @file + * Defines the public interface for searching and iterating over + * constraints + * + * @author Jeremy A. Mowery jmowery@tresys.com + * @author Jason Tang jtang@tresys.com + * + * Copyright (C) 2006-2007 Tresys Technology, LLC + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef QPOL_CONSTRAINT_QUERY_H +#define QPOL_CONSTRAINT_QUERY_H + +#ifdef __cplusplus +extern "C" +{ +#endif + +#include <qpol/policy.h> +#include <qpol/iterator.h> +#include <qpol/class_perm_query.h> + + typedef struct qpol_constraint qpol_constraint_t; + typedef struct qpol_validatetrans qpol_validatetrans_t; + typedef struct qpol_constraint_expr_node qpol_constraint_expr_node_t; + +/** + * Get an iterator for the constraints in a policy. + * @param policy The policy from which to create the iterator. + * @param iter Iterator over items of type qpol_constraint_t returned. + * The caller is responsible for calling qpol_iterator_destroy() + * to free memory used by this iterator. <b>The caller must also call free() + * on items returned by qpol_iterator_get_item() when using this iterator.</b> + * It is important to note that this iterator is only valid as long + * as the policy is unmodified. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *iter will be NULL. + */ + extern int qpol_policy_get_constraint_iter(const qpol_policy_t * policy, qpol_iterator_t ** iter); + +/** + * Get the object class from a constraint. + * @param policy The policy associated with the constraint. + * @param constr The constraint from which to get the class. + * @param obj_class Pointer in which to store the object class. + * The caller should not free this pointer. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *obj_class will be NULL. + */ + extern int qpol_constraint_get_class(const qpol_policy_t * policy, const qpol_constraint_t * constr, + const qpol_class_t ** obj_class); + +/** + * Get an iterator over the permissions in a constraint. + * @param policy The policy from which the constraint comes. + * @param constr The constraint from which to get the permissions. + * @param iter Iterator over items of type char*. + * The caller is responsible for calling qpol_iterator_destroy() + * to free memory used by this iterator. The caller <b>should call</b> + * <b>free() on the strings returned by qpol_iterator_get_item().</b> + * It is important to note that this iterator is only valid as long + * as the policy is unmodified. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *iter will be NULL. + */ + extern int qpol_constraint_get_perm_iter(const qpol_policy_t * policy, const qpol_constraint_t * constr, + qpol_iterator_t ** iter); + +/** + * Get an iterator over the nodes in a constraint expression. + * @param policy The policy from which the constraint comes. + * @param constr The constraint from which to get the expression. + * @param iter Iterator over items of type qpol_constraint_expr_node_t. + * The caller is responsible for calling qpol_iterator_destroy() + * to free memory used by this iterator. The caller should not + * free the items returned by qpol_iterator_get_item(). + * It is important to note that this iterator is only valid as long + * as the policy is unmodified. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *iter will be NULL. + */ + extern int qpol_constraint_get_expr_iter(const qpol_policy_t * policy, const qpol_constraint_t * constr, + qpol_iterator_t ** iter); + +/** + * Get an iterator for the validatetrans statements in a policy. + * @param policy The policy from which to create the iterator. + * @param iter Iterator over items of type qpol_validatetrans_t returned. + * The caller is responsible for calling qpol_iterator_destroy() + * to free memory used by this iterator. <b>The caller must also call free() + * on items returned by qpol_iterator_get_item() when using this iterator.</b> + * It is important to note that this iterator is only valid as long + * as the policy is unmodified. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *iter will be NULL. + */ + extern int qpol_policy_get_validatetrans_iter(const qpol_policy_t * policy, qpol_iterator_t ** iter); + +/** + * Get the object class from a validatetrans statement. + * @param policy The policy associated with the validatetrans statement. + * @param vtrans The validatetrans statement from which to get the class. + * @param obj_class Pointer in which to store the object class. + * The caller should not free this pointer. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *obj_class will be NULL. + */ + extern int qpol_validatetrans_get_class(const qpol_policy_t * policy, const qpol_validatetrans_t * vtrans, + const qpol_class_t ** obj_class); + +/** + * Get an iterator over the nodes in a validatetrans expression. + * @param policy The policy from which the validatetrans statement comes. + * @param vtrans The validatetrans statement from which to get the expression. + * @param iter Iterator over items of type qpol_constraint_expr_node_t. + * The caller is responsible for calling qpol_iterator_destroy() + * to free memory used by this iterator. The caller should not + * free the items returned by qpol_iterator_get_item(). + * It is important to note that this iterator is only valid as long + * as the policy is unmodified. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *iter will be NULL. + */ + extern int qpol_validatetrans_get_expr_iter(const qpol_policy_t * policy, const qpol_validatetrans_t * vtrans, + qpol_iterator_t ** iter); + +/* expr_type values */ +#define QPOL_CEXPR_TYPE_NOT 1 +#define QPOL_CEXPR_TYPE_AND 2 +#define QPOL_CEXPR_TYPE_OR 3 +#define QPOL_CEXPR_TYPE_ATTR 4 +#define QPOL_CEXPR_TYPE_NAMES 5 + +/** + * Get the code for the expression type of by an expression node. + * @patam policy The policy from which the expression comes. + * @param expr The expression node from which to get the expression type. + * @param expr_type Integer in which to store the expression type; the value + * will be one of QPOL_CEXPR_TYPE_* above. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *op will be 0. + */ + extern int qpol_constraint_expr_node_get_expr_type(const qpol_policy_t * policy, const qpol_constraint_expr_node_t * expr, + uint32_t * expr_type); + +/* attr values */ +#define QPOL_CEXPR_SYM_USER 1 +#define QPOL_CEXPR_SYM_ROLE 2 +#define QPOL_CEXPR_SYM_TYPE 4 +#define QPOL_CEXPR_SYM_TARGET 8 +#define QPOL_CEXPR_SYM_XTARGET 16 +#define QPOL_CEXPR_SYM_L1L2 32 +#define QPOL_CEXPR_SYM_L1H2 64 +#define QPOL_CEXPR_SYM_H1L2 128 +#define QPOL_CEXPR_SYM_H1H2 256 +#define QPOL_CEXPR_SYM_L1H1 512 +#define QPOL_CEXPR_SYM_L2H2 1024 + +/** + * Get the code for the symbol type used by an expression node. + * @param policy The policy from which the expression comes. + * @param expr The expression node from which to get the symbol type. + * Must be of expression type QPOL_CEXPR_TYPE_ATTR or QPOL_CEXPR_TYPE_NAMES. + * @param sym_type Integer in which to store the symbol type; the value + * will be a bitwise or'ed set of QPOL_CEXPR_SYM_* above. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *sym_type will be 0. + */ + extern int qpol_constraint_expr_node_get_sym_type(const qpol_policy_t * policy, const qpol_constraint_expr_node_t * expr, + uint32_t * sym_type); + +/* op values */ +#define QPOL_CEXPR_OP_EQ 1 +#define QPOL_CEXPR_OP_NEQ 2 +#define QPOL_CEXPR_OP_DOM 3 +#define QPOL_CEXPR_OP_DOMBY 4 +#define QPOL_CEXPR_OP_INCOMP 5 + +/** + * Get the operator used by an expression node. + * @param policy The policy from which the expression comes. + * @param expr The expression node from which to get the operator. + * Must be of expression type QPOL_CEXPR_TYPE_ATTR or QPOL_CEXPR_TYPE_NAMES. + * @param op Integer in which to store the operator; the value + * will be one of QPOL_CEXPR_OP_* above. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *op will be 0. + */ + extern int qpol_constraint_expr_node_get_op(const qpol_policy_t * policy, const qpol_constraint_expr_node_t * expr, + uint32_t * op); + +/** + * Get an iterator of the names in an expression node. + * @param policy The policy from which the expression comes. + * @param expr The expression node from which to create the iterator. + * Must be of expression type QPOL_CEXPR_TYPE_NAMES. + * @param iter Iterator over items of type char* returned. + * The caller is responsible for calling qpol_iterator_destroy() + * to free memory used by this iterator. <b>The caller should call + * free() on the strings returned by qpol_iterator_get_item().</b> + * It is important to note that this iterator is only valid as long + * as the policy is unmodified. + * In the case where the symbol names are types, the name of a subtracted + * type will be prepended with a '-' character. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *iter will be NULL. + */ + extern int qpol_constraint_expr_node_get_names_iter(const qpol_policy_t * policy, const qpol_constraint_expr_node_t * expr, + qpol_iterator_t ** iter); + +/** + * Get an iterator for the constraints on a class. + * @param policy The policy associated with the class. + * @param obj_class The class from which to create the iterator. + * @param constr Iterator over items of type qpol_constraint_t returned. + * The caller is responsible for calling qpol_iterator_destroy() + * to free memory used by this iterator. <b>The caller must also call free() + * on items returned by qpol_iterator_get_item() when using this iterator.</b> + * It is important to note that this iterator is only valid as long + * as the policy is unmodified. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *constr will be NULL. + */ + extern int qpol_class_get_constraint_iter(const qpol_policy_t * policy, const qpol_class_t * obj_class, + qpol_iterator_t ** constr); + +/** + * Get an iterator for the validatetrans statements for a class. + * @param policy The policy associated with the class. + * @param obj_class The class from which to create the iterator. + * @param vtrans Iterator over items of type qpol_validatetrans_t returned. + * The caller is responsible for calling qpol_iterator_destroy() + * to free memory used by this iterator. <b>The caller must also call free() + * on items returned by qpol_iterator_get_item() when using this iterator.</b> + * It is important to note that this iterator is only valid as long + * as the policy is unmodified. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *vtrans will be NULL. + */ + extern int qpol_class_get_validatetrans_iter(const qpol_policy_t * policy, const qpol_class_t * obj_class, + qpol_iterator_t ** vtrans); + +#ifdef __cplusplus +} +#endif + +#endif /* QPOL_CONSTRAINT_QUERY_H */ diff --git a/libqpol/include/qpol/context_query.h b/libqpol/include/qpol/context_query.h new file mode 100644 index 0000000..d152d79 --- /dev/null +++ b/libqpol/include/qpol/context_query.h @@ -0,0 +1,93 @@ +/** + * @file + * Defines the public interface accessing contexts. + * + * @author Kevin Carr kcarr@tresys.com + * @author Jeremy A. Mowery jmowery@tresys.com + * @author Jason Tang jtang@tresys.com + * + * Copyright (C) 2006-2007 Tresys Technology, LLC + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef QPOL_CONTEXT_QUERY_H +#define QPOL_CONTEXT_QUERY_H + +#ifdef __cplusplus +extern "C" +{ +#endif + +#include <stddef.h> +#include <stdint.h> +#include <qpol/policy.h> +#include <qpol/user_query.h> +#include <qpol/role_query.h> +#include <qpol/type_query.h> +#include <qpol/mls_query.h> + + typedef struct qpol_context qpol_context_t; + +/** + * Get the datum for the user field of a context. + * @param policy The policy associated with the context. + * @param context The context from which to get the user. + * @param user Pointer in which to store the user datum. + * The caller should not free this pointer. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *user will be NULL. + */ + extern int qpol_context_get_user(const qpol_policy_t * policy, const qpol_context_t * context, const qpol_user_t ** user); + +/** + * Get the datum for the role field of a context. + * @param policy The policy associated with the context. + * @param context The context from which to get the role. + * @param role Pointer in which to store the role datum. + * The caller should not free this pointer. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *role will be NULL. + */ + extern int qpol_context_get_role(const qpol_policy_t * policy, const qpol_context_t * context, const qpol_role_t ** role); + +/** + * Get the datum for the type field of a context. + * @param policy The policy associated with the context. + * @param context The context from which to get the type. + * @param type Pointer in which to store the type datum. + * The caller should not free this pointer. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *type will be NULL. + */ + extern int qpol_context_get_type(const qpol_policy_t * policy, const qpol_context_t * context, const qpol_type_t ** type); + +/** + * Get the datum for the MLS range field of a context. + * @param policy The policy associated with the context. + * @param context The context from which to get the MLS range. + * @param range Pointer in which to store the MLS range. + * The caller should not free this pointer. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *range will be NULL. + */ + extern int qpol_context_get_range(const qpol_policy_t * policy, const qpol_context_t * context, + const qpol_mls_range_t ** range); + +#ifdef __cplusplus +} +#endif + +#endif /* QPOL_CONTEXT_QUERY_H */ diff --git a/libqpol/include/qpol/fs_use_query.h b/libqpol/include/qpol/fs_use_query.h new file mode 100644 index 0000000..c45ae44 --- /dev/null +++ b/libqpol/include/qpol/fs_use_query.h @@ -0,0 +1,115 @@ +/** + * @file + * Defines the public interface for searching and iterating over fs_use statements. + * + * @author Kevin Carr kcarr@tresys.com + * @author Jeremy A. Mowery jmowery@tresys.com + * @author Jason Tang jtang@tresys.com + * + * Copyright (C) 2006-2007 Tresys Technology, LLC + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef QPOL_FS_USE_QUERY_H +#define QPOL_FS_USE_QUERY_H + +#ifdef __cplusplus +extern "C" +{ +#endif + +#include <stddef.h> +#include <stdint.h> +#include <qpol/iterator.h> +#include <qpol/policy.h> +#include <qpol/context_query.h> + + typedef struct qpol_fs_use qpol_fs_use_t; + +/** + * Get a fs_use statement by file system name. + * @param policy The policy from which to get the fs_use statement. + * @param name The name of the file system. + * @param ocon Pointer in which to store the fs_use statement. + * The caller should not free this pointer. