Diffstat (limited to 'libpoldiff/include/poldiff')
-rw-r--r--libpoldiff/include/poldiff/Makefile.am20
-rw-r--r--libpoldiff/include/poldiff/attrib_diff.h130
-rw-r--r--libpoldiff/include/poldiff/avrule_diff.h361
-rw-r--r--libpoldiff/include/poldiff/bool_diff.h146
-rw-r--r--libpoldiff/include/poldiff/cat_diff.h103
-rw-r--r--libpoldiff/include/poldiff/class_diff.h222
-rw-r--r--libpoldiff/include/poldiff/component_record.h159
-rw-r--r--libpoldiff/include/poldiff/level_diff.h159
-rw-r--r--libpoldiff/include/poldiff/poldiff.h218
-rw-r--r--libpoldiff/include/poldiff/range_diff.h129
-rw-r--r--libpoldiff/include/poldiff/range_trans_diff.h140
-rw-r--r--libpoldiff/include/poldiff/rbac_diff.h251
-rw-r--r--libpoldiff/include/poldiff/role_diff.h127
-rw-r--r--libpoldiff/include/poldiff/terule_diff.h262
-rw-r--r--libpoldiff/include/poldiff/type_diff.h132
-rw-r--r--libpoldiff/include/poldiff/type_map.h153
-rw-r--r--libpoldiff/include/poldiff/user_diff.h191
-rw-r--r--libpoldiff/include/poldiff/util.h45
18 files changed, 2948 insertions, 0 deletions
diff --git a/libpoldiff/include/poldiff/Makefile.am b/libpoldiff/include/poldiff/Makefile.am
new file mode 100644
index 0000000..7c5a42c
--- /dev/null
+++ b/libpoldiff/include/poldiff/Makefile.am
@@ -0,0 +1,20 @@
+poldiffdir = $(includedir)/poldiff
+
+poldiff_HEADERS = \
+ poldiff.h \
+ attrib_diff.h \
+ avrule_diff.h \
+ bool_diff.h \
+ cat_diff.h \
+ class_diff.h \
+ component_record.h \
+ level_diff.h \
+ range_diff.h \
+ range_trans_diff.h \
+ rbac_diff.h \
+ role_diff.h \
+ terule_diff.h \
+ user_diff.h \
+ type_diff.h \
+ type_map.h \
+ util.h
diff --git a/libpoldiff/include/poldiff/attrib_diff.h b/libpoldiff/include/poldiff/attrib_diff.h
new file mode 100644
index 0000000..27d1f12
--- /dev/null
+++ b/libpoldiff/include/poldiff/attrib_diff.h
@@ -0,0 +1,130 @@
+/**
+ * @file
+ * Public interface for computing semantic differences in attributes.
+ *
+ * @author Jeremy A. Mowery jmowery@tresys.com
+ * @author Jason Tang jtang@tresys.com
+ *
+ * Copyright (C) 2006-2007 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef POLDIFF_ATTRIB_DIFF_H
+#define POLDIFF_ATTRIB_DIFF_H
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+#include <apol/vector.h>
+#include <poldiff/poldiff.h>
+
+ typedef struct poldiff_attrib poldiff_attrib_t;
+
+/**
+ * Get an array of statistics for the number of differences of each
+ * form for attributes.
+ *
+ * @param diff The policy difference structure from which to get the
+ * stats.
+ * @param stats Array into which to write the numbers (array must be
+ * pre-allocated). The order of the values written to the array is
+ * as follows: number of items of form POLDIFF_FORM_ADDED, number of
+ * POLDIFF_FORM_REMOVED, number of POLDIFF_FORM_MODIFIED, number of
+ * POLDIFF_FORM_ADD_TYPE, and number of POLDIFF_FORM_REMOVE_TYPE.
+ */
+ extern void poldiff_attrib_get_stats(const poldiff_t * diff, size_t stats[5]);
+
+/**
+ * Get the vector of attribute differences from the attribute
+ * difference summary.
+ *
+ * @param diff The policy difference structure associated with the
+ * attribute difference summary.
+ *
+ * @return A vector of elements of type poldiff_attrib_t, or NULL on
+ * error. The caller should <b>not</b> destroy the vector
+ * returned. If the call fails, errno will be set.
+ */
+ extern const apol_vector_t *poldiff_get_attrib_vector(const poldiff_t * diff);
+
+/**
+ * Obtain a newly allocated string representation of a difference in
+ * a attribute.
+ *
+ * @param diff The policy difference structure associated with the
+ * attribute.
+ * @param attrib The attribute from which to generate the string.
+ *
+ * @return A string representation of attribute difference; the
+ * caller is responsible for free()ing this string. On error, return
+ * NULL and set errno.
+ */
+ extern char *poldiff_attrib_to_string(const poldiff_t * diff, const void *attrib);
+
+/**
+ * Get the name of the attribute from an attribute diff.
+ *
+ * @param attrib The attribute from which to get the name.
+ *
+ * @return Name of the attribute on success and NULL on failure; if
+ * the call fails, errno will be set. The caller should not free the
+ * returned string.
+ */
+ extern const char *poldiff_attrib_get_name(const poldiff_attrib_t * attrib);
+
+/**
+ * Get the form of difference from an attribute diff.
+ *
+ * @param attrib The attribute from which to get the difference form.
+ *
+ * @return The form of difference (one of POLDIFF_FORM_*) or
+ * POLDIFF_FORM_NONE on error. If the call fails, errno will be set.
+ */
+ extern poldiff_form_e poldiff_attrib_get_form(const void *attrib);
+
+/**
+ * Get a vector of types added to the attribute.
+ *
+ * @param attrib The attribute diff from which to get the types
+ * vector.
+ *
+ * @return A vector of type names (type char *) that are members of
+ * the attribute in the modified policy. If no types were added the
+ * size of the returned vector will be 0. The caller must not
+ * destroy this vector. On error, errno will be set.
+ */
+ extern const apol_vector_t *poldiff_attrib_get_added_types(const poldiff_attrib_t * attrib);
+
+/**
+ * Get a vector of types removed from the attribute.
+ *
+ * @param attrib The attribute diff from which to get the types
+ * vector.
+ *
+ * @return A vector of type names (type char *) that are members of
+ * the attribute in the original policy. If no types were removed
+ * the size of the returned vector will be 0. The caller must not
+ * destroy this vector. On error, errno will be set.
+ */
+ extern const apol_vector_t *poldiff_attrib_get_removed_types(const poldiff_attrib_t * attrib);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* POLDIFF_ATTRIB_DIFF_H */
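Review bot: `poldiff_attrib_to_string` and `poldiff_attrib_get_form` take `const void *attrib` while every other accessor in this header takes `const poldiff_attrib_t *`, so a caller can hand either of them a `poldiff_avrule_t *` or any other pointer with no compiler diagnostic. This looks deliberate, presumably so the two can be used as generic per-item callbacks shared across the diff item types, but nothing in the header says so and a reader will otherwise take it for an oversight. I would state the contract on both declarations, e.g. `/* Takes void * so it can serve as a generic item callback; attrib must point to a poldiff_attrib_t. */`, so the untyped parameter is understood as a precondition rather than an accident.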
diff --git a/libpoldiff/include/poldiff/avrule_diff.h b/libpoldiff/include/poldiff/avrule_diff.h
new file mode 100644
index 0000000..454bb9c
--- /dev/null
+++ b/libpoldiff/include/poldiff/avrule_diff.h
@@ -0,0 +1,361 @@
+/**
+ * @file
+ * Public interface for computing semantic differences in av rules
+ * (allow, neverallow, auditallow, dontaudit).
+ *
+ * @author Jeremy A. Mowery jmowery@tresys.com
+ * @author Jason Tang jtang@tresys.com
+ *
+ * Copyright (C) 2006-2007 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef POLDIFF_AVRULE_DIFF_H
+#define POLDIFF_AVRULE_DIFF_H
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+#include <apol/vector.h>
+#include <poldiff/poldiff.h>
+
+ typedef struct poldiff_avrule poldiff_avrule_t;
+
+/**
+ * Get an array of statistics for the number of differences of each
+ * form for all AV rules.
+ *
+ * @param diff The policy difference structure from which to get the
+ * stats.
+ * @param stats Array into which to write the numbers (array must be
+ * pre-allocated). The order of the values written to the array is
+ * as follows: number of items of form POLDIFF_FORM_ADDED, number of
+ * POLDIFF_FORM_REMOVED, number of POLDIFF_FORM_MODIFIED, number of
+ * POLDIFF_FORM_ADD_TYPE, and number of POLDIFF_FORM_REMOVE_TYPE.
+ */
+ extern void poldiff_avrule_get_stats_allow(const poldiff_t * diff, size_t stats[5]);
+
+/**
+ * Get an array of statistics for the number of differences of each
+ * form for AV auditallow rules.
+ *
+ * @param diff The policy difference structure from which to get the
+ * stats.
+ * @param stats Array into which to write the numbers (array must be
+ * pre-allocated). The order of the values written to the array is
+ * as follows: number of items of form POLDIFF_FORM_ADDED, number of
+ * POLDIFF_FORM_REMOVED, number of POLDIFF_FORM_MODIFIED, number of
+ * POLDIFF_FORM_ADD_TYPE, and number of POLDIFF_FORM_REMOVE_TYPE.
+ */
+ extern void poldiff_avrule_get_stats_auditallow(const poldiff_t * diff, size_t stats[5]);
+
+/**
+ * Get an array of statistics for the number of differences of each
+ * form for AV dontaudit rules.
+ *
+ * @param diff The policy difference structure from which to get the
+ * stats.
+ * @param stats Array into which to write the numbers (array must be
+ * pre-allocated). The order of the values written to the array is
+ * as follows: number of items of form POLDIFF_FORM_ADDED, number of
+ * POLDIFF_FORM_REMOVED, number of POLDIFF_FORM_MODIFIED, number of
+ * POLDIFF_FORM_ADD_TYPE, and number of POLDIFF_FORM_REMOVE_TYPE.
+ */
+ extern void poldiff_avrule_get_stats_dontaudit(const poldiff_t * diff, size_t stats[5]);
+
+/**
+ * Get an array of statistics for the number of differences of each
+ * form for AV neverallow rules.
+ *
+ * @param diff The policy difference structure from which to get the
+ * stats.
+ * @param stats Array into which to write the numbers (array must be
+ * pre-allocated). The order of the values written to the array is
+ * as follows: number of items of form POLDIFF_FORM_ADDED, number of
+ * POLDIFF_FORM_REMOVED, number of POLDIFF_FORM_MODIFIED, number of
+ * POLDIFF_FORM_ADD_TYPE, and number of POLDIFF_FORM_REMOVE_TYPE.
+ */
+ extern void poldiff_avrule_get_stats_neverallow(const poldiff_t * diff, size_t stats[5]);
+
+/**
+ * Get the vector of av rule differences from the av rule difference
+ * summary for just allow rules.
+ *
+ * @param diff The policy difference structure associated with the av
+ * rule difference summary.
+ *
+ * @return A vector of elements of type poldiff_avrule_t, or NULL on
+ * error. The caller should <b>not</b> destroy the vector returned.
+ * If the call fails, errno will be set.
+ */
+ extern const apol_vector_t *poldiff_get_avrule_vector_allow(const poldiff_t * diff);
+
+/**
+ * Get the vector of av rule differences from the av rule difference
+ * summary for just auditallow rules.
+ *
+ * @param diff The policy difference structure associated with the av
+ * rule difference summary.
+ *
+ * @return A vector of elements of type poldiff_avrule_t, or NULL on
+ * error. The caller should <b>not</b> destroy the vector returned.
+ * If the call fails, errno will be set.
+ */
+ extern const apol_vector_t *poldiff_get_avrule_vector_auditallow(const poldiff_t * diff);
+
+/**
+ * Get the vector of av rule differences from the av rule difference
+ * summary for just dontaudit rules.
+ *
+ * @param diff The policy difference structure associated with the av
+ * rule difference summary.
+ *
+ * @return A vector of elements of type poldiff_avrule_t, or NULL on
+ * error. The caller should <b>not</b> destroy the vector returned.
+ * If the call fails, errno will be set.
+ */
+ extern const apol_vector_t *poldiff_get_avrule_vector_dontaudit(const poldiff_t * diff);
+
+/**
+ * Get the vector of av rule differences from the av rule difference
+ * summary for just neverallow rules.
+ *
+ * @param diff The policy difference structure associated with the av
+ * rule difference summary.
+ *
+ * @return A vector of elements of type poldiff_avrule_t, or NULL on
+ * error. The caller should <b>not</b> destroy the vector returned.
+ * If the call fails, errno will be set.
+ */
+ extern const apol_vector_t *poldiff_get_avrule_vector_neverallow(const poldiff_t * diff);
+
+/**
+ * Obtain a newly allocated string representation of a difference in
+ * any av rule.
+ *
+ * @param diff The policy difference structure associated with the av
+ * rule.
+ * @param avrule The av rule from which to generate the string.
+ *
+ * @return A string representation of av rule difference; the caller
+ * is responsible for free()ing this string. On error, return NULL
+ * and set errno.
+ */
+ extern char *poldiff_avrule_to_string(const poldiff_t * diff, const void *avrule);
+
+/**
+ * Get the form of difference from any av rule diff.
+ *
+ * @param avrule The av rule from which to get the difference form.
+ *
+ * @return The form of difference (one of POLDIFF_FORM_*) or
+ * POLDIFF_FORM_NONE on error.
+ */
+ extern poldiff_form_e poldiff_avrule_get_form(const void *avrule);
+
+/**
+ * Get the type of rule this is from an av rule diff.
+ *
+ * @param avrule The av rule from which to get the rule type.
+ *
+ * @return One of QPOL_RULE_ALLOW etc, suitable for printing via
+ * apol_rule_type_to_str().
+ */
+ extern uint32_t poldiff_avrule_get_rule_type(const poldiff_avrule_t * avrule);
+
+/**
+ * Get the source type from an av rule diff.
+ *
+ * @param avrule The av rule from which to get the type.
+ *
+ * @return A string for the type. <b>Do not free() this string.</b>
+ */
+ extern const char *poldiff_avrule_get_source_type(const poldiff_avrule_t * avrule);
+
+/**
+ * Get the target type from an av rule diff.
+ *
+ * @param avrule The av rule from which to get the type.
+ *
+ * @return A string for the type. <b>Do not free() this string.</b>
+ */
+ extern const char *poldiff_avrule_get_target_type(const poldiff_avrule_t * avrule);
+
+/**
+ * Get the object class from an av rule diff.
+ *
+ * @param avrule The av rule from which to get the class.
+ *
+ * @return A string for the class. <b>Do not free() this string.</b>
+ */
+ extern const char *poldiff_avrule_get_object_class(const poldiff_avrule_t * avrule);
+
+/**
+ * Get the conditional expression from an av rule diff. Note that
+ * this really returns a qpol_cond_t and an apol_policy_t, which may
+ * then be used in other routines such as apol_cond_expr_render().
+ *
+ * @param diff Difference structure from which the rule originated.
+ * @param avrule The av rule from which to get the conditional.
+ * @param cond Reference to the rule's conditional pointer, or NULL
+ * if the rule is not conditional. The caller must not free() this
+ * pointer.
+ * @param which_list Reference to which list the rule belongs, either
+ * 1 if in the true branch, 0 if in false. If the rule is not
+ * conditional then this value will be set to 1.
+ * @param p Reference to the policy from which the conditional
+ * originated, or NULL if the rule is not conditional. The caller
+ * must not destroy this pointer.
+ */
+ extern void poldiff_avrule_get_cond(const poldiff_t * diff, const poldiff_avrule_t * avrule,
+ const qpol_cond_t ** cond, uint32_t * which_list, const apol_policy_t ** p);
+
+/**
+ * Get a vector of permissions unmodified by the av rule. This
+ * vector will be non-empty only if the form is
+ * POLDIFF_FORM_MODIFIED.
+ *
+ * @param avrule The av rule diff from which to get the permissions
+ * vector.
+ *
+ * @return A vector of permissions strings (type char *) that both
+ * policies have. If no permissions are common to both policies then
+ * the size of of the returned vector will be 0. The caller must not
+ * destroy this vector.
+ */
+ extern const apol_vector_t *poldiff_avrule_get_unmodified_perms(const poldiff_avrule_t * avrule);
+
+/**
+ * Get a vector of permissions added to the av rule. If the rule was
+ * added by modified policy then this vector will hold all of the
+ * permissions.
+ *
+ * @param avrule The av rule diff from which to get the permissions
+ * vector.
+ *
+ * @return A vector of permissions strings (type char *) added to the
+ * rule in the modified policy. If no permissions were added the
+ * size of the returned vector will be 0. The caller must not
+ * destroy this vector.
+ */
+ extern const apol_vector_t *poldiff_avrule_get_added_perms(const poldiff_avrule_t * avrule);
+
+/**
+ * Get a vector of permissions removed from the av rule. If the rule
+ * was removed by modified policy then this vector will hold all of
+ * the permissions.
+ *
+ * @param avrule The av rule diff from which to get the permissions
+ * vector.
+ *
+ * @return A vector of permissions strings (type char *) removed from
+ * the rule in the original policy. If no permissions were removed
+ * the size of the returned vector will be 0. The caller must not
+ * destroy this vector.
+ */
+ extern const apol_vector_t *poldiff_avrule_get_removed_perms(const poldiff_avrule_t * avrule);
+
+/**
+ * Get a vector of line numbers (of type unsigned long) for this av rule
+ * difference from the original policy. Note that if the form is
+ * POLDIFF_FORM_ADDED or POLDIFF_FORM_ADD_TYPE then this will return NULL.
+ * Also, if the original policy is a binary policy or line numbers are not yet
+ * enabled then this returns NULL.
+ * @see poldiff_enable_line_numbers() to enable line numbers.
+ *
+ * @param avrule The av rule diff from which to get line numbers.
+ *
+ * @return A vector of line numbers (type unsigned long) for the rule
+ * in the original policy, or NULL if no numbers are available. Do
+ * not destroy or otherwise modify this vector.
+ */
+ extern const apol_vector_t *poldiff_avrule_get_orig_line_numbers(const poldiff_avrule_t * avrule);
+
+/**
+ * Get a vector of line numbers (of type unsigned long) for this av rule
+ * difference from the modified policy. Note that if the form is
+ * POLDIFF_FORM_REMOVED or POLDIFF_FORM_REMOVE_TYPE then this will return
+ * NULL. Also, if the modified policy is a binary policy or line numbers are
+ * not yet enabled then this returns NULL.
+ * @see poldiff_enable_line_numbers() to enable line numbers.
+ *
+ * @param avrule The av rule diff from which to get line numbers.
+ *
+ * @return A vector of line numbers (type unsigned long) for the rule
+ * in the modified policy, or NULL if no numbers are available. Do
+ * not destroy or otherwise modify this vector.
+ */
+ extern const apol_vector_t *poldiff_avrule_get_mod_line_numbers(const poldiff_avrule_t * avrule);
+
+/**
+ * Given an av rule difference and a permission name, return a vector
+ * of all line numbers (of type unsigned long) from the original
+ * policy; these line numbers correspond to rules that contributed to
+ * the av rule difference and have the given permission. Be aware
+ * that the vector could be empty if the permission was not found.
+ * Note that if the form is POLDIFF_FORM_ADDED or
+ * POLDIFF_FORM_ADD_TYPE then this will return NULL. Also, if the
+ * original policy is a binary policy or line numbers are not yet
+ * enabled then this returns NULL.
+ *
+ * @see poldiff_enable_line_numbers() to enable line numbers.
+ *
+ * @param diff Difference object containing policies to query.
+ * @param avrule The av rule diff from which to get line numbers.
+ * @param perm Permission to look up.
+ *
+ * @return A vector of sorted line numbers (type unsigned long) for
+ * the rule in the original policy, or NULL if no numbers are
+ * available. Note that the vector could be empty if the permission
+ * was not found. It is the caller's responsibility to call
+ * apol_vector_destroy() upon the returned value.
+ */
+ extern apol_vector_t *poldiff_avrule_get_orig_line_numbers_for_perm(const poldiff_t * diff, const poldiff_avrule_t * avrule,
+ const char *perm);
+
+/**
+ * Given an av rule difference and a permission name, return a vector
+ * of all line numbers (of type unsigned long) from the modified
+ * policy; these line numbers correspond to rules that contributed to
+ * the av rule difference and have the given permission. Be aware
+ * that the vector could be empty if the permission was not found.
+ * Note that if the form is POLDIFF_FORM_REMOVED or
+ * POLDIFF_FORM_REMOVE_TYPE then this will return NULL. Also, if the
+ * modified policy is a binary policy or line numbers are not yet
+ * enabled then this returns NULL.
+ *
+ * @see poldiff_enable_line_numbers() to enable line numbers.
+ *
+ * @param diff Difference object containing policies to query.
+ * @param avrule The av rule diff from which to get line numbers.
+ * @param perm Permission to look up.
+ *
+ * @return A vector of sorted line numbers (type unsigned long) for
+ * the rule in the modified policy, or NULL if no numbers are
+ * available. Note that the vector could be empty if the permission
+ * was not found. It is the caller's responsibility to call
+ * apol_vector_destroy() upon the returned value.
+ */
+ extern apol_vector_t *poldiff_avrule_get_mod_line_numbers_for_perm(const poldiff_t * diff, const poldiff_avrule_t * avrule,
+ const char *perm);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* POLDIFF_AVRULE_DIFF_H */
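Review bot: `uint32_t` is used in the `poldiff_avrule_get_rule_type` return type and the `which_list` out-parameter of `poldiff_avrule_get_cond`, but the header's only includes are `<apol/vector.h>` and `<poldiff/poldiff.h>`, so it compiles only if one of those happens to pull in `<stdint.h>` transitively; add `#include <stdint.h>` next to the existing includes so the header is self-contained. Separately, `poldiff_avrule_get_form` documents `POLDIFF_FORM_NONE` as its error return while `poldiff_avrule_get_rule_type` gives no error value at all, so a caller passing a NULL rule cannot tell a failure from a legitimate rule type; the `@return` should state what is returned and whether errno is set in that case. Likewise `poldiff_avrule_get_cond` says nothing about what happens to `*cond`, `*which_list` and `*p` when `diff` or `avrule` is invalid, and callers that read them unconditionally would want that pinned down, e.g. `On error the out-parameters are left unmodified and errno is set` (to be confirmed against the implementation).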
diff --git a/libpoldiff/include/poldiff/bool_diff.h b/libpoldiff/include/poldiff/bool_diff.h
new file mode 100644
index 0000000..e64d33c
--- /dev/null
+++ b/libpoldiff/include/poldiff/bool_diff.h
@@ -0,0 +1,146 @@
+/**
+ * @file
+ * Public interface for computing semantic differences in booleans.
+ *
+ * @author Jeremy A. Mowery jmowery@tresys.com
+ * @author Jason Tang jtang@tresys.com
+ * @author Randy Wicks rwicks@tresys.com
+ *
+ * Copyright (C) 2006-2007 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef POLDIFF_BOOL_DIFF_H
+#define POLDIFF_BOOL_DIFF_H
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+#include <apol/vector.h>
+#include <poldiff/poldiff.h>
+
+ typedef struct poldiff_bool poldiff_bool_t;
+
+/**
+ * Get an array of statistics for the number of differences of each
+ * form for bools.
+ *
+ * @param diff The policy difference structure from which to get the
+ * stats.
+ * @param stats Array into which to write the numbers (array must be
+ * pre-allocated). The order of the values written to the array is as
+ * follows: number of items of form POLDIFF_FORM_ADDED, number of
+ * POLDIFF_FORM_REMOVED, number of POLDIFF_FORM_MODIFIED, number of
+ * form POLDIFF_FORM_ADD_TYPE, and number of
+ * POLDIFF_FORM_REMOVE_TYPE.
+ */
+ extern void poldiff_bool_get_stats(const poldiff_t * diff, size_t stats[5]);
+
+/**
+ * Get the vector of bool differences from the boolean difference
+ * summary.
+ *
+ * @param diff The policy difference structure associated with the
+ * bool difference summary.
+ *
+ * @return A vector of elements of type poldiff_bool_t, or NULL on
+ * error. The caller should <b>not</b> destroy the vector
+ * returned. If the call fails, errno will be set.
+ */
+ extern const apol_vector_t *poldiff_get_bool_vector(const poldiff_t * diff);
+
+/**
+ * Obtain a newly allocated string representation of a difference in
+ * a bool.
+ *
+ * @param diff The policy difference structure associated with the bool.
+ * @param item The bool from which to generate the string.
+ *
+ * @return A string representation of bool difference; the caller is
+ * responsible for free()ing this string. On error, return NULL and
+ * set errno.
+ */
+ extern char *poldiff_bool_to_string(const poldiff_t * diff, const void *boolean);
+
+/**
+ * Get the number of added bools from a policy difference
+ * structure.
+ *
+ * @param diff The policy difference structure from which to get the
+ * number of added bools.
+ *
+ * @return The number of added bools or 0 if not yet run. (The
+ * number of differences could also be zero.)
+ */
+ extern size_t poldiff_get_num_added_bools(const poldiff_t * diff);
+
+/**
+ * Get the number of removed bools from a policy difference
+ * structure.
+ *
+ * @param diff The policy difference structure from which to get the
+ * number of removed bools.
+ *
+ * @return The number of removed bools or 0 if not yet run. (The
+ * number of differences could also be zero.)
+ */
+ extern size_t poldiff_get_num_removed_bools(const poldiff_t * diff);
+
+/**
+ * Get the number of modified bools from a policy difference
+ * structure.
+ *
+ * @param diff The policy difference structure from which to get the
+ * number of modified bools.
+ *
+ * @return The number of modified bools or 0 if not yet run. (The
+ * number of differences could also be zero.)
+ */
+ extern size_t poldiff_get_num_modified_bools(const poldiff_t * diff);
+
+/**
+ * Get the name of the bool from a bool diff.
+ *
+ * @param diff The policy difference structure associated with the
+ * bool diff.
+ * @param cls The bool from which to get the name.
+ *
+ * @return Name of the bool on success and NULL on failure; if the
+ * call fails, errno will be set. The caller should not free the
+ * returned string.
+ */
+ extern const char *poldiff_bool_get_name(const poldiff_bool_t * boolean);
+
+/**
+ * Get the form of difference from a bool diff.
+ *
+ * @param diff The policy difference structure associated with the
+ * bool diff.
+ *
+ * @param cls The bool from which to get the difference form.
+ *
+ * @return The form of difference (one of POLDIFF_FORM_*) or
+ * POLDIFF_FORM_NONE on error. If the call fails, errno will be set.
+ */
+ extern poldiff_form_e poldiff_bool_get_form(const void *boolean);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* POLDIFF_BOOL_DIFF_H */
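Review bot: The Doxygen blocks for `poldiff_bool_to_string`, `poldiff_bool_get_name` and `poldiff_bool_get_form` do not match their prototypes: the parameter is named `boolean` in all three declarations, but the comments document `@param item` and `@param cls`, and the latter two also document a `@param diff` that the functions do not take. These should read `@param boolean The bool from which to generate the string.` / `@param boolean The bool from which to get the name.` / `@param boolean The bool from which to get the difference form.` with the stray `@param diff` lines removed, otherwise Doxygen will warn and the generated API docs will describe parameters that do not exist. The `@return` text for the three `poldiff_get_num_*_bools` counters also conflates "not yet run" with "zero differences"; since the caller cannot distinguish them from the return value alone, it would be worth pointing at the call that tells them apart, presumably a status query on the `poldiff_t`, or saying explicitly that they are indistinguishable here.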
diff --git a/libpoldiff/include/poldiff/cat_diff.h b/libpoldiff/include/poldiff/cat_diff.h
new file mode 100644
index 0000000..c845639
--- /dev/null
+++ b/libpoldiff/include/poldiff/cat_diff.h
@@ -0,0 +1,103 @@
+/**
+ * @file
+ * Public interface for computing semantic differences in categories.
+ *
+ * @author Jeremy A. Mowery jmowery@tresys.com
+ * @author Jason Tang jtang@tresys.com
+ *
+ * Copyright (C) 2007 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef POLDIFF_CAT_DIFF_H
+#define POLDIFF_CAT_DIFF_H
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+#include <apol/vector.h>
+#include <poldiff/poldiff.h>
+
+ typedef struct poldiff_cat poldiff_cat_t;
+
+/**
+ * Get an array of statistics for the number of differences of each
+ * form for categories.
+ *
+ * @param diff The policy difference structure from which to get the
+ * stats.
+ * @param stats Array into which to write the numbers (array must be
+ * pre-allocated). The order of the values written to the array is
+ * as follows: number of items of form POLDIFF_FORM_ADDED, number of
+ * POLDIFF_FORM_REMOVED, number of POLDIFF_FORM_MODIFIED, number of
+ * POLDIFF_FORM_ADD_TYPE, and number of POLDIFF_FORM_REMOVE_TYPE.
+ */
+ extern void poldiff_cat_get_stats(const poldiff_t * diff, size_t stats[5]);
+
+/**
+ * Get the vector of user differences from the category difference
+ * summary.
+ *
+ * @param diff The policy difference structure associated with the
+ * category difference summary.
+ *
+ * @return A vector of elements of type poldiff_cat_t, or NULL on
+ * error. The caller should <b>not</b> destroy the vector
+ * returned. If the call fails, errno will be set.
+ */
+ extern const apol_vector_t *poldiff_get_cat_vector(const poldiff_t * diff);
+
+/**
+ * Obtain a newly allocated string representation of a difference in
+ * a category.
+ *
+ * @param diff The policy difference structure associated with the category.
+ * @param cat The category from which to generate the string.
+ *
+ * @return A string representation of category difference; the caller is
+ * responsible for free()ing this string. On error, return NULL and
+ * set errno.
+ */
+ extern char *poldiff_cat_to_string(const poldiff_t * diff, const void *cat);
+
+/**
+ * Get the name of the category from a category diff.
+ *
+ * @param cat The category from which to get the name.
+ *
+ * @return Name of the category on success and NULL on failure; if the
+ * call fails, errno will be set. The caller should not free the
+ * returned string.
+ */
+ extern const char *poldiff_cat_get_name(const poldiff_cat_t * cat);
+
+/**
+ * Get the form of difference from a category diff.
+ *
+ * @param cat The category from which to get the difference form.
+ *
+ * @return The form of difference (one of POLDIFF_FORM_*) or
+ * POLDIFF_FORM_NONE on error. If the call fails, errno will be set.
+ */
+ extern poldiff_form_e poldiff_cat_get_form(const void *cat);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* POLDIFF_CAT_DIFF_H */
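Review bot: The description of `poldiff_get_cat_vector` says "Get the vector of user differences from the category difference summary", which is a copy-and-paste leftover from the user header; it should read `Get the vector of category differences from the category difference summary.` since the function returns `poldiff_cat_t` elements as the `@return` line correctly states. The rest of the header is consistent with the attribute and boolean headers in this change.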
diff --git a/libpoldiff/include/poldiff/class_diff.h b/libpoldiff/include/poldiff/class_diff.h
new file mode 100644
index 0000000..0d89924
--- /dev/null
+++ b/libpoldiff/include/poldiff/class_diff.h
@@ -0,0 +1,222 @@
+/**
+ * @file
+ * Public interface for computing semantic differences in classes
+ * and commons.
+ *
+ * @author Jeremy A. Mowery jmowery@tresys.com
+ * @author Jason Tang jtang@tresys.com
+ *
+ * Copyright (C) 2006-2007 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef POLDIFF_CLASS_DIFF_H
+#define POLDIFF_CLASS_DIFF_H
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+#include <apol/vector.h>
+#include <poldiff/poldiff.h>
+
+/******************** object classes ********************/
+
+ typedef struct poldiff_class poldiff_class_t;
+
+/**
+ * Get an array of statistics for the number of differences of each
+ * form for object classes.
+ *
+ * @param diff The policy difference structure from which to get the
+ * stats.
+ * @param stats Array into which to write the numbers (array must be
+ * pre-allocated). The order of the values written to the array is
+ * as follows: number of items of form POLDIFF_FORM_ADDED, number of
+ * POLDIFF_FORM_REMOVED, number of POLDIFF_FORM_MODIFIED, number of
+ * POLDIFF_FORM_ADD_TYPE, and number of POLDIFF_FORM_REMOVE_TYPE.
+ */
+ extern void poldiff_class_get_stats(const poldiff_t * diff, size_t stats[5]);
+
+/**
+ * Get the vector of class differences from the class difference
+ * summary.
+ *
+ * @param diff The policy difference structure associated with the
+ * class difference summary.
+ *
+ * @return A vector of elements of type poldiff_class_t, or NULL on
+ * error. The caller should <b>not</b> destroy the vector
+ * returned. If the call fails, errno will be set.
+ */
+ extern const apol_vector_t *poldiff_get_class_vector(const poldiff_t * diff);
+
+/**
+ * Obtain a newly allocated string representation of a difference in
+ * an object class.
+ *
+ * @param diff The policy difference structure associated with the class.
+ * @param cls The class from which to generate the string.
+ *
+ * @return A string representation of class difference; the caller is
+ * responsible for free()ing this string. On error, return NULL and
+ * set errno.
+ */
+ extern char *poldiff_class_to_string(const poldiff_t * diff, const void *cls);
+
+/**
+ * Get the name of the class from a class diff.
+ *
+ * @param cls The class from which to get the name.
+ *
+ * @return Name of the class on success and NULL on failure; if the
+ * call fails, errno will be set. The caller should not free the
+ * returned string.
+ */
+ extern const char *poldiff_class_get_name(const poldiff_class_t * cls);
+
+/**
+ * Get the form of difference from a class diff.
+ *
+ * @param cls The class from which to get the difference form.
+ *
+ * @return The form of difference (one of POLDIFF_FORM_*) or
+ * POLDIFF_FORM_NONE on error. If the call fails, errno will be set.
+ */
+ extern poldiff_form_e poldiff_class_get_form(const void *cls);
+
+/**
+ * Get a vector of permissions added to the class.
+ *
+ * @param cls The class diff from which to get the permission vector.
+ *
+ * @return A vector of permission names (type char *) that are
+ * assigned to the class in the modified policy. If no permissions
+ * were added the size of the returned vector will be 0. The caller
+ * must not destroy this vector. On error, errno will be set.
+ */
+ extern const apol_vector_t *poldiff_class_get_added_perms(const poldiff_class_t * cls);
+
+/**
+ * Get a vector of permissions removed from the class.
+ *
+ * @param cls The class diff from which to get the permission vector.
+ *
+ * @return A vector of permission names (type char *) that are
+ * assigned to the class in the original policy. If no permissions
+ * were removed the size of the returned vector will be 0. The
+ * caller must not destroy this vector. On error, errno will be set.
+ */
+ extern const apol_vector_t *poldiff_class_get_removed_perms(const poldiff_class_t * cls);
+
+/******************** common classes ********************/
+
+ typedef struct poldiff_common poldiff_common_t;
+
+/**
+ * Get an array of statistics for the number of differences of each
+ * form for common classes.
+ *
+ * @param diff The policy difference structure from which to get the
+ * stats.
+ * @param stats Array into which to write the numbers (array must be
+ * pre-allocated). The order of the values written to the array is
+ * as follows: number of items of form POLDIFF_FORM_ADDED, number of
+ * POLDIFF_FORM_REMOVED, number of POLDIFF_FORM_MODIFIED, number of
+ * POLDIFF_FORM_ADD_TYPE, and number of POLDIFF_FORM_REMOVE_TYPE.
+ */
+ extern void poldiff_common_get_stats(const poldiff_t * diff, size_t stats[5]);
+
+/**
+ * Get the vector of commons differences from the commons difference
+ * summary.
+ *
+ * @param diff The policy difference structure associated with the
+ * commons difference summary.
+ *
+ * @return A vector of elements of type poldiff_common_t, or NULL on
+ * error. The caller should <b>not</b> destroy the vector
+ * returned. If the call fails, errno will be set.
+ */
+ extern const apol_vector_t *poldiff_get_common_vector(const poldiff_t * diff);
+
+/**
+ * Obtain a newly allocated string representation of a difference in
+ * a common class.
+ *
+ * @param diff The policy difference structure associated with the
+ * common.
+ * @param common The common from which to generate the string.
+ *
+ * @return A string representation of common difference; the caller
+ * is responsible for free()ing this string. On error, return NULL
+ * and set errno.
+ */
+ extern char *poldiff_common_to_string(const poldiff_t * diff, const void *common);
+
+/**
+ * Get the name of the common from a common diff.
+ *
+ * @param common The common from which to get the name.
+ *
+ * @return Name of the common on success and NULL on failure; if the
+ * call fails, errno will be set. The caller should not free the
+ * returned string.
+ */
+ extern const char *poldiff_common_get_name(const poldiff_common_t * common);
+
+/**
+ * Get the form of difference from a common diff.
+ *
+ * @param common The common from which to get the difference form.
+ *
+ * @return The form of difference (one of POLDIFF_FORM_*) or
+ * POLDIFF_FORM_NONE on error. If the call fails, errno will be set.
+ */
+ extern poldiff_form_e poldiff_common_get_form(const void *common);
+
+/**
+ * Get a vector of permissions added to the common.
+ *
+ * @param common The common diff from which to get the permission
+ * vector.
+ *
+ * @return A vector of permission names (type char *) that are
+ * assigned to the common in the modified policy. If no permissions
+ * were added the size of the returned vector will be 0. The caller
+ * must not destroy this vector. On error, errno will be set.
+ */
+ extern const apol_vector_t *poldiff_common_get_added_perms(const poldiff_common_t * common);
+
+/**
+ * Get a vector of permissions removed from the common.
+ *
+ * @param common The common diff from which to get the permission
+ * vector.
+ *
+ * @return A vector of permission names (type char *) that are
+ * assigned to the common in the original policy. If no permissions
+ * were removed the size of the returned vector will be 0. The
+ * caller must not destroy this vector. On error, errno will be set.
+ */
+ extern const apol_vector_t *poldiff_common_get_removed_perms(const poldiff_common_t * common);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* POLDIFF_CLASS_DIFF_H */
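Review bot: The two `#include` lines sit inside the `extern "C" {` block opened just above them, so every declaration those headers pull in is given C linkage whenever this header is consumed from C++; move the includes above `#ifdef __cplusplus` so only this file's own prototypes are wrapped. The same layout is used in level_diff.h, poldiff.h (where it additionally wraps `<stdarg.h>` and `<stdint.h>`) and range_diff.h. Separately, `poldiff_class_get_form()`, `poldiff_class_to_string()` and their common-class counterparts take `const void *` while the sibling getters take the typed pointer; presumably this is so they can be stored in the callback typedefs of component_record.h, and a one-line comment such as `/* takes void * so it matches poldiff_item_get_form_fn_t */` would stop a later reader from "fixing" the signature.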
diff --git a/libpoldiff/include/poldiff/component_record.h b/libpoldiff/include/poldiff/component_record.h
new file mode 100644
index 0000000..0104845
--- /dev/null
+++ b/libpoldiff/include/poldiff/component_record.h
@@ -0,0 +1,159 @@
+/**
+ * @file
+ * Typedefs to aid declaring function pointers for callbacks
+ * extracted from component records.
+ *
+ * This file also declares functions to extract the callbacks for
+ * component records. This implements a form of polymorphism so that
+ * one can operate on component records and not care about the
+ * library dependent implementation.
+ *
+ * @author Jeremy A. Mowery jmowery@tresys.com
+ * @author Jason Tang jtang@tresys.com
+ * @author Mark Goldman mgoldman@tresys.com
+ *
+ * Copyright (C) 2007 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef POLDIFF_COMPONENT_RECORD_H
+#define POLDIFF_COMPONENT_RECORD_H
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+/**
+ * Callback function signature for getting an array of statistics for the
+ * number of differences of each form for a given item.
+ * @param diff The policy difference structure from which to get the stats.
+ * @param stats Array into which to write the numbers (array must be
+ * pre-allocated). The order of the values written to the array is as follows:
+ * number of items of form POLDIFF_FORM_ADDED, number of POLDIFF_FORM_REMOVED,
+ * number of POLDIFF_FORM_MODIFIED, number of form POLDIFF_FORM_ADD_TYPE, and
+ * number of POLDIFF_FORM_REMOVE_TYPE.
+ */
+ typedef void (*poldiff_get_item_stats_fn_t) (const poldiff_t * diff, size_t stats[5]);
+
+/**
+ * Callback function signature for getting a vector of all result
+ * items that were created during a call to poldiff_do_item_diff().
+ * @param diff Policy diff structure containing results.
+ * @return A vector of result items, which the caller may not modify
+ * or destroy. Upon error, return null and set errno.
+ */
+ typedef const apol_vector_t *(*poldiff_get_result_items_fn_t) (const poldiff_t * diff);
+
+/**
+ * Callback function signature for getting the form of difference for
+ * a result item.
+ * @param diff The policy difference structure associated with the item.
+ * @param item The item from which to get the form.
+ * @return One of the POLDIFF_FORM_* enumeration.
+ */
+ typedef poldiff_form_e(*poldiff_item_get_form_fn_t) (const void *item);
+
+/**
+ * Callback function signature for obtaining a newly allocated string
+ * representation of a difference item.
+ * @param diff The policy difference structure associated with the item.
+ * @param item The item from which to generate the string.
+ * @return Expected return value from this function is a newly allocated
+ * string representation of the item or null on error; if the call fails,
+ * it is expected to set errno.
+ */
+ typedef char *(*poldiff_item_to_string_fn_t) (const poldiff_t * diff, const void *item);
+
+ typedef struct poldiff_component_record poldiff_component_record_t;
+
+/**
+ * Get the poldiff_component_record_t for a particular policy
+ * component. Consult this record for function pointers, so as to
+ * achieve a limited form of polymorphism.
+ *
+ * @param which Flag (as defined in <poldiff/poldiff.h>) indicating
+ * which component to look up.
+ * @return A poldiff_component_record_t associated with the component
+ * or NULL if not found.
+ */
+ extern const poldiff_component_record_t *poldiff_get_component_record(uint32_t which);
+
+/**
+ * Get the function that will return the form from a
+ * poldiff_component_record_t.
+ *
+ * @param comp Pointer to the component to extract the named virtual
+ * function.
+ *
+ * @return Function pointer relating to the passed in record key, or
+ * NULL upon error.
+ */
+ extern poldiff_item_get_form_fn_t poldiff_component_record_get_form_fn(const poldiff_component_record_t * comp);
+
+/**
+ * Get the function that will return the to_string from a
+ * poldiff_component_record_t.
+ *
+ * @param diff Pointer to the component to extract the named virtual
+ * function.
+ *
+ * @return Function pointer relating to the passed in record key, or
+ * NULL upon error.
+ */
+ extern poldiff_item_to_string_fn_t poldiff_component_record_get_to_string_fn(const poldiff_component_record_t * diff);
+
+/**
+ * Get the function that will return the item_stats from a
+ * poldiff_component_record_t.
+ *
+ * @param diff Pointer to the component to extract the named virtual
+ * function.
+ *
+ * @return Function pointer relating to the passed in record key, or
+ * NULL upon error.
+ */
+ extern poldiff_get_item_stats_fn_t poldiff_component_record_get_stats_fn(const poldiff_component_record_t * diff);
+
+/**
+ * Get the function that will return the results from a
+ * poldiff_component_record_t.
+ *
+ * @param diff Pointer to the component to extract the named virtual
+ * function.
+ *
+ * @return Function pointer relating to the passed in record key, or
+ * NULL upon error.
+ */
+ extern poldiff_get_result_items_fn_t poldiff_component_record_get_results_fn(const poldiff_component_record_t * diff);
+
+/**
+ * Get the function that will return the label from a
+ * poldiff_component_record_t. This label describes the policy
+ * component (e.g., "attribute" or "AVrule dontaudit").
+ *
+ * @param diff Pointer to the component to extract named the label.
+ *
+ * @return Label describing the policy component record. Do not
+ * modify this string.
+ */
+ extern const char *poldiff_component_record_get_label(const poldiff_component_record_t * diff);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
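Review bot: This header uses `poldiff_t`, `poldiff_form_e`, `apol_vector_t`, `size_t` and `uint32_t` but includes nothing, and the component-header list in poldiff.h does not include it either, so it only compiles if the consumer happens to include poldiff.h first; add `#include <stddef.h>`, `#include <stdint.h>` and `#include <poldiff/poldiff.h>` directly after the guard (poldiff.h already pulls in `<apol/vector.h>`). The doc comment on `poldiff_item_get_form_fn_t` lists a `@param diff` that the signature does not have, and from `poldiff_component_record_get_to_string_fn()` onward the parameter is named `diff` and documented as such although it is a `poldiff_component_record_t`; naming it `comp` as `poldiff_component_record_get_form_fn()` does keeps the accessors uniform. The `@return` lines that say "relating to the passed in record key" presumably mean "for the passed in component record".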
diff --git a/libpoldiff/include/poldiff/level_diff.h b/libpoldiff/include/poldiff/level_diff.h
new file mode 100644
index 0000000..e9eba23
--- /dev/null
+++ b/libpoldiff/include/poldiff/level_diff.h
@@ -0,0 +1,159 @@
+/**
+ * @file
+ * Public interface for computing semantic differences in levels.
+ *
+ * @author Jeremy A. Mowery jmowery@tresys.com
+ * @author Jason Tang jtang@tresys.com
+ *
+ * Copyright (C) 2007 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef POLDIFF_LEVEL_DIFF_H
+#define POLDIFF_LEVEL_DIFF_H
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+#include <apol/vector.h>
+#include <poldiff/poldiff.h>
+
+ typedef struct poldiff_level poldiff_level_t;
+
+/**
+ * Get an array of statistics for the number of differences of each
+ * form for levels.
+ *
+ * @param diff The policy difference structure from which to get the
+ * stats.
+ * @param stats Array into which to write the numbers (array must be
+ * pre-allocated). The order of the values written to the array is
+ * as follows: number of items of form POLDIFF_FORM_ADDED, number of
+ * POLDIFF_FORM_REMOVED, number of POLDIFF_FORM_MODIFIED, number of
+ * POLDIFF_FORM_ADD_TYPE, and number of POLDIFF_FORM_REMOVE_TYPE.
+ */
+ extern void poldiff_level_get_stats(const poldiff_t * diff, size_t stats[5]);
+
+/**
+ * Get the vector of level differences from the level difference
+ * summary.
+ *
+ * @param diff The policy difference structure associated with the
+ * level difference summary.
+ *
+ * @return A vector of elements of type poldiff_level_t, or NULL on
+ * error. The caller should <b>not</b> destroy the vector
+ * returned. If the call fails, errno will be set.
+ */
+ extern const apol_vector_t *poldiff_get_level_vector(const poldiff_t * diff);
+
+/**
+ * Obtain a newly allocated string representation of a difference in
+ * a level.
+ *
+ * @param diff The policy difference structure associated with the level.
+ * @param level The level from which to generate the string.
+ *
+ * @return A string representation of level difference; the caller is
+ * responsible for free()ing this string. On error, return NULL and
+ * set errno.
+ */
+ extern char *poldiff_level_to_string(const poldiff_t * diff, const void *level);
+
+/**
+ * Allocate and return a string rendering of a poldiff_level_t,
+ * suitable for embedding within some other component's to_string
+ * function (e.g., a user's default level).
+ *
+ * @param diff Poldiff object, for error handling.
+ * @param level Level diff object to render.
+ *
+ * @return String rendering of level, or NULL upon error. Caller must
+ * free() string afterwards.
+ */
+ char *poldiff_level_to_string_brief(const poldiff_t * diff, const poldiff_level_t * level);
+
+/**
+ * Get the name of the level (i.e., the sensitivity) from a level diff.
+ *
+ * @param level The level from which to get the name.
+ *
+ * @return Name of the level on success and NULL on failure; if the
+ * call fails, errno will be set. The caller should not free the
+ * returned string.
+ */
+ extern const char *poldiff_level_get_name(const poldiff_level_t * level);
+
+/**
+ * Get the form of difference from a level diff.
+ *
+ * @param level The level from which to get the difference form.
+ *
+ * @return The form of difference (one of POLDIFF_FORM_*) or
+ * POLDIFF_FORM_NONE on error. If the call fails, errno will be set.
+ */
+ extern poldiff_form_e poldiff_level_get_form(const void *level);
+
+/**
+ * Get a vector of unmodified categories from the level. These will
+ * be sorted in the same order as given by the original policy.
+ *
+ * @param level The level diff from which to get the category vector.
+ *
+ * @return A vector of category names (type char *) that are assigned to
+ * the level in the original policy. If no categories were removed the
+ * size of the returned vector will be 0. The caller must not
+ * destroy this vector. On error, errno will be set.
+ */
+ extern const apol_vector_t *poldiff_level_get_unmodified_cats(const poldiff_level_t * level);
+
+/**
+ * Get a vector of categories added to the level. These will be
+ * sorted in the same order as given by the modified policy. If the
+ * level was added by the modified policy then this vector will hold
+ * all of the categories.
+ *
+ * @param level The level diff from which to get the categories.
+ *
+ * @return A vector of category names (type char *) that are assigned
+ * to the level in the modified policy. If no categories were added
+ * the size of the returned vector will be 0. The caller must not
+ * modify this vector. On error, errno will be set.
+ */
+ extern const apol_vector_t *poldiff_level_get_added_cats(const poldiff_level_t * level);
+
+/**
+ * Get a vector of categories removed from the level. These will be
+ * sorted in the same order as given by the original policy. If the
+ * level was removed by the modified policy then this vector will
+ * hold all of the categories.
+ *
+ * @param level The level diff from which to get the category vector.
+ *
+ * @return A vector of category names (type char *) that are assigned to
+ * the level in the original policy. If no categories were removed the
+ * size of the returned vector will be 0. The caller must not
+ * destroy this vector. On error, errno will be set.
+ */
+ extern const apol_vector_t *poldiff_level_get_removed_cats(const poldiff_level_t * level);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* POLDIFF_LEVEL_DIFF_H */
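Review bot: The doc comment on `poldiff_level_get_unmodified_cats()` is copied from the removed-categories accessor: it says the vector holds categories "assigned to the level in the original policy" and is empty "if no categories were removed", which does not describe the unmodified set; presumably it should read `@return A vector of category names (type char *) assigned to the level in both policies. If no categories are common to both the size of the returned vector will be 0.` `poldiff_level_to_string_brief()` is also the only prototype in the file without `extern`, and the `@return` of `poldiff_level_get_added_cats()` says the caller "must not modify" where every sibling says "must not destroy"; aligning both keeps the ownership contract uniform across the file.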
diff --git a/libpoldiff/include/poldiff/poldiff.h b/libpoldiff/include/poldiff/poldiff.h
new file mode 100644
index 0000000..9047600
--- /dev/null
+++ b/libpoldiff/include/poldiff/poldiff.h
@@ -0,0 +1,218 @@
+/**
+ * @file
+ * Public interface for computing semantic policy differences
+ * between two policies. The user loads two policies, the "original"
+ * and "modified" policies, and then calls poldiff_create() to obtain
+ * a poldiff object. Next call poldiff_run() to actually execute the
+ * differencing algorithm. Results are retrieved via
+ * poldiff_get_type_vector(), poldiff_get_avrule_vector(), and so
+ * forth.
+ *
+ * @author Jeremy A. Mowery jmowery@tresys.com
+ * @author Jason Tang jtang@tresys.com
+ *
+ * Copyright (C) 2006-2007 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef POLDIFF_POLDIFF_H
+#define POLDIFF_POLDIFF_H
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+#include <apol/policy.h>
+#include <apol/policy-query.h>
+#include <apol/vector.h>
+#include <stdarg.h>
+#include <stdint.h>
+
+ typedef struct poldiff poldiff_t;
+
+/**
+ * Form of a difference. This enumeration describes the kind of change
+ * in a policy component or rule from policy1 to policy2.
+ * Differences can be additions (item present only in policy2),
+ * removals (item present only in policy1) or a modification
+ * (item present in both policies with different semantic meaning).
+ * For rules there are two more options - added or removed due to a
+ * type being added or removed; these forms differentiate these cases
+ * from those of added/removed rules where the types exist in both policies.
+ */
+ typedef enum poldiff_form
+ {
+ /** only for error conditions */
+ POLDIFF_FORM_NONE,
+ /** item was added - only in policy 2 */
+ POLDIFF_FORM_ADDED,
+ /** item was removed - only in policy 1 */
+ POLDIFF_FORM_REMOVED,
+ /** item was modified - in both policies but with different meaning */
+ POLDIFF_FORM_MODIFIED,
+ /** item was added due to an added type - for rules only */
+ POLDIFF_FORM_ADD_TYPE,
+ /** item was removed due to a removed type - for rules only */
+ POLDIFF_FORM_REMOVE_TYPE
+ } poldiff_form_e;
+
+ typedef void (*poldiff_handle_fn_t) (void *arg, const poldiff_t * diff, int level, const char *fmt, va_list va_args);
+
+#include <poldiff/attrib_diff.h>
+#include <poldiff/avrule_diff.h>
+#include <poldiff/cat_diff.h>
+#include <poldiff/bool_diff.h>
+#include <poldiff/class_diff.h>
+#include <poldiff/level_diff.h>
+#include <poldiff/range_diff.h>
+#include <poldiff/range_trans_diff.h>
+#include <poldiff/rbac_diff.h>
+#include <poldiff/role_diff.h>
+#include <poldiff/terule_diff.h>
+#include <poldiff/type_diff.h>
+#include <poldiff/user_diff.h>
+#include <poldiff/type_map.h>
+#include <poldiff/util.h>
+
+/* NOTE: while defined OCONS are not currently supported */
+#define POLDIFF_DIFF_CLASSES 0x00000001U
+#define POLDIFF_DIFF_COMMONS 0x00000002U
+#define POLDIFF_DIFF_TYPES 0x00000004U
+#define POLDIFF_DIFF_ATTRIBS 0x00000008U
+#define POLDIFF_DIFF_ROLES 0x00000010U
+#define POLDIFF_DIFF_USERS 0x00000020U
+#define POLDIFF_DIFF_BOOLS 0x00000040U
+#define POLDIFF_DIFF_LEVELS 0x00000080U
+#define POLDIFF_DIFF_CATS 0x00000100U
+#define POLDIFF_DIFF_ROLE_ALLOWS 0x00000800U
+#define POLDIFF_DIFF_ROLE_TRANS 0x00001000U
+#define POLDIFF_DIFF_RANGE_TRANS 0x00002000U
+#define POLDIFF_DIFF_AVALLOW 0x10000000U
+#define POLDIFF_DIFF_AVAUDITALLOW 0x20000000U
+#define POLDIFF_DIFF_AVDONTAUDIT 0x40000000U
+#define POLDIFF_DIFF_AVNEVERALLOW 0x80000000U
+#define POLDIFF_DIFF_TECHANGE 0x01000000U
+#define POLDIFF_DIFF_TEMEMBER 0x02000000U
+#define POLDIFF_DIFF_TETRANS 0x04000000U
+
+#define POLDIFF_DIFF_TERULES_COMPAT 0x00000400U /**< deprecated */
+#define POLDIFF_DIFF_AVRULES_COMPAT 0x00000200U /**< deprecated */
+
+#define POLDIFF_DIFF_AVRULES (POLDIFF_DIFF_AVALLOW | POLDIFF_DIFF_AVNEVERALLOW | POLDIFF_DIFF_AVAUDITALLOW | POLDIFF_DIFF_AVDONTAUDIT)
+#define POLDIFF_DIFF_TERULES (POLDIFF_DIFF_TEMEMBER | POLDIFF_DIFF_TECHANGE | POLDIFF_DIFF_TETRANS)
+/*
+ * Add ocons here and modify POLDIFF_DIFF_OCONS below
+ * #define POLDIFF_DIFF_ *
+ */
+#define POLDIFF_DIFF_SYMBOLS (POLDIFF_DIFF_CLASSES|POLDIFF_DIFF_COMMONS|POLDIFF_DIFF_TYPES|POLDIFF_DIFF_ATTRIBS|POLDIFF_DIFF_ROLES|POLDIFF_DIFF_USERS|POLDIFF_DIFF_BOOLS)
+#define POLDIFF_DIFF_RULES (POLDIFF_DIFF_AVRULES|POLDIFF_DIFF_TERULES|POLDIFF_DIFF_ROLE_ALLOWS|POLDIFF_DIFF_ROLE_TRANS)
+#define POLDIFF_DIFF_RBAC (POLDIFF_DIFF_ROLES|POLDIFF_DIFF_ROLE_ALLOWS|POLDIFF_DIFF_ROLE_TRANS)
+#define POLDIFF_DIFF_MLS (POLDIFF_DIFF_LEVELS|POLDIFF_DIFF_CATS|POLDIFF_DIFF_RANGE_TRANS)
+#define POLDIFF_DIFF_OCONS 0
+#define POLDIFF_DIFF_REMAPPED (POLDIFF_DIFF_TYPES|POLDIFF_DIFF_ATTRIBS|POLDIFF_DIFF_AVRULES|POLDIFF_DIFF_TERULES|POLDIFF_DIFF_ROLES|POLDIFF_DIFF_ROLE_TRANS|POLDIFF_DIFF_RANGE_TRANS|POLDIFF_DIFF_OCONS)
+#define POLDIFF_DIFF_ALL (POLDIFF_DIFF_SYMBOLS|POLDIFF_DIFF_RULES|POLDIFF_DIFF_MLS|POLDIFF_DIFF_OCONS)
+
+/**
+ * Allocate and initialize a new policy difference structure. This
+ * function takes ownership of the supplied policies and will handle
+ * their destruction upon poldiff_destroy(). The poldiff object will
+ * be responsible for rebuilding the policy (such as if neverallows
+ * are requested). It is still safe to access elements within the
+ * policies, but avoid making changes to the policy while the poldiff
+ * object still exists.
+ * @param orig_policy The original policy.
+ * @param mod_policy The new (modified) policy.
+ * @param fn Function to be called by the error handler. If NULL
+ * then write messages to standard error.
+ * @param callback_arg Argument for the callback.
+ * @return a newly allocated and initialized difference structure or
+ * NULL on error; if the call fails, errno will be set.
+ * The caller is responsible for calling poldiff_destroy() to free
+ * memory used by this structure.
+ */
+ extern poldiff_t *poldiff_create(apol_policy_t * orig_policy,
+ apol_policy_t * mod_policy, poldiff_handle_fn_t fn, void *callback_arg);
+
+/**
+ * Free all memory used by a policy difference structure and set it to NULL.
+ * @param diff Reference pointer to the difference structure to destroy.
+ * This pointer will be set to NULL. (If already NULL, function is a no-op.)
+ */
+ extern void poldiff_destroy(poldiff_t ** diff);
+
+/**
+ * Run the difference algorithm for the selected policy components/rules.
+ * @param diff The policy difference structure for which to compute
+ * the differences.
+ * @param flags Bit-wise or'd set of POLDIFF_DIFF_* from above indicating
+ * the components and rules for which to compute the difference.
+ * If an item has already been computed the flag for that item is ignored.
+ * @return 0 on success or < 0 on error; if the call fails, errno will
+ * be set and the only defined operation on the difference structure is
+ * poldiff_destroy().
+ */
+ extern int poldiff_run(poldiff_t * diff, uint32_t flags);
+
+/**
+ * Determine if a particular policy component/rule diff was actually
+ * run yet or not.
+ * @param diff The policy difference structure for which to compute
+ * the differences.
+ * @param flags Bit-wise or'd set of POLDIFF_DIFF_* from above indicating
+ * which components/rules diffs were run.
+ * @return 1 if all indicated diffs were run, 0 if any were not, < 0
+ * on error.
+ */
+ extern int poldiff_is_run(const poldiff_t * diff, uint32_t flags);
+
+/**
+ * Get a total of the differences of each form for a given item (or set
+ * of items).
+ * @param diff The policy difference structure from which to get the stats.
+ * @param flags Bit-wise or'd set of POLDIFF_DIFF_* from above indicating
+ * the items for which to get the total differences. If more that one bit
+ * is set differences of the same form are totaled for all specified items.
+ * @param stats Array into which to write the numbers (array must be
+ * pre-allocated). The order of the values written to the array is as follows:
+ * number of items of form POLDIFF_FORM_ADDED, number of POLDIFF_FORM_REMOVED,
+ * number of POLDIFF_FORM_MODIFIED, number of form POLDIFF_FORM_ADD_TYPE, and
+ * number of POLDIFF_FORM_REMOVE_TYPE.
+ * @return 0 on success and < 0 on error; if the call fails, errno will be set.
+ */
+ extern int poldiff_get_stats(const poldiff_t * diff, uint32_t flags, size_t stats[5]);
+
+/**
+ * Enable line numbers for all rule differences. If not called, line
+ * numbers will not be available when displaying differences. This
+ * function is safe to call multiple times and will have no effect
+ * after the first time. It also has no effect if one policy (or
+ * both of them) does not support line numbers. Be aware that line
+ * numbers will need to be re-enabled each time poldiff_run() is
+ * called.
+ *
+ * @param diff The policy difference structure.
+ *
+ * @return 0 on success and < 0 on failure; if the call fails,
+ * errno will be set and the difference structure should be destroyed.
+ */
+ extern int poldiff_enable_line_numbers(poldiff_t * diff);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* POLDIFF_POLDIFF_H */
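Review bot: `poldiff_handle_fn_t` has no doc comment, although it is the error-handler callback every caller of `poldiff_create()` may supply: what `arg` is, what `level` means, and that `fmt`/`va_args` are a vprintf-style pair are all left to the reader. A comment above the typedef should state that `arg` is the `callback_arg` passed to `poldiff_create()`, that `fmt` is a format string chosen by the library and must be handed to a `v*printf` function rather than printed as data, and which values `level` can take (not determinable from this header). The block of component `#include`s after the enum also deserves a one-line comment such as `/* Component headers must follow the typedefs above: each includes this header back and relies on the guard. */`, since moving them up would presumably leave `poldiff_t` undefined inside them. The `@param diff` text on `poldiff_is_run()` is copied from `poldiff_run()` and still says "for which to compute the differences".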
diff --git a/libpoldiff/include/poldiff/range_diff.h b/libpoldiff/include/poldiff/range_diff.h
new file mode 100644
index 0000000..fcdd846
--- /dev/null
+++ b/libpoldiff/include/poldiff/range_diff.h
@@ -0,0 +1,129 @@
+/**
+ * @file
+ * Public interface for returning the differences in MLS ranges.
+ * Obtain a range difference object from its respective policy
+ * component (e.g., a user's assigned range). The individual level
+ * difference querying functions are in the level_diff.h header.
+ *
+ * @author Jeremy A. Mowery jmowery@tresys.com
+ * @author Jason Tang jtang@tresys.com
+ *
+ * Copyright (C) 2007 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef POLDIFF_RANGE_DIFF_H
+#define POLDIFF_RANGE_DIFF_H
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+#include <apol/mls-query.h>
+#include <apol/vector.h>
+#include <poldiff/poldiff.h>
+
+ typedef struct poldiff_range poldiff_range_t;
+
+/**
+ * Allocate and return a string that represents the differences
+ * encoded by the given range. The returned string is suitable for
+ * embedding within another item's to_string() display.
+ *
+ * @param diff Poldiff diff structure containing policies.
+ * @param range Range object to render.
+ *
+ * @return Rendered string, or NULL upon error. Caller must free()
+ * string afterwards.
+ */
+ char *poldiff_range_to_string_brief(const poldiff_t * diff, const poldiff_range_t * range);
+
+/**
+ * Get the vector of level differences from a range diffence object.
+ *
+ * @param range Range object to query.
+ *
+ * @return A vector of elements of type poldiff_level_t, or NULL on
+ * error. The caller should <b>not</b> modify the returned vector.
+ */
+ extern apol_vector_t *poldiff_range_get_levels(const poldiff_range_t * range);
+
+/**
+ * Get the original item's range. This could represent a user's
+ * original assigned range or the original target range for a
+ * range_transition. If there was no original range (such as for
+ * items that are added) then this returns NULL.
+ *
+ * @param range Range object to query.
+ *
+ * @return Original range, or NULL upon error or no range available.
+ * The caller should <b>not</b> modify the returned object.
+ */
+ extern const apol_mls_range_t *poldiff_range_get_original_range(const poldiff_range_t * range);
+
+/**
+ * Get the modified item's range. This could represent a user's
+ * modified assigned range or the modified target range for a
+ * range_transition. If there was no original range (such as for
+ * items that are removed) then this returns NULL.
+ *
+ * @param range Range object to query.
+ *
+ * @return Modified range, or NULL upon error or no range available.
+ * The caller should <b>not</b> modify the returned object.
+ */
+ extern const apol_mls_range_t *poldiff_range_get_modified_range(const poldiff_range_t * range);
+
+/**
+ * Get the vector of categories added to the minimum set from a range
+ * diffence object.
+ *
+ * @param range Range object to query.
+ *
+ * @return A vector of elements of type string, or NULL on
+ * error. The caller should <b>not</b> modify the returned vector.
+ */
+
+ extern apol_vector_t *poldiff_range_get_min_added_cats(const poldiff_range_t * range);
+
+/**
+ * Get the vector of categories removed from the minimum set from a
+ * range diffence object.
+ *
+ * @param range Range object to query.
+ *
+ * @return A vector of elements of type string, or NULL on
+ * error. The caller should <b>not</b> modify the returned vector.
+ */
+ extern apol_vector_t *poldiff_range_get_min_removed_cats(const poldiff_range_t * range);
+
+/**
+ * Get the vector of unmodified categories of the minimum set from a
+ * range diffence object.
+ *
+ * @param range Range object to query.
+ *
+ * @return A vector of elements of type string, or NULL on
+ * error. The caller should <b>not</b> modify the returned vector.
+ */
+ extern apol_vector_t *poldiff_range_get_min_unmodified_cats(const poldiff_range_t * range);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* POLDIFF_RANGE_DIFF_H */
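Review bot: `poldiff_range_get_levels` and the three `poldiff_range_get_min_*_cats` accessors return a non-const `apol_vector_t *` while their comments say the caller must not modify the vector; the other headers in this commit express that contract in the type with `const apol_vector_t *`, so these should too, e.g. `extern const apol_vector_t *poldiff_range_get_levels(const poldiff_range_t * range);`. `poldiff_range_to_string_brief` is the only declaration in the header without the `extern` the rest use, and the blank line between the doc comment and `poldiff_range_get_min_added_cats` will detach that comment from its declaration in Doxygen. The comments also spell "difference" as "diffence" four times.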
diff --git a/libpoldiff/include/poldiff/range_trans_diff.h b/libpoldiff/include/poldiff/range_trans_diff.h
new file mode 100644
index 0000000..ee6dc5b
--- /dev/null
+++ b/libpoldiff/include/poldiff/range_trans_diff.h
@@ -0,0 +1,140 @@
+/**
+ * @file
+ * Public interface for computing semantic differences in range
+ * transition rules.
+ *
+ * @author Jeremy A. Mowery jmowery@tresys.com
+ * @author Jason Tang jtang@tresys.com
+ *
+ * Copyright (C) 2007 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef POLDIFF_RANGETRANS_DIFF_H
+#define POLDIFF_RANGETRANS_DIFF_H
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+#include <apol/mls-query.h>
+#include <apol/vector.h>
+#include <poldiff/poldiff.h>
+
+ typedef struct poldiff_range_trans poldiff_range_trans_t;
+
+/**
+ * Get an array of statistics for the number of differences of each
+ * form for range transition rules.
+ *
+ * @param diff The policy difference structure from which to get the
+ * stats.
+ * @param stats Array into which to write the numbers (array must be
+ * pre-allocated). The order of the values written to the array is
+ * as follows: number of items of form POLDIFF_FORM_ADDED, number of
+ * POLDIFF_FORM_REMOVED, number of POLDIFF_FORM_MODIFIED, number of
+ * POLDIFF_FORM_ADD_TYPE, and number of POLDIFF_FORM_REMOVE_TYPE.
+ */
+ extern void poldiff_range_trans_get_stats(const poldiff_t * diff, size_t stats[5]);
+
+/**
+ * Get the vector of range transition differences from the policy
+ * difference structure.
+ *
+ * @param diff The policy difference structure from which to get the
+ * differences.
+ *
+ * @return A vector of elements of type poldiff_range_trans_t, or
+ * NULL on error. The caller should <b>not</b> destroy the vector
+ * returned. If the call fails, errno will be set.
+ */
+ extern const apol_vector_t *poldiff_get_range_trans_vector(const poldiff_t * diff);
+
+/**
+ * Obtain a newly allocated string representation of a difference in
+ * a range transition rule.
+ *
+ * @param diff The policy difference structure associated with the rule.
+ * @param range_trans The range transition diff from which to
+ * generate the string.
+ *
+ * @return A string representation of the rule difference; the caller is
+ * responsible for free()ing this string. On error, return NULL and
+ * set errno.
+ */
+ extern char *poldiff_range_trans_to_string(const poldiff_t * diff, const void *range_trans);
+
+/**
+ * Get the name of the source type from a range transition diff.
+ *
+ * @param range_trans The rule from which to get the source type.
+ *
+ * @return Name of the source type on success and NULL on failure; if the
+ * call fails, errno will be set. The caller should not free the
+ * returned string.
+ */
+ extern const char *poldiff_range_trans_get_source_type(const poldiff_range_trans_t * range_trans);
+
+/**
+ * Get the name of the target type from a range transition diff.
+ *
+ * @param range_trans The rule from which to get the target type.
+ *
+ * @return Name of the target type on success and NULL on failure; if
+ * the call fails, errno will be set. The caller should not free the
+ * returned string.
+ */
+ extern const char *poldiff_range_trans_get_target_type(const poldiff_range_trans_t * range_trans);
+
+/**
+ * Get the name of the target object class from a range transition
+ * diff.
+ *
+ * @param range_trans The rule from which to get the target class.
+ *
+ * @return Name of the target class on success and NULL on failure;
+ * if the call fails, errno will be set. The caller should not free
+ * the returned string.
+ */
+ extern const char *poldiff_range_trans_get_target_class(const poldiff_range_trans_t * range_trans);
+
+/**
+ * Get the change in target range from a range transition diff.
+ *
+ * @param range_trans The rule from which to get the target range.
+ *
+ * @return Rule's target range on success, or NULL upon error or if
+ * there is no difference in range. Do not modify the returned value.
+ */
+ extern const poldiff_range_t *poldiff_range_trans_get_range(const poldiff_range_trans_t * range_trans);
+
+/**
+ * Get the form of difference from a range transition diff.
+ *
+ * @param range_trans The range transition rule from which to get the
+ * difference form.
+ *
+ * @return The form of difference (one of POLDIFF_FORM_*) or
+ * POLDIFF_FORM_NONE on error. If the call fails, errno will be set.
+ */
+ extern poldiff_form_e poldiff_range_trans_get_form(const void *range_trans);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* POLDIFF_RANGETRANS_DIFF_H */
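Review bot: `poldiff_range_trans_get_stats` returns `void`, so unlike `poldiff_get_stats` in poldiff.h (which returns < 0 and sets errno) it has no way to tell the caller that `diff` is NULL or that the range-transition pass has not been run, and the comment does not say what `stats` holds in that case. Since the signature is shared by every `*_get_stats` in this commit, at least document the precondition, e.g. `* The range transition diff must have been run (see poldiff_run()); otherwise the contents of stats are unspecified.` — adjust the wording to whatever the implementation actually does. `poldiff_range_trans_to_string` and `poldiff_range_trans_get_form` take `const void *` while the other accessors take `const poldiff_range_trans_t *`; presumably this matches a generic callback signature, and a one-line comment saying so would stop readers from "fixing" it.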
diff --git a/libpoldiff/include/poldiff/rbac_diff.h b/libpoldiff/include/poldiff/rbac_diff.h
new file mode 100644
index 0000000..200beb3
--- /dev/null
+++ b/libpoldiff/include/poldiff/rbac_diff.h
@@ -0,0 +1,251 @@
+/**
+ * @file
+ * Public interface for computing semantic differences in role
+ * allow rules and role_transition rules.
+ *
+ * @author Jeremy A. Mowery jmowery@tresys.com
+ * @author Jason Tang jtang@tresys.com
+ *
+ * Copyright (C) 2006-2007 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef POLDIFF_RBAC_DIFF_H
+#define POLDIFF_RBAC_DIFF_H
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+#include <apol/vector.h>
+#include <poldiff/poldiff.h>
+
+ typedef struct poldiff_role_allow poldiff_role_allow_t;
+ typedef struct poldiff_role_trans poldiff_role_trans_t;
+
+/**
+ * Get an array of statistics for the number of differences of each
+ * form for role allow rules.
+ *
+ * @param diff The policy difference structure from which to get the
+ * stats.
+ * @param stats Array into which to write the numbers (array must be
+ * pre-allocated). The order of the values written to the array is
+ * as follows: number of items of form POLDIFF_FORM_ADDED, number of
+ * POLDIFF_FORM_REMOVED, number of POLDIFF_FORM_MODIFIED, number of
+ * POLDIFF_FORM_ADD_TYPE, and number of POLDIFF_FORM_REMOVE_TYPE.
+ */
+ extern void poldiff_role_allow_get_stats(const poldiff_t * diff, size_t stats[5]);
+
+/**
+ * Get the vector of role allow differences from the policy difference
+ * structure.
+ *
+ * @param diff The policy difference structure from which to get the
+ * differences.
+ *
+ * @return A vector of elements of type poldiff_role_allow_t, or NULL on
+ * error. The caller should <b>not</b> destroy the vector
+ * returned. If the call fails, errno will be set.
+ */
+ extern const apol_vector_t *poldiff_get_role_allow_vector(const poldiff_t * diff);
+
+/**
+ * Obtain a newly allocated string representation of a difference in
+ * a role allow rule.
+ *
+ * @param diff The policy difference structure associated with the rule.
+ * @param role_allow The role from which to generate the string.
+ *
+ * @return A string representation of the rule difference; the caller is
+ * responsible for free()ing this string. On error, return NULL and
+ * set errno.
+ */
+ extern char *poldiff_role_allow_to_string(const poldiff_t * diff, const void *role_allow);
+
+/**
+ * Get the name of the source role from a role allow diff.
+ *
+ * @param role_allow The rule allow from which to get the source role name.
+ *
+ * @return Name of the source role on success and NULL on failure; if the
+ * call fails, errno will be set. The caller should not free the
+ * returned string.
+ */
+ extern const char *poldiff_role_allow_get_name(const poldiff_role_allow_t * role_allow);
+
+/**
+ * Get the form of difference from a role allow diff.
+ *
+ * @param role_allow The role allow rule from which to get the difference form.
+ *
+ * @return The form of difference (one of POLDIFF_FORM_*) or
+ * POLDIFF_FORM_NONE on error. If the call fails, errno will be set.
+ */
+ extern poldiff_form_e poldiff_role_allow_get_form(const void *role_allow);
+
+/**
+ * Get a vector of roles unmodified by the role allow rule. The
+ * vector will be non-empty only if the form is
+ * POLDIFF_FORM_MODIFIED.
+ *
+ * @param role_allow The role allow diff from which to get the roles
+ * vector.
+ *
+ * @return A vector of role names (type char *) that are in both
+ * policies. If no roles are common to both policies then the size
+ * of the returned vector will be 0. The caller must not destroy
+ * this vector. The caller must not destroy this vector.
+ */
+ extern const apol_vector_t *poldiff_role_allow_get_unmodified_roles(const poldiff_role_allow_t * role_allow);
+
+/**
+ * Get a vector of roles added to the role allow rule. If the role
+ * allow was added by the modified policy then this vector will hold
+ * all of the roles.
+ *
+ * @param role_allow The role allow diff from which to get the roles
+ * vector.
+ *
+ * @return A vector of role names (type char *) that are allowed to
+ * the role in the modified policy. If no roles were added the size
+ * of the returned vector will be 0. The caller must not destroy
+ * this vector.
+ */
+ extern const apol_vector_t *poldiff_role_allow_get_added_roles(const poldiff_role_allow_t * role_allow);
+
+/**
+ * Get a vector of roles removed from the role allow rule. If the
+ * role allow was removed by the modified policy then this vector
+ * will hold all of the roles.
+ *
+ * @param role_allow The role allow diff from which to get the roles
+ * vector.
+ *
+ * @return A vector of role names (type char *) that are allowed to
+ * the role in the original policy. If no roles were removed the
+ * size of the returned vector will be 0. The caller must not
+ * destroy this vector.
+ */
+ extern const apol_vector_t *poldiff_role_allow_get_removed_roles(const poldiff_role_allow_t * role_allow);
+
+/**
+ * Get an array of statistics for the number of differences of each
+ * form for role_transition rules.
+ *
+ * @param diff The policy difference structure from which to get the
+ * stats.
+ * @param stats Array into which to write the numbers (array must be
+ * pre-allocated). The order of the values written to the array is
+ * as follows: number of items of form POLDIFF_FORM_ADDED, number of
+ * POLDIFF_FORM_REMOVED, number of POLDIFF_FORM_MODIFIED, number of
+ * POLDIFF_FORM_ADD_TYPE, and number of POLDIFF_FORM_REMOVE_TYPE.
+ */
+ extern void poldiff_role_trans_get_stats(const poldiff_t * diff, size_t stats[5]);
+
+/**
+ * Get the vector of role_transition differences from the policy difference
+ * structure.
+ *
+ * @param diff The policy difference structure from which to get the
+ * differences.
+ *
+ * @return A vector of elements of type poldiff_role_trans_t, or NULL on
+ * error. The caller should <b>not</b> destroy the vector
+ * returned. If the call fails, errno will be set.
+ */
+ extern const apol_vector_t *poldiff_get_role_trans_vector(const poldiff_t * diff);
+
+/**
+ * Obtain a newly allocated string representation of a difference in
+ * a role_transition rule.
+ *
+ * @param diff The policy difference structure associated with the rule.
+ * @param role_trans The rule from which to generate the string.
+ *
+ * @return A string representation of the rule difference; the caller is
+ * responsible for free()ing this string. On error, return NULL and
+ * set errno.
+ */
+ extern char *poldiff_role_trans_to_string(const poldiff_t * diff, const void *role_trans);
+
+/**
+ * Get the name of the source role from a role_transition difference.
+ *
+ * @param role_trans The rule from which to get the source role.
+ *
+ * @return Name of the source role on success and NULL on failure;
+ * if the call fails, errno will be set. The caller should not free the
+ * returned string.
+ */
+ extern const char *poldiff_role_trans_get_source_role(const poldiff_role_trans_t * role_trans);
+
+/**
+ * Get the name of the target type from a role_transition difference.
+ *
+ * @param role_trans The rule from which to get the target type.
+ *
+ * @return Name of the target type on success and NULL on failure;
+ * if the call fails, errno will be set. The caller should not free the
+ * returned string.
+ */
+ extern const char *poldiff_role_trans_get_target_type(const poldiff_role_trans_t * role_trans);
+
+/**
+ * Get the form of difference from a role_transition diff.
+ *
+ * @param role_trans The role_transition rule from which to get the
+ * difference form.
+ *
+ * @return The form of difference (one of POLDIFF_FORM_*) or
+ * POLDIFF_FORM_NONE on error. If the call fails, errno will be set.
+ */
+ extern poldiff_form_e poldiff_role_trans_get_form(const void *role_trans);
+
+/**
+ * Get the original default type from a role_transition diff. Note that
+ * if this rule was added (form POLDIFF_FORM_ADDED or POLDIFF_FORM_ADD_TYPE)
+ * then the return value will be NULL.
+ *
+ * @param role_trans The role_transition rule from which to get the
+ * original default role.
+ *
+ * @return Name of the original default role. If there was no original role or
+ * upon error then return NULL. The caller should not free the returned
+ * string.
+ */
+ extern const char *poldiff_role_trans_get_original_default(const poldiff_role_trans_t * role_trans);
+
+/**
+ * Get the modified default type from a role_transition diff. Note that if
+ * this rule was removed (form POLDIFF_FORM_REMOVED or
+ * POLDIFF_FORM_REMOVE_TYPE) then the return value will be NULL.
+ *
+ * @param role_trans The role_transition rule from which to get the
+ * modified default role.
+ *
+ * @return Name of the modified default role. If there was no modified role or
+ * upon error then return NULL. The caller should not free the returned
+ * string.
+ */
+ extern const char *poldiff_role_trans_get_modified_default(const poldiff_role_trans_t * role_trans);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* POLDIFF_RBAC_DIFF_H */
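Review bot: The summary lines of `poldiff_role_trans_get_original_default` and `poldiff_role_trans_get_modified_default` say "default type", but their @param and @return text say "default role", and a role_transition rule's default is a role; the summaries should read `* Get the original default role from a role_transition diff. Note that` (and likewise "modified default role"). `poldiff_role_allow_get_unmodified_roles` ends with the sentence "The caller must not destroy this vector." twice, and `poldiff_role_allow_get_name` describes its parameter as "The rule allow" where "The role allow" is meant.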
diff --git a/libpoldiff/include/poldiff/role_diff.h b/libpoldiff/include/poldiff/role_diff.h
new file mode 100644
index 0000000..9526cb5
--- /dev/null
+++ b/libpoldiff/include/poldiff/role_diff.h
@@ -0,0 +1,127 @@
+/**
+ * @file
+ * Public interface for computing semantic differences in roles.
+ *
+ * @author Jeremy A. Mowery jmowery@tresys.com
+ * @author Jason Tang jtang@tresys.com
+ *
+ * Copyright (C) 2006-2007 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef POLDIFF_ROLE_DIFF_H
+#define POLDIFF_ROLE_DIFF_H
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+#include <apol/vector.h>
+#include <poldiff/poldiff.h>
+
+ typedef struct poldiff_role poldiff_role_t;
+
+/**
+ * Get an array of statistics for the number of differences of each
+ * form for roles.
+ *
+ * @param diff The policy difference structure from which to get the
+ * stats.
+ * @param stats Array into which to write the numbers (array must be
+ * pre-allocated). The order of the values written to the array is
+ * as follows: number of items of form POLDIFF_FORM_ADDED, number of
+ * POLDIFF_FORM_REMOVED, number of POLDIFF_FORM_MODIFIED, number of
+ * POLDIFF_FORM_ADD_TYPE, and number of POLDIFF_FORM_REMOVE_TYPE.
+ */
+ extern void poldiff_role_get_stats(const poldiff_t * diff, size_t stats[5]);
+
+/**
+ * Get the vector of role differences from the role difference
+ * summary.
+ *
+ * @param diff The policy difference structure associated with the
+ * role difference summary.
+ *
+ * @return A vector of elements of type poldiff_role_t, or NULL on
+ * error. The caller should <b>not</b> destroy the vector
+ * returned. If the call fails, errno will be set.
+ */
+ extern const apol_vector_t *poldiff_get_role_vector(const poldiff_t * diff);
+
+/**
+ * Obtain a newly allocated string representation of a difference in
+ * a role.
+ *
+ * @param diff The policy difference structure associated with the role.
+ * @param role The role from which to generate the string.
+ *
+ * @return A string representation of role difference; the caller is
+ * responsible for free()ing this string. On error, return NULL and
+ * set errno.
+ */
+ extern char *poldiff_role_to_string(const poldiff_t * diff, const void *role);
+
+/**
+ * Get the name of the role from a role diff.
+ *
+ * @param role The role from which to get the name.
+ *
+ * @return Name of the role on success and NULL on failure; if the
+ * call fails, errno will be set. The caller should not free the
+ * returned string.
+ */
+ extern const char *poldiff_role_get_name(const poldiff_role_t * role);
+
+/**
+ * Get the form of difference from a role diff.
+ *
+ * @param role The role from which to get the difference form.
+ *
+ * @return The form of difference (one of POLDIFF_FORM_*) or
+ * POLDIFF_FORM_NONE on error. If the call fails, errno will be set.
+ */
+ extern poldiff_form_e poldiff_role_get_form(const void *role);
+
+/**
+ * Get a vector of types added to the role.
+ *
+ * @param role The role diff from which to get the types vector.
+ *
+ * @return a vector of type names (type char *) that are allowed to
+ * the role in the modified policy. If no types were added the size
+ * of the returned vector will be 0. The caller must not destroy
+ * this vector. On error, errno will be set.
+ */
+ extern const apol_vector_t *poldiff_role_get_added_types(const poldiff_role_t * role);
+
+/**
+ * Get a vector of types removed from the role.
+ *
+ * @param role The role diff from which to get the types vector.
+ *
+ * @return A vector of type names (type char *) that are allowed to
+ * the role in the original policy. If no types were removed the
+ * size of the returned vector will be 0. The caller must not
+ * destroy this vector. On error, errno will be set.
+ */
+ extern const apol_vector_t *poldiff_role_get_removed_types(const poldiff_role_t * role);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* POLDIFF_ROLE_DIFF_H */
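Review bot: `poldiff_role_get_added_types` and `poldiff_role_get_removed_types` say "On error, errno will be set" but never state what is returned on error, while `poldiff_get_role_vector` above spells out "or NULL on error"; a caller reading only these comments may assume a non-NULL vector is always returned and dereference NULL. If the implementation returns NULL on failure, make the @return say so, e.g. `* this vector. On error, errno will be set and NULL is returned.` for both accessors; if it returns something else, document that instead.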
diff --git a/libpoldiff/include/poldiff/terule_diff.h b/libpoldiff/include/poldiff/terule_diff.h
new file mode 100644
index 0000000..6d09e9d
--- /dev/null
+++ b/libpoldiff/include/poldiff/terule_diff.h
@@ -0,0 +1,262 @@
+/**
+ * @file
+ * Public interface for computing semantic differences in te rules
+ * (type_transition, type_change, type_member).
+ *
+ * @author Jeremy A. Mowery jmowery@tresys.com
+ * @author Jason Tang jtang@tresys.com
+ *
+ * Copyright (C) 2006-2007 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef POLDIFF_TERULE_DIFF_H
+#define POLDIFF_TERULE_DIFF_H
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+#include <apol/vector.h>
+#include <poldiff/poldiff.h>
+
+ typedef struct poldiff_terule poldiff_terule_t;
+
+/**
+ * Get an array of statistics for the number of differences of each
+ * form for TE type_change rules.
+ *
+ * @param diff The policy difference structure from which to get the
+ * stats.
+ * @param stats Array into which to write the numbers (array must be
+ * pre-allocated). The order of the values written to the array is
+ * as follows: number of items of form POLDIFF_FORM_ADDED, number of
+ * POLDIFF_FORM_REMOVED, number of POLDIFF_FORM_MODIFIED, number of
+ * POLDIFF_FORM_ADD_TYPE, and number of POLDIFF_FORM_REMOVE_TYPE.
+ */
+ extern void poldiff_terule_get_stats_change(const poldiff_t * diff, size_t stats[5]);
+
+/**
+ * Get an array of statistics for the number of differences of each
+ * form for TE type_member rules.
+ *
+ * @param diff The policy difference structure from which to get the
+ * stats.
+ * @param stats Array into which to write the numbers (array must be
+ * pre-allocated). The order of the values written to the array is
+ * as follows: number of items of form POLDIFF_FORM_ADDED, number of
+ * POLDIFF_FORM_REMOVED, number of POLDIFF_FORM_MODIFIED, number of
+ * POLDIFF_FORM_ADD_TYPE, and number of POLDIFF_FORM_REMOVE_TYPE.
+ */
+ extern void poldiff_terule_get_stats_member(const poldiff_t * diff, size_t stats[5]);
+
+/**
+ * Get an array of statistics for the number of differences of each
+ * form for TE type_transition rules.
+ *
+ * @param diff The policy difference structure from which to get the
+ * stats.
+ * @param stats Array into which to write the numbers (array must be
+ * pre-allocated). The order of the values written to the array is
+ * as follows: number of items of form POLDIFF_FORM_ADDED, number of
+ * POLDIFF_FORM_REMOVED, number of POLDIFF_FORM_MODIFIED, number of
+ * POLDIFF_FORM_ADD_TYPE, and number of POLDIFF_FORM_REMOVE_TYPE.
+ */
+ extern void poldiff_terule_get_stats_trans(const poldiff_t * diff, size_t stats[5]);
+
+/**
+ * Get the vector of te rule differences from the te rule difference
+ * summary for just type_change rules.
+ *
+ * @param diff The policy difference structure associated with the te
+ * rule difference summary.
+ *
+ * @return A vector of elements of type poldiff_terule_t, or NULL on
+ * error. The caller should <b>not</b> destroy the vector returned.
+ * If the call fails, errno will be set.
+ */
+ extern const apol_vector_t *poldiff_get_terule_vector_change(const poldiff_t * diff);
+
+/**
+ * Get the vector of te rule differences from the te rule difference
+ * summary for just type_member rules.
+ *
+ * @param diff The policy difference structure associated with the te
+ * rule difference summary.
+ *
+ * @return A vector of elements of type poldiff_terule_t, or NULL on
+ * error. The caller should <b>not</b> destroy the vector returned.
+ * If the call fails, errno will be set.
+ */
+ extern const apol_vector_t *poldiff_get_terule_vector_member(const poldiff_t * diff);
+
+/**
+ * Get the vector of te rule differences from the te rule difference
+ * summary for just type_transition rules.
+ *
+ * @param diff The policy difference structure associated with the te
+ * rule difference summary.
+ *
+ * @return A vector of elements of type poldiff_terule_t, or NULL on
+ * error. The caller should <b>not</b> destroy the vector returned.
+ * If the call fails, errno will be set.
+ */
+ extern const apol_vector_t *poldiff_get_terule_vector_trans(const poldiff_t * diff);
+
+/**
+ * Obtain a newly allocated string representation of a difference in
+ * a te rule.
+ *
+ * @param diff The policy difference structure associated with the te
+ * rule.
+ * @param terule The te rule from which to generate the string.
+ *
+ * @return A string representation of te rule difference; the caller
+ * is responsible for free()ing this string. On error, return NULL
+ * and set errno.
+ */
+ extern char *poldiff_terule_to_string(const poldiff_t * diff, const void *terule);
+
+/**
+ * Get the form of difference from a te rule diff.
+ *
+ * @param terule The te rule from which to get the difference form.
+ *
+ * @return The form of difference (one of POLDIFF_FORM_*) or
+ * POLDIFF_FORM_NONE on error.
+ */
+ extern poldiff_form_e poldiff_terule_get_form(const void *terule);
+
+/**
+ * Get the type of rule this is from a te rule diff.
+ *
+ * @param avrule The av rule from which to get the rule type.
+ *
+ * @return One of QPOL_RULE_TYPE_TRANS etc, suitable for printing via
+ * apol_rule_type_to_str().
+ */
+ extern uint32_t poldiff_terule_get_rule_type(const poldiff_terule_t * terule);
+
+/**
+ * Get the source type from a te rule diff.
+ *
+ * @param terule The te rule from which to get the type.
+ *
+ * @return A string for the type. <b>Do not free() this string.</b>
+ */
+ extern const char *poldiff_terule_get_source_type(const poldiff_terule_t * terule);
+
+/**
+ * Get the target type from a te rule diff.
+ *
+ * @param terule The te rule from which to get the type.
+ *
+ * @return A string for the type. <b>Do not free() this string.</b>
+ */
+ extern const char *poldiff_terule_get_target_type(const poldiff_terule_t * terule);
+
+/**
+ * Get the object class from a te rule diff.
+ *
+ * @param terule The te rule from which to get the class.
+ *
+ * @return A string for the class. <b>Do not free() this string.</b>
+ */
+ extern const char *poldiff_terule_get_object_class(const poldiff_terule_t * terule);
+
+/**
+ * Get the conditional expression from a te rule diff. Note that
+ * this really returns a qpol_cond_t and an apol_policy_t, which may
+ * then be used in other routines such as apol_cond_expr_render().
+ *
+ * @param diff The policy difference structure from which to get the
+ * stats.
+ * @param terule The te rule from which to get the conditional.
+ * @param cond Reference to the rule's conditional pointer, or NULL
+ * if the rule is not conditional. The caller must not free() this
+ * pointer.
+ * @param which_list Reference to which list the rule belongs, either
+ * 1 if in the true branch, 0 if in false. If the rule is not
+ * conditional then this value will be set to 1.
+ * @param p Reference to the policy from which the conditional
+ * originated, or NULL if the rule is not conditional. The caller
+ * must not destroy this pointer.
+ */
+ extern void poldiff_terule_get_cond(const poldiff_t * diff, const poldiff_terule_t * terule,
+ const qpol_cond_t ** cond, uint32_t * which_list, const apol_policy_t ** p);
+
+/**
+ * Get the original default type for this type rule. Note that if
+ * this rule was added (form POLDIFF_FORM_ADDED or
+ * POLDIFF_FORM_ADD_TYPE) then the return value will be NULL.
+ *
+ * @param terule The te rule diff from which to get the original
+ * default type.
+ *
+ * @return Original default type. If there was no original type or
+ * upon error then return NULL. <b>Do not free() this string.</b>
+ */
+ extern const char *poldiff_terule_get_original_default(const poldiff_terule_t * terule);
+
+/**
+ * Get the modified default type for this type rule. Note that if
+ * this rule was removed (form POLDIFF_FORM_REMOVED or
+ * POLDIFF_FORM_REMOVE_TYPE) then the return value will be NULL.
+ *
+ * @param terule The te rule diff from which to get the modified
+ * default type.
+ *
+ * @return Modified default type. If there was no modified type or
+ * upon error then return NULL. <b>Do not free() this string.</b>
+ */
+ extern const char *poldiff_terule_get_modified_default(const poldiff_terule_t * terule);
+
+/**
+ * Get a vector of line numbers (of type unsigned long) for this te rule
+ * difference from the original policy. Note that if the form is
+ * POLDIFF_FORM_ADDED or POLDIFF_FORM_ADD_TYPE then this will return NULL.
+ * Also, if the original policy is a binary policy or line numbers are not yet
+ * enabled then this returns NULL.
+ * @see poldiff_enable_line_numbers() to enable line numbers.
+ *
+ * @param terule The te rule diff from which to get line numbers.
+ *
+ * @return A vector of line numbers (type unsigned long) for the rule
+ * in the original policy, or NULL if no numbers are available.
+ */
+ extern apol_vector_t *poldiff_terule_get_orig_line_numbers(const poldiff_terule_t * terule);
+
+/**
+ * Get a vector of line numbers (of type unsigned long) for this te rule
+ * difference from the modified policy. Note that if the form is
+ * POLDIFF_FORM_REMOVED or POLDIFF_FORM_REMOVE_TYPE then this will return
+ * NULL. Also, if the modified policy is a binary policy or line numbers are
+ * not yet enabled then this returns NULL.
+ * @see poldiff_enable_line_numbers() to enable line numbers.
+ *
+ * @param terule The te rule diff from which to get line numbers.
+ *
+ * @return A vector of line numbers (type unsigned long) for the rule
+ * in the modified policy, or NULL if no numbers are available.
+ */
+ extern apol_vector_t *poldiff_terule_get_mod_line_numbers(const poldiff_terule_t * terule);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* POLDIFF_TERULE_DIFF_H */
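Review bot: `poldiff_terule_get_rule_type` documents a parameter named `avrule` that does not exist — the parameter is `terule` — so the line should be `* @param terule The te rule from which to get the rule type.`; the `diff` parameter of `poldiff_terule_get_cond` likewise carries the stats functions' copied text "from which to get the stats". `poldiff_terule_get_orig_line_numbers` and `poldiff_terule_get_mod_line_numbers` return a non-const `apol_vector_t *` without saying whether the caller owns it, whereas every other vector getter in this commit states that the caller must not destroy the vector; leaving ownership unstated invites either a leak or a double free, so state it explicitly either way. `poldiff_terule_get_cond` also names `qpol_cond_t` and `apol_policy_t` while the header includes only apol/vector.h and poldiff/poldiff.h; whether those types arrive through poldiff.h cannot be told from this hunk, and an explicit include would make the header self-contained.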
diff --git a/libpoldiff/include/poldiff/type_diff.h b/libpoldiff/include/poldiff/type_diff.h
new file mode 100644
index 0000000..b92795b
--- /dev/null
+++ b/libpoldiff/include/poldiff/type_diff.h
@@ -0,0 +1,132 @@
+/**
+ * @file
+ * Public interface for computing semantic differences of primary
+ * types. Aliases are resolved by the type mapping system
+ * (type_map.h); attributes are found in the attrib_diff.h header
+ * file.
+ *
+ * @author Jeremy A. Mowery jmowery@tresys.com
+ * @author Jason Tang jtang@tresys.com
+ *
+ * Copyright (C) 2006-2007 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef POLDIFF_TYPE_DIFF_H
+#define POLDIFF_TYPE_DIFF_H
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+#include <apol/vector.h>
+#include <poldiff/poldiff.h>
+
+ typedef struct poldiff_type poldiff_type_t;
+
+/**
+ * Get an array of statistics for the number of differences of each
+ * form for types.
+ *
+ * @param diff The policy difference structure from which to get the
+ * stats.
+ * @param stats Array into which to write the numbers (array must be
+ * pre-allocated). The order of the values written to the array is
+ * as follows: number of items of form POLDIFF_FORM_ADDED, number of
+ * POLDIFF_FORM_REMOVED, number of POLDIFF_FORM_MODIFIED, number of
+ * POLDIFF_FORM_ADD_TYPE, and number of POLDIFF_FORM_REMOVE_TYPE.
+ */
+ extern void poldiff_type_get_stats(const poldiff_t * diff, size_t stats[5]);
+
+/**
+ * Get the vector of type differences from the type difference
+ * summary.
+ *
+ * @param diff The policy difference structure associated with the
+ * type difference summary.
+ *
+ * @return A vector of elements of type poldiff_type_t, or NULL on
+ * error. The caller should <b>not</b> destroy the vector
+ * returned. If the call fails, errno will be set.
+ */
+ extern const apol_vector_t *poldiff_get_type_vector(const poldiff_t * diff);
+
+/**
+ * Obtain a newly allocated string representation of a difference in
+ * a type.
+ *
+ * @param diff The policy difference structure associated with the type.
+ * @param type The type from which to generate the string.
+ *
+ * @return A string representation of type difference; the caller is
+ * responsible for free()ing this string. On error, return NULL and
+ * set errno.
+ */
+ extern char *poldiff_type_to_string(const poldiff_t * diff, const void *type);
+
+/**
+ * Get the name of the type from a type diff.
+ *
+ * @param type The type from which to get the name.
+ *
+ * @return Name of the type on success and NULL on failure; if the
+ * call fails, errno will be set. The caller should not free the
+ * returned string.
+ */
+ extern const char *poldiff_type_get_name(const poldiff_type_t * type);
+
+/**
+ * Get the form of difference from a type diff.
+ *
+ * @param cls The type from which to get the difference form.
+ *
+ * @return The form of difference (one of POLDIFF_FORM_*) or
+ * POLDIFF_FORM_NONE on error. If the call fails, errno will be set.
+ */
+ extern poldiff_form_e poldiff_type_get_form(const void *type);
+
+/**
+ * Get a vector of attributes added to the type.
+ *
+ * @param type The type diff from which to get the attribute
+ * vector.
+ *
+ * @return A vector of attribute names (type char *) that are
+ * assigned to the type in the modified policy. If no attributes
+ * were added the size of the returned vector will be 0. The
+ * caller must not destroy this vector. On error, errno will be set.
+ */
+ extern const apol_vector_t *poldiff_type_get_added_attribs(const poldiff_type_t * type);
+
+/**
+ * Get a vector of attributes removed from the type.
+ *
+ * @param type The type diff from which to get the attribute
+ * vector.
+ *
+ * @return A vector of attribute names (type char *) that are
+ * assigned to the type in the original policy. If no attributes
+ * were removed the size of the returned vector will be 0. The
+ * caller must not destroy this vector. On error, errno will be set.
+ */
+ extern const apol_vector_t *poldiff_type_get_removed_attribs(const poldiff_type_t * type);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* POLDIFF_TYPE_DIFF_H */
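Review bot: The Doxygen block for poldiff_type_get_form documents a parameter `cls` that does not exist; the declaration's parameter is `type`, so the line should read `@param cls` → `@param type The type diff from which to get the difference form.`. Separately, poldiff_type_get_form and poldiff_type_to_string take `const void *type` while poldiff_type_get_name and the attrib accessors take `const poldiff_type_t *`, so the compiler cannot catch a caller that passes a poldiff_user_t or a role diff to them. If the `void *` signature is deliberate (for example so these can be used as generic per-element callbacks — not visible from this header), a one-line note such as `/* takes void * so it can serve as a generic callback; the pointer must be a poldiff_type_t */` would keep the next maintainer from "fixing" it or from relying on a type check that is not there.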
diff --git a/libpoldiff/include/poldiff/type_map.h b/libpoldiff/include/poldiff/type_map.h
new file mode 100644
index 0000000..56eb742
--- /dev/null
+++ b/libpoldiff/include/poldiff/type_map.h
@@ -0,0 +1,153 @@
+/**
+ * @file
+ * Public interface for type equivalence mapping for semantic
+ * difference calculations.
+ *
+ * @author Jeremy A. Mowery jmowery@tresys.com
+ * @author Jason Tang jtang@tresys.com
+ *
+ * Copyright (C) 2006-2007 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef POLDIFF_TYPE_MAP_H
+#define POLDIFF_TYPE_MAP_H
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+#include <poldiff/poldiff.h>
+#include <apol/vector.h>
+
+ typedef struct poldiff_type_remap_entry poldiff_type_remap_entry_t;
+
+/**
+ * Note that a type(s) from the original policy should be remapped in
+ * the modified policy. Subsequent diffs will treat type(s) in
+ * orig_names to be equivalent to type(s) in mod_names. The created
+ * remap entry will be marked as enabled.
+ *
+ * It is an error for the size of both vectors to be greater than
+ * one.
+ *
+ * Note that you may only remap primary types, not attributes nor
+ * aliases.
+ *
+ * @param diff The difference structure associated with the types.
+ * Note that renaming a type will reset the status of previously run
+ * difference calculations and they will need to be rerun.
+ * @param orig_names A vector of type names (char *) in the original
+ * policy.
+ * @param mod_name A vector of type names (char *) in the modified
+ * policy to consider equivalent.
+ *
+ * @return 0 on success or < 0 on error; if the call fails, errno
+ * will be set and the poldiff object remains unchanged.
+ */
+ extern int poldiff_type_remap_create(poldiff_t * diff, const apol_vector_t * orig_names, const apol_vector_t * mod_names);
+
+