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *ocon will be NULL. + */ + extern int qpol_policy_get_fs_use_by_name(const qpol_policy_t * policy, const char *name, const qpol_fs_use_t ** ocon); + +/** + * Get an iterator for the fs_use statements in a policy. + * @param policy The policy from which to create the iterator. + * @param iter Iterator over items of type qpol_fs_use_t returned. + * The caller is responsible for calling qpol_iterator_destroy + * to free memory used by this iterator. + * It is important to note that this iterator is only valid as long + * as the policy is unmodified. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *iter will be NULL. + */ + extern int qpol_policy_get_fs_use_iter(const qpol_policy_t * policy, qpol_iterator_t ** iter); + +/** + * Get the file system name from a fs_use statement. + * @param policy The policy associated with the fs_use statement. + * @param ocon The fs_use statement from which to get the name. + * @param name Pointer to the string in which to store the name. + * The caller should not free this string. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *name will be NULL. + */ + extern int qpol_fs_use_get_name(const qpol_policy_t * policy, const qpol_fs_use_t * ocon, const char **name); + +/* The defines QPOL_FS_USE_XATTR through QPOL_FS_USE_NONE are + * copied from sepol/policydb/services.h. + * QPOL_FS_USE_PSID is an extension to support v12 policies. */ +#define QPOL_FS_USE_XATTR 1U +#define QPOL_FS_USE_TRANS 2U +#define QPOL_FS_USE_TASK 3U +#define QPOL_FS_USE_GENFS 4U +#define QPOL_FS_USE_NONE 5U +#define QPOL_FS_USE_PSID 6U + +/** + * Get the labeling behavior from a fs_use statement. + * @param policy The policy associated with the fs_use statement. + * @param ocon The fs_use statement from which to get the behavior. + * @param behavior Pointer to be set to the value of the labeling behavior. + * The value will be one of the QPOL_FS_USE_* values defined above. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *behavior will be 0. + */ + extern int qpol_fs_use_get_behavior(const qpol_policy_t * policy, const qpol_fs_use_t * ocon, uint32_t * behavior); + +/** + * Get the context from a fs_use statement. + * @param policy The policy associated with the fs_use statement. + * @param ocon The fs_use statement from which to get the context. + * @param context Pointer in which to store the context. + * The caller should not free this pointer. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *context will be NULL. It is considered an + * error to call this function if behavior is QPOL_FS_USE_PSID. + */ + extern int qpol_fs_use_get_context(const qpol_policy_t * policy, const qpol_fs_use_t * ocon, + const qpol_context_t ** context); + +#ifdef __cplusplus +} +#endif + +#endif /* QPOL_FS_USE_QUERY_H */ diff --git a/libqpol/include/qpol/genfscon_query.h b/libqpol/include/qpol/genfscon_query.h new file mode 100644 index 0000000..f89795a --- /dev/null +++ b/libqpol/include/qpol/genfscon_query.h @@ -0,0 +1,128 @@ +/** + * @file + * Defines the public interface for searching and iterating over genfscon statements. + * + * @author Kevin Carr kcarr@tresys.com + * @author Jeremy A. Mowery jmowery@tresys.com + * @author Jason Tang jtang@tresys.com + * + * Copyright (C) 20062007 Tresys Technology, LLC + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef QPOL_OCON_QUERY_H +#define QPOL_OCON_QUERY_H + +#ifdef __cplusplus +extern "C" +{ +#endif + +#include <stddef.h> +#include <stdint.h> +#include <qpol/iterator.h> +#include <qpol/policy.h> + + typedef struct qpol_genfscon qpol_genfscon_t; + +/** + * Get a genfscon statement by file system name and path. + * @param policy The policy from which to get the genfscon statement. + * @param name The name of the file system. + * @param path The path relative to the filesystem mount point. + * @param genfscon Pointer in which to store the genfscon statement. + * The caller should call free() on this pointer. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *genfscon will be NULL. + */ + extern int qpol_policy_get_genfscon_by_name(const qpol_policy_t * policy, const char *name, const char *path, + qpol_genfscon_t ** genfscon); + +/** + * Get an iterator for the genfscon statements in a policy. + * @param policy The policy from which to create the iterator. + * @param iter Iterator over items of type qpol_genfscon_t returned. + * The caller is responsible for calling qpol_iterator_destroy() + * to free memory used by this iterator. The caller must also call free() + * on items returned by qpol_iterator_get_item() when using this iterator. + * It is important to note that this iterator is only valid as long + * as the policy is unmodified. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *iter will be NULL. + */ + extern int qpol_policy_get_genfscon_iter(const qpol_policy_t * policy, qpol_iterator_t ** iter); + +/** + * Get the file system name from a gefscon statement. + * @param policy The policy associated with the genfscon statement. + * @param genfs The genfscon statement from which to get the name. + * @param name Pointer to th string in which to store the name. + * The caller should not free this string. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *name will be NULL. + */ + extern int qpol_genfscon_get_name(const qpol_policy_t * policy, const qpol_genfscon_t * genfs, const char **name); + +/** + * Get the relative path from a gefscon statement. + * @param policy The policy associated with the genfscon statement. + * @param genfs The genfscon statement from which to get the path. + * @param path Pointer to the string in which to store the path. + * The caller should not free this string. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *path will be NULL. + */ + extern int qpol_genfscon_get_path(const qpol_policy_t * policy, const qpol_genfscon_t * genfs, const char **path); + +/* values from flask do not change */ +#define QPOL_CLASS_ALL 0U +#define QPOL_CLASS_BLK_FILE 11U +#define QPOL_CLASS_CHR_FILE 10U +#define QPOL_CLASS_DIR 7U +#define QPOL_CLASS_FIFO_FILE 13U +#define QPOL_CLASS_FILE 6U +#define QPOL_CLASS_LNK_FILE 9U +#define QPOL_CLASS_SOCK_FILE 12U + +/** + * Get the object class from a genfscon statement. + * @param policy The policy associated with the genfscon statement. + * @param genfs The genfscon statement from which to get the path. + * @param obj_class Pointer in which to store the integer code for the + * object class. See QPOL_CLASS_* defines above for values. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *class will be 0. + */ + extern int qpol_genfscon_get_class(const qpol_policy_t * policy, const qpol_genfscon_t * genfs, uint32_t * obj_class); + +/** + * Get the context from a path component of a genfscon statement. + * @param policy The policy associated with the genfscon statement. + * @param genfscon The genfscon statement from which to get + * the context. + * @param context Pointer in which to store the context. + * The caller should not free this pointer. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *context will be NULL. + */ + extern int qpol_genfscon_get_context(const qpol_policy_t * policy, const qpol_genfscon_t * genfscon, + const qpol_context_t ** context); + +#ifdef __cplusplus +} +#endif + +#endif /* QPOL_OCON_QUERY_H */ diff --git a/libqpol/include/qpol/isid_query.h b/libqpol/include/qpol/isid_query.h new file mode 100644 index 0000000..56ff4d2 --- /dev/null +++ b/libqpol/include/qpol/isid_query.h @@ -0,0 +1,91 @@ +/** + * @file + * Defines the public interface for searching and iterating over initial SIDs. + * + * @author Kevin Carr kcarr@tresys.com + * @author Jeremy A. Mowery jmowery@tresys.com + * @author Jason Tang jtang@tresys.com + * + * Copyright (C) 2006-2007 Tresys Technology, LLC + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef QPOL_ISID_QUERY_H +#define QPOL_ISID_QUERY_H + +#ifdef __cplusplus +extern "C" +{ +#endif + +#include <stddef.h> +#include <stdint.h> +#include <qpol/iterator.h> +#include <qpol/policy.h> + + typedef struct qpol_isid qpol_isid_t; + +/** + * Get an initial SID statement by name. + * @param policy The policy from which to get the initial SID statement. + * @param name The name of the initial SID. + * @param ocon Pointer in which to store the initial SID. + * The caller should not free this pointer. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *ocon will be NULL. + */ + extern int qpol_policy_get_isid_by_name(const qpol_policy_t * policy, const char *name, const qpol_isid_t ** ocon); + +/** + * Get an iterator for the initial SID statements in a policy. + * @param policy The policy from which to create the iterator. + * @param iter Iterator over items of type qpol_isid_t returned. + * The caller is responsible for calling qpol_iterator_destroy + * to free memory used by this iterator. + * It is important to note that this iterator is only valid as long + * as the policy is unmodified. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *iter will be NULL. + */ + extern int qpol_policy_get_isid_iter(const qpol_policy_t * policy, qpol_iterator_t ** iter); + +/** + * Get the name from an initial SID statement. + * @param policy The policy associated with the initial SID. + * @param ocon The initial SID from which to get the name. + * @param name Pointer to the string in which to store the name. + * The caller should not free this string. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *name will be NULL. + */ + extern int qpol_isid_get_name(const qpol_policy_t * policy, const qpol_isid_t * ocon, const char **name); + +/** + * Get the context from an initial SID statement. + * @param policy The policy associated with the inital SID. + * @param ocon The initial SID from which to get the context. + * @param context Pointer in which to store the context. + * The caller should not free this pointer. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *context will be NULL. + */ + extern int qpol_isid_get_context(const qpol_policy_t * policy, const qpol_isid_t * ocon, const qpol_context_t ** context); + +#ifdef __cplusplus +} +#endif + +#endif /* QPOL_ISID_QUERY_H */ diff --git a/libqpol/include/qpol/iterator.h b/libqpol/include/qpol/iterator.h new file mode 100644 index 0000000..e7bb8be --- /dev/null +++ b/libqpol/include/qpol/iterator.h @@ -0,0 +1,95 @@ +/** + * @file + * Defines the public API for qpol_iterator; this structure + * is used when requesting lists of components from the policy + * database. + * + * @author Kevin Carr kcarr@tresys.com + * @author Jeremy A. Mowery jmowery@tresys.com + * @author Jason Tang jtang@tresys.com + * + * Copyright (C) 2006-2007 Tresys Technology, LLC + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef QPOL_ITERATOR_H +#define QPOL_ITERATOR_H + +#ifdef __cplusplus +extern "C" +{ +#endif + +#include <stddef.h> + + struct qpol_iterator; + typedef struct qpol_iterator qpol_iterator_t; + +/** + * Free memory used by the iterator. + * @param iter Pointer to the iterator to be freed; frees all + * memory used by the iterator and the iterator itself. On returning + * *iter will be NULL. + */ + extern void qpol_iterator_destroy(qpol_iterator_t ** iter); + +/** + * Get the item at the current position of the iterator. + * @param iter The iterator from which to get the item. + * @param item Pointer in which to store the current item; the caller is + * responsible for safely casting this pointer. Unless specifically + * noted by the function creating the iterator, the item set + * by this function should not be freed. If the iterator is at + * the end (i.e. all items have been traversed) *item will be NULL. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *item will be NULL. + */ + extern int qpol_iterator_get_item(const qpol_iterator_t * iter, void **item); + +/** + * Advance the iterator to the next item. + * @param iter The iterator to advance; internal state data will change. + * @return Returns 0 on success and < 0 on failure; advancing an + * iterator that is at the end fails (and returns < 0). If the call fails, + * errno will be set. + */ + extern int qpol_iterator_next(qpol_iterator_t * iter); + +/** + * Determine if an iterator is at the end. + * @param iter The iterator to check. + * @return Returns non-zero if the current position of the iterator + * is at the end of the list (i.e. past the last valid item) and + * zero in any other case. If there is an error determining if + * the iterator is at the end then non-zero will be returned. + */ + extern int qpol_iterator_end(const qpol_iterator_t * iter); + +/** + * Get the total number of items in the list traversed by the iterator. + * @param iter The iterator from which to get the number of items. + * @param size Pointer in which to store the number of items. + * Must be non-NULL. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *size will be 0. + */ + extern int qpol_iterator_get_size(const qpol_iterator_t * iter, size_t * size); + +#ifdef __cplusplus +} +#endif + +#endif /* QPOL_ITERATOR */ diff --git a/libqpol/include/qpol/mls_query.h b/libqpol/include/qpol/mls_query.h new file mode 100644 index 0000000..c5fadc5 --- /dev/null +++ b/libqpol/include/qpol/mls_query.h @@ -0,0 +1,260 @@ +/** + * @file + * Defines the public interface for searching and iterating over + * policy MLS components. + * + * @author Jeremy A. Mowery jmowery@tresys.com + * @author Jason Tang jtang@tresys.com + * + * Copyright (C) 2006-2007 Tresys Technology, LLC + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef QPOL_MLS_QUERY_H +#define QPOL_MLS_QUERY_H + +#ifdef __cplusplus +extern "C" +{ +#endif + +#include <stddef.h> +#include <stdint.h> + + typedef struct qpol_level qpol_level_t; + typedef struct qpol_cat qpol_cat_t; + typedef struct qpol_mls_range qpol_mls_range_t; + typedef struct qpol_mls_level qpol_mls_level_t; + +#include <qpol/iterator.h> +#include <qpol/policy.h> + +/* level */ +/** + * Get datum for a security level by (sensitivity) name. + * @param policy The policy from which to get the level datum. + * @param name The sensitivity name; searching is case sensitive. + * @param datum Pointer in which to store the level datum. Must be non-NULL. + * The caller should not free this pointer. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *datum will be NULL. + */ + extern int qpol_policy_get_level_by_name(const qpol_policy_t * policy, const char *name, const qpol_level_t ** datum); + +/** + * Get an iterator for the levels in a policy. + * @param policy The policy from which to create the iterator. + * @param iter Iterator of type qpol_level_t* returned; + * The caller is responsible for calling qpol_iterator_destroy + * to free memory used; it is important to note that the iterator + * is valid only as long as the policy is unchanged. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *iter will be NULL. + */ + extern int qpol_policy_get_level_iter(const qpol_policy_t * policy, qpol_iterator_t ** iter); + +/** + * Determine if a level is an alias for another level. + * @param policy The policy associated with the level datum. + * @param datum The level to check. + * @param isalias Pointer in which to store the alias state of + * the level. Must be non-NULL. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *isalias will be 0 (false). + */ + extern int qpol_level_get_isalias(const qpol_policy_t * policy, const qpol_level_t * datum, unsigned char *isalias); + +/** + * Get the integer value associated with the sensitivity of a level. + * Values range from 1 to the number of declared levels in the policy. + * @param policy The policy associated with the level. + * @param datum The level datum from which to get the value. + * @param value Pointer to the integer to set to value. Must be non-NULL. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *value will be 0. + */ + extern int qpol_level_get_value(const qpol_policy_t * policy, const qpol_level_t * datum, uint32_t * value); + +/** + * Get an iterator for the categories associated with a level. + * @param policy The policy associated with the level. + * @param datum The level from which to get the categories. + * @param cats Iterator of type qpol_cat_t* returned; + * the categories are in policy order. The caller is responsible + * for calling qpol_iterator_destroy to free memory used; + * it is important to note that the iterator is valid only as long + * as the policy is unchanged. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *cats will be NULL. + */ + extern int qpol_level_get_cat_iter(const qpol_policy_t * policy, const qpol_level_t * datum, qpol_iterator_t ** cats); + +/** + * Get the name which identifies a level from its datum. + * @param policy The policy associated with the level. + * @param datum The level from which to get the name. + * @param name Pointer in which to store the name. Must be non-NULL; + * the caller should not free this string. If the sensitivity is an + * alias, the primary name will be returned. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *name will be NULL. + */ + extern int qpol_level_get_name(const qpol_policy_t * policy, const qpol_level_t * datum, const char **name); + +/** + * Get an iterator for the list of aliases for a level. + * @param policy The policy associated with the level. + * @param datum The level for which to get aliases. + * @param aliases Iterator of type char* returned; the caller is + * responsible for calling qpol_iterator_destroy to free + * memory used; it is important to note that the iterator is valid + * only as long as the policy is unchanged. If a level has no aliases, + * the iterator will be at end and have size 0. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *aliases will be NULL. + */ + extern int qpol_level_get_alias_iter(const qpol_policy_t * policy, const qpol_level_t * datum, qpol_iterator_t ** aliases); + +/* cat */ +/** + * Get the datum for a category by name. + * @param policy The policy from which to get the category. + * @param name The name of the category; searching is case sensitive. + * @param datum Pointer in which to store the datum; the caller should + * not free this pointer. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *datum will be NULL. + */ + extern int qpol_policy_get_cat_by_name(const qpol_policy_t * policy, const char *name, const qpol_cat_t ** datum); + +/** + * Get an iterator for the categories declared in a policy. + * @param policy The policy from which to create the iterator. + * @param iter Iterator of type qpol_cat_t* returned; + * the categories are in policy order. The caller is responsible + * for calling qpol_iterator_destroy to free the memory used; + * it is important to note that the iterator is only valid as + * long as the policy is unchanged. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *iter will be NULL. + */ + extern int qpol_policy_get_cat_iter(const qpol_policy_t * policy, qpol_iterator_t ** iter); + +/** + * Get the integer value associated with a category. Values range + * from 1 to the number of categories declared in the policy. + * @param policy The policy associated with the category. + * @param datum The category for which to get the value. + * @param value Pointer to the integer to set to value. Must be non-NULL. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *value will be 0. + */ + extern int qpol_cat_get_value(const qpol_policy_t * policy, const qpol_cat_t * datum, uint32_t * value); + +/** + * Determine if a category is an alias for another category. + * @param policy The policy associated with the category. + * @param datum The category to check. + * @param isalias Pointer in which to store the alias state of the + * category; must be non-NULL. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *isalias will be 0 (false). + */ + extern int qpol_cat_get_isalias(const qpol_policy_t * policy, const qpol_cat_t * datum, unsigned char *isalias); + +/** + * Get the name which identifies a category from its datum. + * @param policy The policy associated with the category. + * @param datum The category from which to get the name. + * @param name Pointer in which to store the name. Must be non-NULL; + * the caller should not free the string. If the category is an alias + * the primary name will be returned. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *name will be NULL. + */ + extern int qpol_cat_get_name(const qpol_policy_t * policy, const qpol_cat_t * datum, const char **name); + +/** + * Get an iterator for the list of aliases for a category. + * @param policy The policy associated with the category. + * @param datum The category for which to get aliases. + * @param aliases Iterator of type char* returned; the caller is + * responsible for calling qpol_iterator_destroy to free + * memory used; it is important to note that the iterator is valid + * only as long as the policy is unchanged. If a category has no aliases, + * the iterator will be at end and have size 0. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *aliases will be NULL. + */ + extern int qpol_cat_get_alias_iter(const qpol_policy_t * policy, const qpol_cat_t * datum, qpol_iterator_t ** aliases); + +/* mls range */ +/** + * Get the low level from a MLS range. + * @param policy The policy associated with the MLS components of range. + * @param range The range from which to get the low level. + * @param level Pointer in which to store the level; the caller + * should not free this pointer. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *level will be NULL. + */ + extern int qpol_mls_range_get_low_level(const qpol_policy_t * policy, const qpol_mls_range_t * range, + const qpol_mls_level_t ** level); + +/** + * Get the high level from a MLS range. + * @param policy The policy associated with the MLS components of range. + * @param range The range from which to get the high level. + * @param level Pointer in which to store the level; the caller + * should not free this pointer. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *level will be NULL. + */ + extern int qpol_mls_range_get_high_level(const qpol_policy_t * policy, const qpol_mls_range_t * range, + const qpol_mls_level_t ** level); + +/* mls_level */ +/** + * Get the name of the sensitivity from a MLS level. + * @param policy The policy associated with the MLS components of level. + * @param level The level from which to get the sensitivity name. + * @param name Pointer in which to store the name; the caller + * should not free this string. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *name will be NULL. + */ + extern int qpol_mls_level_get_sens_name(const qpol_policy_t * policy, const qpol_mls_level_t * level, const char **name); + +/** + * Get an iterator for the categories in a MLS level. The list will be + * in policy order. + * @param policy The policy associated with the MLS components of level. + * @param level The level from which to get the categories. + * @param cats Iterator of type qpol_cat_t* returned; the list is in + * policy order. The caller is responsible for calling + * qpol_iterator_destroy to free memory used; it is important to note + * that an iterator is only valid as long as the policy is unchanged. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *cats will be NULL. + */ + extern int qpol_mls_level_get_cat_iter(const qpol_policy_t * policy, const qpol_mls_level_t * level, + qpol_iterator_t ** cats); + +#ifdef __cplusplus +} +#endif + +#endif /* QPOL_MLS_QUERY_H */ diff --git a/libqpol/include/qpol/mlsrule_query.h b/libqpol/include/qpol/mlsrule_query.h new file mode 100644 index 0000000..5c4b832 --- /dev/null +++ b/libqpol/include/qpol/mlsrule_query.h @@ -0,0 +1,104 @@ +/** + * @file + * Defines the public interface for searching and iterating over + * range transition rules. + * + * @author Kevin Carr kcarr@tresys.com + * @author Jeremy A. Mowery jmowery@tresys.com + * @author Jason Tang jtang@tresys.com + * + * Copyright (C) 2006-2007 Tresys Technology, LLC + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef QPOL_MLSRULE_QUERY_H +#define QPOL_MLSRULE_QUERY_H + +#ifdef __cplusplus +extern "C" +{ +#endif + +#include <qpol/policy.h> + + typedef struct qpol_range_trans qpol_range_trans_t; + +/** + * Get an iterator over all range transition rules in a policy. + * @param policy Policy from which to get the range transitions. + * @param iter Iterator over items of type qpol_range_trans_t returned. + * The caller is responsible for calling qpol_iterator_destroy() + * to free memory used by this iterator. + * It is important to note that this iterator is only valid as long as + * the policy is unmodifed. + * @returm 0 on success and < 0 on failure; if the call fails, + * errno will be set and *iter will be NULL. + */ + extern int qpol_policy_get_range_trans_iter(const qpol_policy_t * policy, qpol_iterator_t ** iter); + +/** + * Get the source type from a range transition rule. + * @param policy Policy from which the rule comes. + * @param rule The rule from which to get the source type. + * @param source Pointer in which to store the source type. + * The caller should not free this pointer. + * @returm 0 on success and < 0 on failure; if the call fails, + * errno will be set and *source will be NULL. + */ + extern int qpol_range_trans_get_source_type(const qpol_policy_t * policy, const qpol_range_trans_t * rule, + const qpol_type_t ** source); + +/** + * Get the target type from a range transition rule. + * @param policy Policy from which the rule comes. + * @param rule The rule from which to get the target type. + * @param target Pointer in which to store the target type. + * The caller should not free this pointer. + * @returm 0 on success and < 0 on failure; if the call fails, + * errno will be set and *target will be NULL. + */ + extern int qpol_range_trans_get_target_type(const qpol_policy_t * policy, const qpol_range_trans_t * rule, + const qpol_type_t ** target); + +/** + * Get the target class from a range transition rule. + * @param policy Policy from which the rule comes. + * @param rule The rule from which to get the target class. + * @param target Pointer in which to store the target class. + * The caller should not free this pointer. + * @returm 0 on success and < 0 on failure; if the call fails, + * errno will be set and *target will be NULL. + */ + extern int qpol_range_trans_get_target_class(const qpol_policy_t * policy, const qpol_range_trans_t * rule, + const qpol_class_t ** target); + +/** + * Get the range from a range transition rule. + * @param policy Policy from which the rule comes. + * @param rule The rule from which to get the range. + * @param range Pointer in which to store the range. + * The caller should not free this pointer. + * @returm 0 on success and < 0 on failure; if the call fails, + * errno will be set and *range will be NULL. + */ + extern int qpol_range_trans_get_range(const qpol_policy_t * policy, const qpol_range_trans_t * rule, + const qpol_mls_range_t ** range); + +#ifdef __cplusplus +} +#endif + +#endif /* QPOL_MLSRULE_QUERY_H */ diff --git a/libqpol/include/qpol/module.h b/libqpol/include/qpol/module.h new file mode 100644 index 0000000..d684c40 --- /dev/null +++ b/libqpol/include/qpol/module.h @@ -0,0 +1,125 @@ +/** + * @file + * Defines the public interface the policy modules. + * + * @author Jeremy A. Mowery jmowery@tresys.com + * @author Jason Tang jtang@tresys.com + * + * Copyright (C) 2006-2007 Tresys Technology, LLC + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef QPOL_MODULE_H +#define QPOL_MODULE_H + +#ifdef __cplusplus +extern "C" +{ +#endif + +#include <stdint.h> + + typedef struct qpol_module qpol_module_t; + +#define QPOL_MODULE_UNKNOWN 0 +#define QPOL_MODULE_BASE 1 +#define QPOL_MODULE_OTHER 2 + +/** + * Create a qpol module from a policy package file. Newly created + * modules are enabled by default. + * @param path The file from which to read the module. This string + * will be duplicated. + * @param module Pointer in which to store the newly allocated + * module. The caller is responsible for calling qpol_module_destroy() + * to free memory used by this module. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *module will be NULL. + */ + extern int qpol_module_create_from_file(const char *path, qpol_module_t ** module); + +/** + * Free all memory used by a qpol module and set it to NULL. Does + * nothing if the pointer is already NULL. + * @param module Reference pointer to the module to destroy. + */ + extern void qpol_module_destroy(qpol_module_t ** module); + +/** + * Get the path of the policy package file used to create this module. + * @param module The module from which to get the path. + * @param path Pointer to the string in which to store the path. <b>The + * caller should not free this string.</b> + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *path will be NULL. + */ + extern int qpol_module_get_path(const qpol_module_t * module, const char **path); + +/** + * Get the name of a module. + * @param module The module from which to get the name. + * @param name Pointer to the string in which to store the name. <b>The + * caller should not free this string.</b> If the module is a base + * module the name will be NULL. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *name will be NULL. + */ + extern int qpol_module_get_name(const qpol_module_t * module, const char **name); + +/** + * Get the version of a module. + * @param module The module from which to get the version. + * @param version Pointer to string in which to store the version. <b>The + * caller should not free this string.</b> + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *version will be NULL. + */ + extern int qpol_module_get_version(const qpol_module_t * module, const char **version); + +/** + * Get the type of module (base or other). + * @param module The module from which to get the type. + * @param type Pointer to integer in which to store the type. Value + * will be one of QPOL_MODULE_BASE or QPOL_MODULE_OTHER. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *type will be QPOL_MODULE_UNKNOWN. + */ + extern int qpol_module_get_type(const qpol_module_t * module, int *type); + +/** + * Determine if a module is enabled. + * @param module The module from which to get the enabled state. + * @param enabled Pointer to integer in which to store the state. + * Value will be 0 if module is disabled and non-zero if enabled. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *enabled will be 0. + */ + extern int qpol_module_get_enabled(const qpol_module_t * module, int *enabled); + +/** + * Enable or disable a module. Note that the caller must still + * invoke qpol_policy_rebuild() to update the policy. + * @param module The module to enable or disable. + * @param enabled Non-zero to enable the module, zero to disable. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and the module will remain unchanged. + */ + extern int qpol_module_set_enabled(qpol_module_t * module, int enabled); +#ifdef __cplusplus +} +#endif + +#endif diff --git a/libqpol/include/qpol/netifcon_query.h b/libqpol/include/qpol/netifcon_query.h new file mode 100644 index 0000000..b35c914 --- /dev/null +++ b/libqpol/include/qpol/netifcon_query.h @@ -0,0 +1,104 @@ +/** + * @file + * Defines the public interface for searching and iterating over netifcon statements. + * + * @author Kevin Carr kcarr@tresys.com + * @author Jeremy A. Mowery jmowery@tresys.com + * @author Jason Tang jtang@tresys.com + * + * Copyright (C) 2006-2007 Tresys Technology, LLC + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef QPOL_NETIFCON_QUERY_H +#define QPOL_NETIFCON_QUERY_H + +#ifdef __cplusplus +extern "C" +{ +#endif + +#include <stddef.h> +#include <stdint.h> +#include <qpol/iterator.h> +#include <qpol/policy.h> + + typedef struct qpol_netifcon qpol_netifcon_t; + +/** + * Get a netifcon statement by interface name. + * @param policy The policy from which to get the netifcon statement. + * @param name The name of the interface. + * @param ocon Pointer in which to store the statement returned. + * The caller should not free this pointer. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *ocon will be NULL. + */ + extern int qpol_policy_get_netifcon_by_name(const qpol_policy_t * policy, const char *name, const qpol_netifcon_t ** ocon); + +/** + * Get an iterator for the netifcon statements in a policy. + * @param policy The policy from which to create the iterator. + * @param iter Iterator over items of type qpol_netifcon_t returned. + * The caller is responsible for calling qpol_iterator_destroy + * to free memory used by this iterator. + * It is important to note that this iterator is only valid as long + * as the policy is unmodified. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *iter will be NULL. + */ + extern int qpol_policy_get_netifcon_iter(const qpol_policy_t * policy, qpol_iterator_t ** iter); + +/** + * Get the name of the interface from a netifcon statement. + * @param policy The policy associated wiht the netifcon statement. + * @param ocon The netifcon statement from which to get the name. + * @param name Pointer in which to store the interface name. The caller + * should not free this string. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *name will be NULL. + */ + extern int qpol_netifcon_get_name(const qpol_policy_t * policy, const qpol_netifcon_t * ocon, const char **name); + +/** + * Get the message context from a netifcon statement. + * @param policy The policy associated with the netifcon statement. + * @param ocon The netifcon statement from which to get the message context. + * @parma context Pointer in which to store the context. + * The caller should not free this pointer. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *context will be NULL. + */ + extern int qpol_netifcon_get_msg_con(const qpol_policy_t * policy, const qpol_netifcon_t * ocon, + const qpol_context_t ** context); + +/** + * Get the interface context from a netifcon statement. + * @param policy The policy associated with the netifcon statement. + * @param ocon The netifcon statement from which to get the interface context. + * @parma context Pointer in which to store the context. + * The caller should not free this pointer. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *context will be NULL. + */ + extern int qpol_netifcon_get_if_con(const qpol_policy_t * policy, const qpol_netifcon_t * ocon, + const qpol_context_t ** context); + +#ifdef __cplusplus +} +#endif + +#endif /* QPOL_NETIFCON_QUERY_H */ diff --git a/libqpol/include/qpol/nodecon_query.h b/libqpol/include/qpol/nodecon_query.h new file mode 100644 index 0000000..bd889f9 --- /dev/null +++ b/libqpol/include/qpol/nodecon_query.h @@ -0,0 +1,132 @@ +/** + * @file + * Defines the public interface for searching and iterating over nodecon statements. + * + * @author Kevin Carr kcarr@tresys.com + * @author Jeremy A. Mowery jmowery@tresys.com + * @author Jason Tang jtang@tresys.com + * + * Copyright (C) 2006-2007 Tresys Technology, LLC + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef QPOL_NODECON_QUERY_H +#define QPOL_NODECON_QUERY_H + +#ifdef __cplusplus +extern "C" +{ +#endif + +#include <stddef.h> +#include <stdint.h> +#include <qpol/iterator.h> +#include <qpol/policy.h> + +#define QPOL_IPV4 0 +#define QPOL_IPV6 1 + + typedef struct qpol_nodecon qpol_nodecon_t; + +/** + * Get a single nodecon statement by address, mask and protocol. + * @param policy The policy from which to get the nodecon statement. + * @param addr The IP address of the node, if IPv4 only addr[0] is used. + * @param mask The net mask of the node, if IPv4 only mask[0] is used. + * @param protocol The protocol used in the address and mask; + * set to QPOL_IPV4 for IPv4 and QPOL_IPV6 for IPv6. + * @param ocon Pointer in which to store the statement returned. + * The caller should call free() to free memory used by this pointer. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *ocon will be NULL. + */ + extern int qpol_policy_get_nodecon_by_node(const qpol_policy_t * policy, uint32_t addr[4], uint32_t mask[4], + unsigned char protocol, qpol_nodecon_t ** ocon); + +/** + * Get an iterator for the nodecon statements in a policy. + * @param policy The policy from which to create the iterator. + * @param iter Iterator over items of type qpol_nodecon_t returned. + * The caller is responsible for calling qpol_iterator_destroy + * to free memory used by this iterator. The caller must also call free() + * on items returned by qpol_iterator_get_item() when using this iterator. + * It is important to note that this iterator is only valid as long + * as the policy is unmodified. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *iter will be NULL. + */ + extern int qpol_policy_get_nodecon_iter(const qpol_policy_t * policy, qpol_iterator_t ** iter); + +/** + * Get the IP address from a nodecon statement. Sets protocol to indicate + * the number of integers used by the array. + * @param policy The policy associated with the nodecon statement. + * @param ocon The nodecon statement from which to get the IP address. + * @param addr Pointer to the byte array of the IP addressto be set ; + * the caller should not free this pointer. The number of integers + * in this array is 1 if IPv4 and 4 if IPv6. + * @param protocol Pointer to be set to the protocol value; this + * will be set to QPOL_IPV4 for IPv4 and QPOL_IPV6 for IPv6. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set, addr will be NULL, and protocol will be 0. + */ + extern int qpol_nodecon_get_addr(const qpol_policy_t * policy, const qpol_nodecon_t * ocon, uint32_t ** addr, + unsigned char *protocol); + +/** + * Get the net mask from a nodecon statement. Sets protocol to indicate + * the number of integers used by the array. + * @param policy The policy associated with the nodecon statement. + * @param ocon The nodecon statement from which to get the net mask. + * @param mask Pointer to the byte array of the net mask to be set; + * the caller should not free this pointer. The number of integers + * in this array is 1 if IPv4 and 4 if IPv6. + * @param protocol Pointer to be set to the protocol value; this + * will be set to QPOL_IPV4 for IPv4 and QPOL_IPV6 for IPv6. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set, mask will be NULL, and protocol will be 0. + */ + extern int qpol_nodecon_get_mask(const qpol_policy_t * policy, const qpol_nodecon_t * ocon, uint32_t ** mask, + unsigned char *protocol); + +/** + * Get the protocol from a nodecon statement. + * @param policy The policy associated with the nodecon statement. + * @param ocon The nodecon statement from which to get the protocol. + * @param protocol Pointer to be set to the protocol value; this + * will be set to QPOL_IPV4 for IPv4 and QPOL_IPV6 for IPv6. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and protocol will be 0. + */ + extern int qpol_nodecon_get_protocol(const qpol_policy_t * policy, const qpol_nodecon_t * ocon, unsigned char *protocol); + +/** + * Get the context from a nodecon statement. + * @param policy The policy associated with the nodecon statement. + * @param ocon The nodecon statement from which to get the context. + * @param context Pointer in which to store the context. + * The caller should not free this pointer. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *context will be NULL. + */ + extern int qpol_nodecon_get_context(const qpol_policy_t * policy, const qpol_nodecon_t * ocon, + const qpol_context_t ** context); + +#ifdef __cplusplus +} +#endif + +#endif /* QPOL_NODECON_QUERY_H */ diff --git a/libqpol/include/qpol/permissive_query.h b/libqpol/include/qpol/permissive_query.h new file mode 100644 index 0000000..e49d508 --- /dev/null +++ b/libqpol/include/qpol/permissive_query.h @@ -0,0 +1,68 @@ +/** + * @file + * Defines the public interface for searching and iterating over the permissive types. + * + * @author Steve Lawrence slawrence@tresys.com + * + * Copyright (C) 2006-2009 Tresys Technology, LLC + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef QPOL_PERMISSIVE_QUERY_H +#define QPOL_PERMISSIVE_QUERY_H + +#ifdef __cplusplus +extern "C" +{ +#endif + +#include <stddef.h> +#include <stdint.h> +#include <qpol/iterator.h> +#include <qpol/policy.h> + + typedef struct qpol_permissive qpol_permissive_t; + +/** + * Get an iterator for the permissive types in a policy. + * @param policy The policy from which to create the iterator. + * @param iter Iterator over items of type qpol_isid_t returned. + * The caller is responsible for calling qpol_iterator_destroy + * to free memory used by this iterator. + * It is important to note that this iterator is only valid as long + * as the policy is unmodified. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *iter will be NULL. + */ + extern int qpol_policy_get_permissive_iter(const qpol_policy_t *policy, qpol_iterator_t **iter); + + +/** + * Get the name which identifies a permissive type from its datum. + * @param policy The policy with which the permissive type is associated. + * @param datum Permissive datum for which to get the name. Must be non-NULL. + * @param name Pointer to the string in which to store the name. + * Must be non-NULL. The caller should not free the string. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *name will be NULL. + */ + extern int qpol_permissive_get_name(const qpol_policy_t *policy, const qpol_permissive_t *datum, const char **name); + +#ifdef __cplusplus +} +#endif + +#endif /* QPOL_PERMISSIVE_QUERY_H */ diff --git a/libqpol/include/qpol/polcap_query.h b/libqpol/include/qpol/polcap_query.h new file mode 100644 index 0000000..d8de4a0 --- /dev/null +++ b/libqpol/include/qpol/polcap_query.h @@ -0,0 +1,68 @@ +/** + * @file + * Defines the public interface for searching and iterating over the policy capabilities + * + * @author Steve Lawrence slawrence@tresys.com + * + * Copyright (C) 2006-2009 Tresys Technology, LLC + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef QPOL_POLCAP_QUERY_H +#define QPOL_POLCAP_QUERY_H + +#ifdef __cplusplus +extern "C" +{ +#endif + +#include <stddef.h> +#include <stdint.h> +#include <qpol/iterator.h> +#include <qpol/policy.h> + + typedef struct qpol_polcap qpol_polcap_t; + +/** + * Get an iterator for the policay capabilities in a policy. + * @param policy The policy from which to create the iterator. + * @param iter Iterator over items of type qpol_isid_t returned. + * The caller is responsible for calling qpol_iterator_destroy + * to free memory used by this iterator. + * It is important to note that this iterator is only valid as long + * as the policy is unmodified. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *iter will be NULL. + */ + extern int qpol_policy_get_polcap_iter(const qpol_policy_t *policy, qpol_iterator_t **iter); + + +/** + * Get the name which identifies a policy capability from its datum. + * @param policy The policy with which the policy capability is associated. + * @param datum Polcap datum for which to get the name. Must be non-NULL. + * @param name Pointer to the string in which to store the name. + * Must be non-NULL. The caller should not free the string. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *name will be NULL. + */ + extern int qpol_polcap_get_name(const qpol_policy_t *policy, const qpol_polcap_t *datum, const char **name); + +#ifdef __cplusplus +} +#endif + +#endif /* QPOL_POLCAP_QUERY_H */ diff --git a/libqpol/include/qpol/policy.h b/libqpol/include/qpol/policy.h new file mode 100644 index 0000000..ae4ea08 --- /dev/null +++ b/libqpol/include/qpol/policy.h @@ -0,0 +1,261 @@ +/** + * @file + * Defines the public interface the QPol policy. + * + * @author Jeremy A. Mowery jmowery@tresys.com + * @author Jason Tang jtang@tresys.com + * @author Brandon Whalen bwhalen@tresys.com + * + * Copyright (C) 2006-2008 Tresys Technology, LLC + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef QPOL_POLICY_H +#define QPOL_POLICY_H + +#ifdef __cplusplus +extern "C" +{ +#endif + +#include <stdarg.h> +#include <stdint.h> + + typedef struct qpol_policy qpol_policy_t; + +#include <qpol/avrule_query.h> +#include <qpol/bool_query.h> +#include <qpol/class_perm_query.h> +#include <qpol/cond_query.h> +#include <qpol/constraint_query.h> +#include <qpol/context_query.h> +#include <qpol/fs_use_query.h> +#include <qpol/isid_query.h> +#include <qpol/iterator.h> +#include <qpol/genfscon_query.h> +#include <qpol/mls_query.h> +#include <qpol/mlsrule_query.h> +#include <qpol/module.h> +#include <qpol/netifcon_query.h> +#include <qpol/nodecon_query.h> +#include <qpol/permissive_query.h> +#include <qpol/polcap_query.h> +#include <qpol/portcon_query.h> +#include <qpol/rbacrule_query.h> +#include <qpol/role_query.h> +#include <qpol/syn_rule_query.h> +#include <qpol/terule_query.h> +#include <qpol/type_query.h> +#include <qpol/user_query.h> + + typedef void (*qpol_callback_fn_t) (void *varg, const struct qpol_policy * policy, int level, const char *fmt, + va_list va_args); + +#define QPOL_POLICY_UNKNOWN -1 +#define QPOL_POLICY_KERNEL_SOURCE 0 +#define QPOL_POLICY_KERNEL_BINARY 1 +#define QPOL_POLICY_MODULE_BINARY 2 + +/** + * When loading the policy, do not load neverallow rules. + */ +#define QPOL_POLICY_OPTION_NO_NEVERALLOWS 0x00000001 + +/** + * When loading the policy, do not load any rules; + * this option implies QPOL_POLICY_OPTION_NO_NEVERALLOWS. + */ +#define QPOL_POLICY_OPTION_NO_RULES 0x00000002 + +/** + * When loading the policy, attempt to interpret it as the way the + * running system would. If the policy is of a version higher than + * one supported by the system, then the policy will be downgraded to + * the system's maximum value. + */ +#define QPOL_POLICY_OPTION_MATCH_SYSTEM 0x00000004 + +/** + * List of capabilities a policy may have. This list represents + * features of policy that may differ from version to version or + * based upon the format of the policy file. Note that "polcaps" in + * this case refers to "policy capabilities" that were introduced + * with version 22 policies. + */ + typedef enum qpol_capability + { + /** The policy format stores the names of attributes. */ + QPOL_CAP_ATTRIB_NAMES, + /** The policy format stores the syntactic rule type sets. */ + QPOL_CAP_SYN_RULES, + /** The policy format stores rule line numbers (implies QPOL_CAP_SYN_RULES). */ + QPOL_CAP_LINE_NUMBERS, + /** The policy version supports booleans and conditional statements. */ + QPOL_CAP_CONDITIONALS, + /** The policy version supports MLS components and statements. */ + QPOL_CAP_MLS, + /** The policy version has policy capabilities (polcaps). */ + QPOL_CAP_POLCAPS, + /** The policy format supports linking loadable modules. */ + QPOL_CAP_MODULES, + /** The policy was loaded with av/te rules. */ + QPOL_CAP_RULES_LOADED, + /** The policy source may be displayed. */ + QPOL_CAP_SOURCE, + /** The policy supports and was loaded with neverallow rules. */ + QPOL_CAP_NEVERALLOW + } qpol_capability_e; + +/** + * Open a policy from a passed in file path. + * @param filename The name of the file to open. + * @param policy The policy to populate. The caller should not free + * this pointer. + * @param fn (Optional) If non-NULL, the callback to be used by the handle. + * @param varg (Optional) The argument needed by the handle callback. + * @param options Options to control loading only portions of a policy; + * must be a bitwise-or'd set of QPOL_POLICY_OPTION_* from above. + * @return Returns one of QPOL_POLICY_KERNEL_SOURCE, + * QPOL_POLICY_KERNEL_BINARY, or QPOL_POLICY_MODULE_BINARY on success + * and < 0 on failure; if the call fails, errno will be set and + * *policy will be NULL. + */ + extern int qpol_policy_open_from_file(const char *filename, qpol_policy_t ** policy, qpol_callback_fn_t fn, void *varg, + const int options); + +/** + * Open a policy from a passed in file path but do not load any rules. + * @param filename The name of the file to open. + * @param policy The policy to populate. The caller should not free + * this pointer. + * @param fn (Optional) If non-NULL, the callback to be used by the handle. + * @param varg (Optional) The argument needed by the handle callback. + * @return Returns one of QPOL_POLICY_* above on success and < 0 on failure; + * if the call fails, errno will be set and *policy will be NULL. + * @deprecated use qpol_policy_open_from_file() with the option QPOL_POLICY_OPTION_NO_RULES instead. + */ + extern int qpol_policy_open_from_file_no_rules(const char *filename, qpol_policy_t ** policy, qpol_callback_fn_t fn, + void *varg) __attribute__ ((deprecated)); + +/** + * Open a policy from a passed in buffer. + * @param policy The policy to populate. The caller should not free + * this pointer. + * @param filedata The policy file stored in memory . + * @param size The size of filedata + * @param fn (Optional) If non-NULL, the callback to be used by the handle. + * @param varg (Optional) The argument needed by the handle callback. + * @param options Options to control loading only portions of a policy; + * must be a bitwise-or'd set of QPOL_POLICY_OPTION_* from above. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *policy will be NULL. + */ + extern int qpol_policy_open_from_memory(qpol_policy_t ** policy, const char *filedata, size_t size, qpol_callback_fn_t fn, + void *varg, const int options); + +/** + * Close a policy and deallocate its memory. Does nothing if it is + * already NULL. + * @param policy Reference to the policy to close. The pointer will + * be set to NULL afterwards. + */ + extern void qpol_policy_destroy(qpol_policy_t ** policy); + +/** + * Re-evaluate all conditionals in the policy updating the state + * and setting the appropriate rule list as emabled for each. + * This call modifies the policy. + * @param policy The policy for which to re-evaluate the conditionals. + * This policy will be modified by this function. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set. On failure, the policy state may be inconsistent. + */ + extern int qpol_policy_reevaluate_conds(qpol_policy_t * policy); + +/** + * Append a module to a policy. The policy now owns the module. + * Note that the caller must still invoke qpol_policy_rebuild() + * to update the policy. + * @param policy The policy to which to add the module. + * @param module The module to append. <b>The caller should not + * destroy this module if this function succeeds.</b> + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and both the policy and the module will + * remain unchanged. If the call fails, the caller is still + * responsible for calling qpol_module_destroy(). + */ + extern int qpol_policy_append_module(qpol_policy_t * policy, qpol_module_t * module); + +/** + * Rebuild the policy. If the options provided are the same as those + * provied to the last call to rebuild or open and the modules were not + * changed, this function does nothing; otherwise, re-link all enabled + * modules with the base and then call expand. If the syntactic rule + * table was previously built, the caller should call + * qpol_policy_build_syn_rule_table() after calling this function. + * @param policy The policy to rebuild. + * This policy will be altered by this function. + * @param options Options to control loading only portions of a policy; + * must be a bitwise-or'd set of QPOL_POLICY_OPTION_* from above. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and the policy will be reverted to its previous state. + */ + extern int qpol_policy_rebuild(qpol_policy_t * policy, const int options); + +/** + * Get an iterator of all modules in a policy. + * @param policy The policy from which to get the iterator. + * @param iter Iteraror of modules (of type qpol_module_t) returned. + * The caller should not destroy the modules returned by + * qpol_iterator_get_item(). + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *iter will be NULL. + */ + extern int qpol_policy_get_module_iter(const qpol_policy_t * policy, qpol_iterator_t ** iter); + +/** + * Get the version number of the policy. + * @param policy The policy for which to get the version. + * @param version Pointer to the integer to set to the version number. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *version will be 0. + */ + extern int qpol_policy_get_policy_version(const qpol_policy_t * policy, unsigned int *version); + +/** + * Get the type of policy (source, binary, or module). + * @param policy The policy from which to get the type. + * @param type Pointer to the integer in which to store the type. + * Value will be one of QPOL_POLICY_* from above. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *type will be QPOL_POLICY_UNKNOWN. + */ + extern int qpol_policy_get_type(const qpol_policy_t * policy, int *type); + +/** + * Determine if a policy has support for a specific capability. + * @param policy The policy to check. + * @param cap The capability for which to check. Must be one of QPOL_CAP_* + * defined above. + * @return Non-zero if the policy has the specified capability, and zero otherwise. + */ + extern int qpol_policy_has_capability(const qpol_policy_t * policy, qpol_capability_e cap); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/libqpol/include/qpol/policy_extend.h b/libqpol/include/qpol/policy_extend.h new file mode 100644 index 0000000..1a06a93 --- /dev/null +++ b/libqpol/include/qpol/policy_extend.h @@ -0,0 +1,86 @@ +/** + * @file + * Public interface for loading and using an extended + * policy image. + * + * @author Kevin Carr kcarr@tresys.com + * @author Jeremy A. Mowery jmowery@tresys.com + * @author Jason Tang jtang@tresys.com + * + * Copyright (C) 2006-2007 Tresys Technology, LLC + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef QPOL_POLICY_EXTEND_H +#define QPOL_POLICY_EXTEND_H + +#ifdef __cplusplus +extern "C" +{ +#endif + +#include <qpol/policy.h> +#include <qpol/iterator.h> + +/** + * Build the table of syntactic rules for a policy. + * Subsequent calls to this function have no effect. + * @param policy The policy for which to build the table. + * This policy will be modified by this call. + * @return 0 on success and < 0 on error; if the call fails, + * errno will be set. + */ + extern int qpol_policy_build_syn_rule_table(qpol_policy_t * policy); + +/* forward declarations: see avrule_query.h and terule_query.h */ + struct qpol_avrule; + struct qpol_terule; + +/** + * Get an iterator over the syntactic rules contributing to an av rule. + * @param policy Policy associated with the rule. + * @param rule Rule from which to get the syntactic rules. + * @param iter Iterator over items of type qpol_syn_avrule_t returned. + * The caller is responsible for calling qpol_iterator_destroy() + * to free memory used by this iterator. + * It is important to note that this iterator is only valid as long as + * the policy is unmodified. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *iter will be NULL. + */ + extern int qpol_avrule_get_syn_avrule_iter(const qpol_policy_t * policy, const struct qpol_avrule *rule, + qpol_iterator_t ** iter); + +/** + * Get an iterator over the syntactic rules contributing to a type rule. + * @param policy Policy associated with the rule. + * @param rule Rule from which to get the syntactic rules. + * @param iter Iterator over items of type qpol_syn_terule_t returned. + * The caller is responsible for calling qpol_iterator_destroy() + * to free memory used by this iterator. + * It is important to note that this iterator is only valid as long as + * the policy is unmodified. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *iter will be NULL. + */ + extern int qpol_terule_get_syn_terule_iter(const qpol_policy_t * policy, const struct qpol_terule *rule, + qpol_iterator_t ** iter); + +#ifdef __cplusplus +} +#endif + +#endif /* QPOL_POLICY_EXTEND_H */ diff --git a/libqpol/include/qpol/portcon_query.h b/libqpol/include/qpol/portcon_query.h new file mode 100644 index 0000000..63210fe --- /dev/null +++ b/libqpol/include/qpol/portcon_query.h @@ -0,0 +1,118 @@ +/** + * @file + * Defines the public interface for searching and iterating over portcon statements. + * + * @author Kevin Carr kcarr@tresys.com + * @author Jeremy A. Mowery jmowery@tresys.com + * @author Jason Tang jtang@tresys.com + * + * Copyright (C) 2006-2007 Tresys Technology, LLC + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef QPOL_PORTCON_QUERY_H +#define QPOL_PORTCON_QUERY_H + +#ifdef __cplusplus +extern "C" +{ +#endif + +#include <stddef.h> +#include <stdint.h> +#include <netinet/in.h> +#include <qpol/iterator.h> +#include <qpol/policy.h> + + typedef struct qpol_portcon qpol_portcon_t; + +/** + * Get a single portcon statement by port range and protocol. + * @param policy The policy from which to get the portcon statement. + * @param low The low port of the range of ports (or single port). + * @param high The high port of the range of ports; if searching for a + * single port, set high equal to low. + * @param protocol The protocol used in the portcon statement. + * Value should be one of IPPROTO_TCP or IPPROTO_UDP from netinet/in.h + * @param ocon Pointer in which to store the statement returned. + * The caller should not free this pointer. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *ocon will be NULL. + */ + extern int qpol_policy_get_portcon_by_port(const qpol_policy_t * policy, uint16_t low, uint16_t high, uint8_t protocol, + const qpol_portcon_t ** ocon); + +/** + * Get an iterator for the portcon statements in a policy. + * @param policy The policy from which to create the iterator. + * @param iter Iterator over items of type qpol_portcon_t returned. + * The caller is responsible for calling qpol_iterator_destroy + * to free memory used by this iterator. + * It is important to note that this iterator is only valid as long + * as the policy is unmodified. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *iter will be NULL. + */ + extern int qpol_policy_get_portcon_iter(const qpol_policy_t * policy, qpol_iterator_t ** iter); + +/** + * Get the protocol from a portcon statement. + * @param policy The policy associated with the portcon statement. + * @param ocon The portcon statement from which to get the protocol. + * @param protocol Pointer to set to the value of protocol. + * Value will be one of IPPROTO_TCP or IPPROTO_UDP from netinet/in.h + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *protocol will be 0; + */ + extern int qpol_portcon_get_protocol(const qpol_policy_t * policy, const qpol_portcon_t * ocon, uint8_t * protocol); + +/** + * Get the low port from a portcon statement. + * @param policy the policy associated with the portcon statement. + * @param ocon The portcon statement from which to get the low port. + * @param port Pointer to set to the port number. + * @return 0 on success < 0 on failure; if the call fails, + * errno will be set and *port will be 0. + */ + extern int qpol_portcon_get_low_port(const qpol_policy_t * policy, const qpol_portcon_t * ocon, uint16_t * port); + +/** + * Get the high port from a portcon statement. + * @param policy the policy associated with the portcon statement. + * @param ocon The portcon statement from which to get the high port. + * @param port Pointer to set to the port number. + * @return 0 on success < 0 on failure; if the call fails, + * errno will be set and *port will be 0. + */ + extern int qpol_portcon_get_high_port(const qpol_policy_t * policy, const qpol_portcon_t * ocon, uint16_t * port); + +/** + * Get the context from a portcon statement. + * @param policy the policy associated with the portcon statement. + * @param ocon The portcon statement from which to get the context. + * @param context Pointer in which to store the context. + * The caller should not free this pointer. + * @return 0 on success < 0 on failure; if the call fails, + * errno will be set and *context will be NULL. + */ + extern int qpol_portcon_get_context(const qpol_policy_t * policy, const qpol_portcon_t * ocon, + const qpol_context_t ** context); + +#ifdef __cplusplus +} +#endif + +#endif /* QPOL_PORTCON_QUERY_H */ diff --git a/libqpol/include/qpol/rbacrule_query.h b/libqpol/include/qpol/rbacrule_query.h new file mode 100644 index 0000000..342e597 --- /dev/null +++ b/libqpol/include/qpol/rbacrule_query.h @@ -0,0 +1,130 @@ +/** + * @file + * Defines public interface for iterating over RBAC rules. + * + * @author Kevin Carr kcarr@tresys.com + * @author Jeremy A. Mowery jmowery@tresys.com + * @author Jason Tang jtang@tresys.com + * + * Copyright (C) 2006-2007 Tresys Technology, LLC + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef QPOL_RBACRULE_QUERY +#define QPOL_RBACRULE_QUERY + +#ifdef __cplusplus +extern "C" +{ +#endif + +#include <qpol/policy.h> +#include <qpol/iterator.h> + + typedef struct qpol_role_allow qpol_role_allow_t; + typedef struct qpol_role_trans qpol_role_trans_t; + +/** + * Get an iterator over all role allow rules in the policy. + * @param policy Policy from which to create the iterator. + * @param iter Iterator over items of type qpol_role_allow_t returned. + * The caller is responsible for calling qpol_iterator_destroy() + * to free memory used by this iterator. + * It is important to note that this iterator is only valid as long as + * the policy is unmodifed. + * @returm 0 on success and < 0 on failure; if the call fails, + * errno will be set and *iter will be NULL. + */ + extern int qpol_policy_get_role_allow_iter(const qpol_policy_t * policy, qpol_iterator_t ** iter); + +/** + * Get the source role from a role allow rule. + * @param policy The policy from which the rule comes. + * @param rule The rule from which to get the source role. + * @param source Pointer in which to store the source role. + * The caller should not free this pointer. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *source will be NULL. + */ + extern int qpol_role_allow_get_source_role(const qpol_policy_t * policy, const qpol_role_allow_t * rule, + const qpol_role_t ** source); + +/** + * Get the target role from a role allow rule. + * @param policy The policy from which the rule comes. + * @param rule The rule from which to get the target role. + * @param target Pointer in which to store the target role. + * The caller should not free this pointer. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *target will be NULL. + */ + extern int qpol_role_allow_get_target_role(const qpol_policy_t * policy, const qpol_role_allow_t * rule, + const qpol_role_t ** target); + +/** + * Get an iterator over all role transition rules in the policy. + * @param policy Policy from which to create the iterator. + * @param iter Iterator over items of type qpol_role_trans_t returned. + * The caller is responsible for calling qpol_iterator_destroy() + * to free memory used by this iterator. + * It is important to note that this iterator is only valid as long as + * the policy is unmodifed. + * @returm 0 on success and < 0 on failure; if the call fails, + * errno will be set and *iter will be NULL. + */ + extern int qpol_policy_get_role_trans_iter(const qpol_policy_t * policy, qpol_iterator_t ** iter); + +/** + * Get the source role from a role transition rule. + * @param policy The policy from which the rule comes. + * @param rule The rule from which to get the source role. + * @param source Pointer in which to store the source role. + * The caller should not free this pointer. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *source will be NULL. + */ + extern int qpol_role_trans_get_source_role(const qpol_policy_t * policy, const qpol_role_trans_t * rule, + const qpol_role_t ** source); + +/** + * Get the target type from a role transition rule. + * @param policy The policy from which the rule comes. + * @param rule The rule from which to get the target type. + * @param target Pointer in which to store the target type. + * The caller should not free this pointer. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *target will be NULL. + */ + extern int qpol_role_trans_get_target_type(const qpol_policy_t * policy, const qpol_role_trans_t * rule, + const qpol_type_t ** target); + +/** + * Get the default role from a role transition rule. + * @param policy The policy from which the rule comes. + * @param rule The rule from which to get the default role. + * @param dflt Pointer in which to store the default role. + * The caller should not free this pointer. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *dflt will be NULL. + */ + extern int qpol_role_trans_get_default_role(const qpol_policy_t * policy, const qpol_role_trans_t * rule, + const qpol_role_t ** dflt); + +#ifdef __cplusplus +} +#endif + +#endif /* QPOL_RBACRULE_QUERY */ diff --git a/libqpol/include/qpol/role_query.h b/libqpol/include/qpol/role_query.h new file mode 100644 index 0000000..c5739ab --- /dev/null +++ b/libqpol/include/qpol/role_query.h @@ -0,0 +1,119 @@ + /** + * @file + * Defines the public interface for searching and iterating over roles. + * + * @author Kevin Carr kcarr@tresys.com + * @author Jeremy A. Mowery jmowery@tresys.com + * @author Jason Tang jtang@tresys.com + * + * Copyright (C) 2006-2007 Tresys Technology, LLC + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef QPOL_ROLE_QUERY_H +#define QPOL_ROLE_QUERY_H + +#ifdef __cplusplus +extern "C" +{ +#endif + +#include <stddef.h> +#include <stdint.h> +#include <qpol/iterator.h> +#include <qpol/policy.h> + + typedef struct qpol_role qpol_role_t; + +/** + * Get the datum for a role by name. + * @param policy The policy from which to get the role. + * @param name The name of the role; searching is case sensitive. + * @param datum Pointer in which to store the role datum; the caller + * should not free this pointer. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *datum will be NULL. + */ + extern int qpol_policy_get_role_by_name(const qpol_policy_t * policy, const char *name, const qpol_role_t ** datum); + +/** + * Get an iterator for roles declared in the policy. + * @param policy The policy with which to create the iterator. + * @param iter Iterator of type qpol_role_t* returned; + * the caller is responsible for calling qpol_iterator_destroy to + * free memory used; it is important to note that the iterator + * is valid only as long as the policy is unchanged. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *iter will be NULL. + */ + extern int qpol_policy_get_role_iter(const qpol_policy_t * policy, qpol_iterator_t ** iter); + +/** + * Get the integer value associated with a role; values range from + * 1 to the number of declared roles. + * @param policy The policy associated with the role. + * @param datum The role from which to get the value. + * @param value Pointer to the integer to set to value. Must be non-NULL. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and value will be 0. + */ + extern int qpol_role_get_value(const qpol_policy_t * policy, const qpol_role_t * datum, uint32_t * value); + +/** + * Get an iterator for the set of roles dominated by a role. + * @param policy The policy associated with the role. + * @param datum The role from which to get the dominated roles. + * @param dominates Iterator of type qpol_role_t* returned; + * the caller is responsible for calling qpol_iterator_destroy to + * free memory used; it is important to note that the iterator is + * valid only as long as the policy is unchanged. Note: By + * convention a role always dominates itself, so the user of this + * iterator should always check for this case. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *dominates will be NULL. + */ + extern int qpol_role_get_dominate_iter(const qpol_policy_t * policy, const qpol_role_t * datum, + qpol_iterator_t ** dominates); + +/** + * Get an iterator for the set of types assigned to a role. + * @param policy The policy associated with the role. + * @param datum The role from which to get the types. + * @param types Iterator of type qpol_type_t* returned; + * the caller is responsible for calling qpol_iterator_destroy to + * free memory used; it is important to note that the iterator + * is valid only as long as the policy is unchanged. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and types will be NULL. + */ + extern int qpol_role_get_type_iter(const qpol_policy_t * policy, const qpol_role_t * datum, qpol_iterator_t ** types); + +/** + * Get the name by which a role is identified from its datum. + * @param policy The policy associated with the role. + * @param datum The role for which to get the name. + * @param name Pointer in which to store the name; the caller + * should not free this string. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *name will be NULL. + */ + extern int qpol_role_get_name(const qpol_policy_t * policy, const qpol_role_t * datum, const char **name); + +#ifdef __cplusplus +} +#endif + +#endif /* QPOL_ROLE_QUERY_H */ diff --git a/libqpol/include/qpol/syn_rule_query.h b/libqpol/include/qpol/syn_rule_query.h new file mode 100644 index 0000000..446efbb --- /dev/null +++ b/libqpol/include/qpol/syn_rule_query.h @@ -0,0 +1,314 @@ +/** + * @file + * Public interface for querying syntactic rules from the extended + * policy image. + * + * @author Jeremy A. Mowery jmowery@tresys.com + * @author Jason Tang jtang@tresys.com + * + * Copyright (C) 2006-2007 Tresys Technology, LLC + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef QPOL_SYN_RULE_QUERY_H +#define QPOL_SYN_RULE_QUERY_H + +#ifdef __cplusplus +extern "C" +{ +#endif + +#include <qpol/policy.h> +#include <qpol/cond_query.h> +#include <qpol/iterator.h> +#include <stdint.h> + + typedef struct qpol_type_set qpol_type_set_t; + typedef struct qpol_syn_avrule qpol_syn_avrule_t; + typedef struct qpol_syn_terule qpol_syn_terule_t; + +/** + * Get an iterator of the included types in a type set. + * @param policy Policy associated with the type set. + * @param ts Type set from which to get the included types. + * @param iter Iterator over items of type qpol_type_t returned. + * The caller is responsible for calling qpol_iterator_destroy() + * to free memory used by this iterator. + * It is important to note that this iterator is only valid as long as + * the policy is unmodifed. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *iter will be NULL. + */ + extern int qpol_type_set_get_included_types_iter(const qpol_policy_t * policy, const qpol_type_set_t * ts, + qpol_iterator_t ** iter); + +/** + * Get an iterator of the subtracted types in a type set. + * @param policy Policy associated with the type set. + * @param ts Type set from which to get the subtracted types. + * @param iter Iterator over items of type qpol_type_t returned. + * The caller is responsible for calling qpol_iterator_destroy() + * to free memory used by this iterator. + * It is important to note that this iterator is only valid as long as + * the policy is unmodifed. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *iter will be NULL. + */ + extern int qpol_type_set_get_subtracted_types_iter(const qpol_policy_t * policy, const qpol_type_set_t * ts, + qpol_iterator_t ** iter); + +/** + * Determine if a type set includes '*'. + * @param policy Policy associated with the type set. + * @param ts Type set to check for '*'. + * @param is_star Pointer to integer to set. + * Will be set to 1 if ts contains '*' or 0 otherwise. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *is_star will be 0. + */ + extern int qpol_type_set_get_is_star(const qpol_policy_t * policy, const qpol_type_set_t * ts, uint32_t * is_star); + +/** + * Determine if a type set is complemented (contains '~'). + * @param policy Policy associated with the type set. + * @param ts Type set to check for complement. + * @param is_comp Pointer to integer to set. + * Will be set to 1 if ts is complemented or 0 otherwise. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *is_comp will be 0. + */ + extern int qpol_type_set_get_is_comp(const qpol_policy_t * policy, const qpol_type_set_t * ts, uint32_t * is_comp); + +/** + * Get the rule type of a syntactic avrule. + * @param policy Policy associated with the rule. + * @param rule Avrule from which to get the type. + * @param rule_type Pointer to integer to set. + * Will be one of QPOL_RULE_* (see qpol/avrule_query.h). + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *rule_type will be 0. + */ + extern int qpol_syn_avrule_get_rule_type(const qpol_policy_t * policy, const qpol_syn_avrule_t * rule, + uint32_t * rule_type); + +/** + * Get the set of types specified for a syntatic rule's source field. + * @param policy Policy associated with the rule. + * @param rule Avrule from which to get the source type set. + * @param source_set Type set returned; the caller <b>should not</b> + * free this pointer. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *source_set will be NULL. + */ + extern int qpol_syn_avrule_get_source_type_set(const qpol_policy_t * policy, const qpol_syn_avrule_t * rule, + const qpol_type_set_t ** source_set); + +/** + * Get the set of types specified for a syntactic rule's target field. + * @param policy Policy associated with the rule. + * @param rule Avrule from which to get the target type set. + * @param target_set Type set returned; the caller <b>should not</b> + * free this pointer. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *target_set will be NULL. + */ + extern int qpol_syn_avrule_get_target_type_set(const qpol_policy_t * policy, const qpol_syn_avrule_t * rule, + const qpol_type_set_t ** target_set); + +/** + * Determine if a syntactic rule includes the self flag in the target set. + * @param policy Policy associated with the rule. + * @param rule Avrule to check for the self flag. + * @param is_self Pointer to the integer to set; if the rule includes self, + * this will be set to 1, otherwise it will be set to 0. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *is_self will be 0. + */ + extern int qpol_syn_avrule_get_is_target_self(const qpol_policy_t * policy, const qpol_syn_avrule_t * rule, + uint32_t * is_self); + +/** + * Get an iterator over all classes specified in a syntactic rule. + * @param policy Policy associated with the rule. + * @param rule The rule from which to get the classes. + * @param classes Iterator over items of type qpol_class_t* returned. + * The caller is responsible for calling qpol_iterator_destroy() + * to free memory used by this iterator. + * It is important to note that this iterator is only valid as long as + * the policy is unmodifed. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *classes will be NULL. + */ + extern int qpol_syn_avrule_get_class_iter(const qpol_policy_t * policy, const qpol_syn_avrule_t * rule, + qpol_iterator_t ** classes); + +/** + * Get an iterator over all permissions specified in a syntactic rule. + * @param policy Policy associated with the + * @param rule The rule from which to get the permissions. + * @param perms Iterator over items of type char* returned. + * The caller is responsible for calling qpol_iterator_destroy() + * to free memory used by this iterator. + * It is important to note that this iterator is only valid as long as + * the policy is unmodifed. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *perms will be NULL. + */ + extern int qpol_syn_avrule_get_perm_iter(const qpol_policy_t * policy, const qpol_syn_avrule_t * rule, + qpol_iterator_t ** perms); + +/** + * Get the line number of a syntactic rule. + * @param policy Policy associated with the rule + * @param rule The rule for which to get the line number. + * @param lineno Pointer to set to the line number. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *lineno will be 0. + */ + extern int qpol_syn_avrule_get_lineno(const qpol_policy_t * policy, const qpol_syn_avrule_t * rule, unsigned long *lineno); + +/** + * If the syntactic rule is within a conditional, then get that + * conditional and assign it to cond. Otherwise assign to cond NULL. + * @param policy Policy associated with the rule. + * @param rule The rule for which to get the conditional. + * @param cond Reference pointer to this rule's conditional + * expression, or NULL if the rule is unconditional. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *lineno will be 0. + */ + extern int qpol_syn_avrule_get_cond(const qpol_policy_t * policy, const qpol_syn_avrule_t * rule, + const qpol_cond_t ** cond); + +/** + * Determine if the syntactic rule is enabled. Unconditional rules + * are always enabled. + * @param policy Policy associated with the rule. + * @param rule The rule for which to get the conditional. + * @param is_enabled Integer in which to store the result: set to 1 + * if enabled and 0 otherwise. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *lineno will be 0. + */ + extern int qpol_syn_avrule_get_is_enabled(const qpol_policy_t * policy, const qpol_syn_avrule_t * rule, + uint32_t * is_enabled); + +/** + * Get the rule type of a syntactic terule. + * @param policy Policy associated with the rule. + * @param rule Terule from which to get the type. + * @param rule_type Pointer to integer to set. + * Will be one of QPOL_RULE_TYPE_* (see qpol/terule_query.h). + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *rule_type will be 0. + */ + extern int qpol_syn_terule_get_rule_type(const qpol_policy_t * policy, const qpol_syn_terule_t * rule, + uint32_t * rule_type); + +/** + * Bet the set of types specified for a syntactic rule's source field. + * @param policy Policy associated with the rule. + * @param rule Terule from which to get the source type set. + * @param source_set Type set returned; the caller <b>shoule not</b> + * free this pointer. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *source_set will be NULL. + */ + extern int qpol_syn_terule_get_source_type_set(const qpol_policy_t * policy, const qpol_syn_terule_t * rule, + const qpol_type_set_t ** source_set); + +/** + * Get the set of types specified for a syntactic rule's target field. + * @param policy Policy associated with the rule. + * @param rule Terule from which to get the target types et. + * @param target_set Type set returned; ther caller <b>should not</b> + * free this pointer. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *target_set will be NULL. + */ + extern int qpol_syn_terule_get_target_type_set(const qpol_policy_t * policy, const qpol_syn_terule_t * rule, + const qpol_type_set_t ** target_set); + +/** + * Get an iterator over all classes specified in a syntactic rule. + * @param policy Policy associated with the rule. + * @param rule The rule from which to get the classes. + * @param classes Iterator over items of type qpol_class_t* returned. + * The caller is responsible for calling qpol_iterator_destroy() + * to free memory used by this iterator. + * It is important to note that this iterator is only valid as long as + * the policy is unmodifed. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *classes will be NULL. + */ + extern int qpol_syn_terule_get_class_iter(const qpol_policy_t * policy, const qpol_syn_terule_t * rule, + qpol_iterator_t ** classes); + +/* forward declaration */ + struct qpol_type; + +/** + * Get the default type of a syntactic terule. + * @param policy Policy associated with the rule. + * @param rule Terule from which to et the default type. + * @param dflt Reference pointer to the type to return. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *dflt will be NULL. + */ + extern int qpol_syn_terule_get_default_type(const qpol_policy_t * policy, const qpol_syn_terule_t * rule, + const struct qpol_type **dflt); + +/** + * Get the line number of a syntactic rule. + * @param policy Policy associated with the rule. + * @param rule The rule for which to get the line number. + * @param lineno Pointer to set to the line number. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *lineno will be 0. + */ + extern int qpol_syn_terule_get_lineno(const qpol_policy_t * policy, const qpol_syn_terule_t * rule, unsigned long *lineno); + +/** + * If the syntactic rule is within a conditional, then get that + * conditional and assign it to cond. Otherwise assign to cond NULL. + * @param policy Policy associated with the rule. + * @param rule The rule for which to get the conditional. + * @param cond Reference pointer to this rule's conditional + * expression, or NULL if the rule is unconditional. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *lineno will be 0. + */ + extern int qpol_syn_terule_get_cond(const qpol_policy_t * policy, const qpol_syn_terule_t * rule, + const qpol_cond_t ** cond); + +/** + * Determine if the syntactic rule is enabled. Unconditional rules + * are always enabled. + * @param policy Policy associated with the rule. + * @param rule The rule for which to get the conditional. + * @param is_enabled Integer in which to store the result: set to 1 + * if enabled and 0 otherwise. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *lineno will be 0. + */ + extern int qpol_syn_terule_get_is_enabled(const qpol_policy_t * policy, const qpol_syn_terule_t * rule, + uint32_t * is_enabled); + +#ifdef __cplusplus +} +#endif + +#endif /* QPOL_SYN_RULE_QUERY_H */ diff --git a/libqpol/include/qpol/terule_query.h b/libqpol/include/qpol/terule_query.h new file mode 100644 index 0000000..0006d1a --- /dev/null +++ b/libqpol/include/qpol/terule_query.h @@ -0,0 +1,159 @@ +/** + * @file + * Defines the public interface for searching and iterating over type rules. + * + * @author Kevin Carr kcarr@tresys.com + * @author Jeremy A. Mowery jmowery@tresys.com + * @author Jason Tang jtang@tresys.com + * + * Copyright (C) 2006-2007 Tresys Technology, LLC + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef QPOL_TERULE_QUERY_H +#define QPOL_TERULE_QUERY_H + +#ifdef __cplusplus +extern "C" +{ +#endif + +#include <qpol/policy.h> +#include <qpol/cond_query.h> + + typedef struct qpol_terule qpol_terule_t; + +/* rule type defines (values copied from "sepol/policydb/policydb.h") */ +#define QPOL_RULE_TYPE_TRANS 16 +#define QPOL_RULE_TYPE_CHANGE 64 +#define QPOL_RULE_TYPE_MEMBER 32 + +/** + * Get an iterator over all type rules in a policy of a rule type in + * rule_type_mask. It is an error to call this function if rules are not + * loaded. + * @param policy Policy from which to get the av rules. + * @param rule_type_mask Bitwise or'ed set of QPOL_RULE_TYPE_* values. + * It is an error to specify any other values of QPOL_RULE_* in the mask. + * @param iter Iterator over items of type qpol_terule_t returned. + * The caller is responsible for calling qpol_iterator_destroy() + * to free memory used by this iterator. + * It is important to note that this iterator is only valid as long as + * the policy is unmodifed. + * @returm 0 on success and < 0 on failure; if the call fails, + * errno will be set and *iter will be NULL. + */ + extern int qpol_policy_get_terule_iter(const qpol_policy_t * policy, uint32_t rule_type_mask, qpol_iterator_t ** iter); + +/** + * Get the source type from a type rule. + * @param policy Policy from which the rule comes. + * @param rule The rule from which to get the source type. + * @param source Pointer in which to store the source type. + * The caller should not free this pointer. + * @returm 0 on success and < 0 on failure; if the call fails, + * errno will be set and *source will be NULL. + */ + extern int qpol_terule_get_source_type(const qpol_policy_t * policy, const qpol_terule_t * rule, + const qpol_type_t ** source); + +/** + * Get the target type from a type rule. + * @param policy Policy from which the rule comes. + * @param rule The rule from which to get the target type. + * @param target Pointer in which to store the target type. + * The caller should not free this pointer. + * @returm 0 on success and < 0 on failure; if the call fails, + * errno will be set and *target will be NULL. + */ + extern int qpol_terule_get_target_type(const qpol_policy_t * policy, const qpol_terule_t * rule, + const qpol_type_t ** target); + +/** + * Get the object class from a type rule. + * @param policy Policy from which the rule comes. + * @param rule The rule from which to get the object class. + * @param obj_class Pointer in which to store the object class. + * The caller should not free this pointer. + * @returm 0 on success and < 0 on failure; if the call fails, + * errno will be set and *obj_class will be NULL. + */ + extern int qpol_terule_get_object_class(const qpol_policy_t * policy, const qpol_terule_t * rule, + const qpol_class_t ** obj_class); + +/** + * Get the default type from a type rule. + * @param policy Policy from which the rule comes. + * @param rule The rule from which to get the default type. + * @param dflt Pointer in which to store the default type. + * The caller should not free this pointer. + * @returm 0 on success and < 0 on failure; if the call fails, + * errno will be set and *dflt will be NULL. + */ + extern int qpol_terule_get_default_type(const qpol_policy_t * policy, const qpol_terule_t * rule, + const qpol_type_t ** dflt); + +/** + * Get the rule type value for a type rule. + * @param policy Policy from which the rule comes. + * @param rule The rule from which to get the rule type. + * @param rule_type Integer in which to store the rule type value. + * The value will be one of the QPOL_RULE_* values above. + * @returm 0 on success and < 0 on failure; if the call fails, + * errno will be set and *rule_type will be 0. + */ + extern int qpol_terule_get_rule_type(const qpol_policy_t * policy, const qpol_terule_t * rule, uint32_t * rule_type); + +/** + * Get the conditional from which a type rule comes. If the rule + * is not a conditional rule *cond is set to NULL. + * @param policy Policy from which the rule comes. + * @param rule The rule from which to get the conditional. + * @param cond The conditional returned. (NULL if rule is not conditional) + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *cond will be NULL. If the rule is not conditional + * *cond is set to NULL and the function is considered successful. + */ + extern int qpol_terule_get_cond(const qpol_policy_t * policy, const qpol_terule_t * rule, const qpol_cond_t ** cond); + +/** + * Determine if a rule is enabled. Unconditional rules are always enabled. + * @param policy Policy from which the rule comes. + * @param rule The rule to check. + * @param is_enabled Integer in which to store the result: set to 1 if enabled + * and 0 otherwise. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *is_enabled will be 0. + */ + extern int qpol_terule_get_is_enabled(const qpol_policy_t * policy, const qpol_terule_t * rule, uint32_t * is_enabled); + +/** + * Get the list (true or false) in which a conditional rule is. It is + * an error to call this function for an unconditional rule. + * @param policy Policy from which the rule comes. + * @param rule The rule to check. + * @param which_list Integer in which to store the result: set to 1 if + * rule is in the true list or 0 if in the false list. + * @return 0 on success and < 0 on failure; if the call fails, + * errno will be set and *which_list will be 0. + */ + extern int qpol_terule_get_which_list(const qpol_policy_t * policy, const qpol_terule_t * rule, uint32_t * which_list); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/libqpol/include/qpol/type_query.h b/libqpol/include/qpol/type_query.h new file mode 100644 index 0000000..9537f25 --- /dev/null +++ b/libqpol/include/qpol/type_query.h @@ -0,0 +1,175 @@ + /** + * @file + * Defines the public interface for searching and iterating over types. + * + * @author Kevin Carr kcarr@tresys.com + * @author Jeremy A. Mowery jmowery@tresys.com + * @author Jason Tang jtang@tresys.com + * + * Copyright (C) 2006-2008 Tresys Technology, LLC + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef QPOL_TYPE_QUERY_H +#define QPOL_TYPE_QUERY_H + +#ifdef __cplusplus +extern "C" +{ +#endif + +#include <stddef.h> +#include <stdint.h> +#include <qpol/iterator.h> +#include <qpol/policy.h> + + typedef struct qpol_type qpol_type_t; + +/** + * Get the datum for a type by name. + * @param policy The policy from which to get the type. + * @param name The name of the type; searching is case sensitive. + * @param datum Pointer in which to store the type datum; the caller + * should not free this pointer. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *datum will be NULL. + */ + extern int qpol_policy_get_type_by_name(const qpol_policy_t * policy, const char *name, const qpol_type_t ** datum); + +/** + * Get an iterator for types (including attributes and aliases) + * declared in the policy. + * @param policy The policy from which to create the iterator. + * @param iter Iterator of type qpol_type_t* returned; + * the caller is responsible for calling qpol_iterator_destroy to + * free memory used; it is important to note that the iterator is + * valid only as long as the policy is unchanged. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *iter will be NULL. + */ + extern int qpol_policy_get_type_iter(const qpol_policy_t * policy, qpol_iterator_t ** iter); + +/** + * Get the integer value associated with a type. Values range from 1 + * to the number of types declared in the policy. + * @param policy The policy associated with the type. + * @param datum The type from which to get the value. + * @param value Pointer to the integer in which to store value. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and value will be 0. + */ + extern int qpol_type_get_value(const qpol_policy_t * policy, const qpol_type_t * datum, uint32_t * value); + +/** + * Determine whether a given type is an alias for another type. + * @param policy The policy associated with the type. + * @param datum The type to check. + * @param isalias Pointer to be set to 1 (true) if the type is an alias + * and 0 (false) otherwise. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *isalias will be 0 (false). + */ + extern int qpol_type_get_isalias(const qpol_policy_t * policy, const qpol_type_t * datum, unsigned char *isalias); + +/** + * Determine whether a given type is an attribute. + * @param policy The policy associated with the type. + * @param datum The type to check. + * @param isattr Pointer to be set to 1 (true) if the type is an + * attribute and 0 (false) otherwise. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *isattr will be 0 (false). + */ + extern int qpol_type_get_isattr(const qpol_policy_t * policy, const qpol_type_t * datum, unsigned char *isattr); + +/** + * Determine whether a given type has been marked as enforcing + * (default) or as permissive. If the policy does not support + * permissive types, then all types are enforcing. Attributes are + * always enforcing. + * + * @param policy The policy associated with the type. + * @param datum The type to check. + * @param ispermissive Pointer to be set to 1 (true) if the type is + * permissive and 0 (false) otherwise. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *ispermissive will be 0 (false). + */ + extern int qpol_type_get_ispermissive(const qpol_policy_t * policy, const qpol_type_t * datum, unsigned char *ispermissive); + +/** + * Get an iterator for the list of types in an attribute. + * @param policy The policy associated with the attribute. + * @param datum The attribute from which to get the types. + * @param types Iterator of type qpol_type_t* returned; + * the caller is responsible for calling qpol_iterator_destroy to + * free memory used; it is important to note that the iterator is + * valid only as long as the policy is unchanged. + * @return Returns 0 on success, > 0 if the type is not an attribute + * and < 0 on failure; if the call fails, errno will be set and + * *types will be NULL. If the type is not an attribute *types will + * be NULL. + */ + extern int qpol_type_get_type_iter(const qpol_policy_t * policy, const qpol_type_t * datum, qpol_iterator_t ** types); + +/** + * Get an iterator for the list of attributes given to a type. + * @param policy The policy associated with the type. + * @param datum The type for which to get the attributes. + * @param attrs Iterator of type qpol_type_t* returned; + * the caller is responsible for calling qpol_iterator_destroy to + * free memory used; it is important to note that the iterator is + * valid only as long as the policy is unchanged. + * @return Returns 0 on success, > 0 if the type is an attribute + * and < 0 on failure; if the call fails, errno will be set and + * *types will be NULL. If the type is an attribute *types will + * be NULL. + */ + extern int qpol_type_get_attr_iter(const qpol_policy_t * policy, const qpol_type_t * datum, qpol_iterator_t ** attrs); + +/** + * Get the name by which a type is identified from its datum. + * @param policy The policy associated with the type. + * @param datum The type for which to get the name. + * @param name Pointer in which to store the name; the caller + * should not free the string. If the type is an alias then the + * primary name will be returned. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *name will be NULL. + */ + extern int qpol_type_get_name(const qpol_policy_t * policy, const qpol_type_t * datum, const char **name); + +/** + * Get an iterator for the list of aliases for a type. If the given + * type is an alias, this returns an iterator of its primary type's + * aliases. + * @param policy The policy associated with the type. + * @param datum The type for which to get aliases. + * @param aliases Iterator of type char* returned; the caller is + * responsible for calling qpol_iterator_destroy to free + * memory used; it is important to note that the iterator is valid + * only as long as the policy is unchanged. If a type has no aliases, + * the iterator will be at end and have size 0. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *aliases will be NULL. + */ + extern int qpol_type_get_alias_iter(const qpol_policy_t * policy, const qpol_type_t * datum, qpol_iterator_t ** aliases); + +#ifdef __cplusplus +} +#endif + +#endif /* QPOL_TYPE_QUERY_H */ diff --git a/libqpol/include/qpol/user_query.h b/libqpol/include/qpol/user_query.h new file mode 100644 index 0000000..be6322d --- /dev/null +++ b/libqpol/include/qpol/user_query.h @@ -0,0 +1,130 @@ +/** + * @file + * Defines the public interface for searching and iterating over users. + * + * @author Jeremy A. Mowery jmowery@tresys.com + * @author Jason Tang jtang@tresys.com + * + * Copyright (C) 2006-2007 Tresys Technology, LLC + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef QPOL_USER_QUERY_H +#define QPOL_USER_QUERY_H + +#ifdef __cplusplus +extern "C" +{ +#endif + +#include <stddef.h> +#include <stdint.h> +#include <qpol/iterator.h> +#include <qpol/policy.h> +#include <qpol/mls_query.h> + + typedef struct qpol_user qpol_user_t; + +/** + * Get the datum for a user by name. + * @param policy The policy from which to get the user. + * @param name The name of the user; searching is case sensitive. + * @param datum Pointer in which to store the user datum; the caller + * should not free this pointer. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and and *datum will be NULL. + */ + extern int qpol_policy_get_user_by_name(const qpol_policy_t * policy, const char *name, const qpol_user_t ** datum); + +/** + * Get an iterator for users declared in the policy. + * @param policy The policy from which to create the iterator. + * @param iter Iterator of type qpol_user_t* returned; + * the caller is responsible for calling qpol_iterator_destroy to + * free memory used; it is important to note that the iterator is + * valid only as long as the policy is unchanged. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *iter will be NULL. + */ + extern int qpol_policy_get_user_iter(const qpol_policy_t * policy, qpol_iterator_t ** iter); + +/** + * Get the integer value associated with a user. Values range from 1 to + * the number of users declared in the policy. + * @param policy The policy associate with the user. + * @param datum The user from which to get the value. + * @param value Pointer to the integer to set to value. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and value will be 0. + */ + extern int qpol_user_get_value(const qpol_policy_t * policy, const qpol_user_t * datum, uint32_t * value); + +/** + * Get an iterator for the set of roles assigned to a user. + * @param policy The policy associated with the user. + * @param datum The user from which to get the roles. + * @param roles Iterator of type qpol_role_t* returned; + * the caller is responsible for calling qpol_iterator_destroy to + * free memory used; it is important to note that the iterator is + * valid only as long as the policy is unchanged. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *roles will be NULL. + */ + extern int qpol_user_get_role_iter(const qpol_policy_t * policy, const qpol_user_t * datum, qpol_iterator_t ** roles); + +/** + * Get the allowed MLS range of a user. If the policy is not MLS + * then the returned level will be NULL. + * @param policy The policy associated with the user. + * @param datum The user from which to get the range. + * @param range Pointer in which to store the range. If the policy + * is not MLS then NULL will be assigned to the pointer. The caller + * should not free this pointer. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *range will be NULL. + */ + extern int qpol_user_get_range(const qpol_policy_t * policy, const qpol_user_t * datum, const qpol_mls_range_t ** range); + +/** + * Get the default level for a user. If the policy is not MLS then + * the returned level will be NULL. + * @param policy The policy associated with the user. + * @param datum The user from which to get the level. + * @param level Pointer in which to store the level. If the policy + * is not MLS then NULL will be assigned to the pointer. The caller + * should not free this pointer. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *level will be NULL. + */ + extern int qpol_user_get_dfltlevel(const qpol_policy_t * policy, const qpol_user_t * datum, + const qpol_mls_level_t ** level); + +/** + * Get the name which identifies a user from its datum. + * @param policy The policy associated with the user. + * @param datum The user for which to get the name. + * @param name Pointer in which to store the name; the caller + * should not free this string. + * @return Returns 0 on success and < 0 on failure; if the call fails, + * errno will be set and *name will be NULL. + */ + extern int qpol_user_get_name(const qpol_policy_t * policy, const qpol_user_t * datum, const char **name); + +#ifdef __cplusplus +} +#endif + +#endif /* QPOL_USER_QUERY_H */ diff --git a/libqpol/include/qpol/util.h b/libqpol/include/qpol/util.h new file mode 100644 index 0000000..f779c8e --- /dev/null +++ b/libqpol/include/qpol/util.h @@ -0,0 +1,61 @@ +/** + * @file + * + * Miscellaneous, uncategorized functions for libqpol. + * + * @author Jeremy A. Mowery jmowery@tresys.com + * @author Jason Tang jtang@tresys.com + * + * Copyright (C) 2006-2007 Tresys Technology, LLC + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef QPOL_UTIL_H +#define QPOL_UTIL_H + +#ifdef __cplusplus +extern "C" +{ +#endif + +/** + * Return an immutable string describing this library's version. + * + * @return String describing this library. + */ + extern const char *libqpol_get_version(void); + +/** + * Find the "default" policy file on the currently running system. + * First try looking for a monolithic source policy; if that does not + * exist then try a monolithic binary policy. + * + * @param path Buffer to store the policy's path. The caller is + * responsible for free()ing this string. + * + * @return 0 if a policy was found, > 0 if not, < 0 upon error. + */ + extern int qpol_default_policy_find(char **path); + +/* bunzip() a file to '*data', returning the total number of uncompressed bytes + * in the file. Returns -1 if file could not be decompressed. */ + extern ssize_t qpol_bunzip(FILE *f, char **data); + +#ifdef __cplusplus +} +#endif + +#endif |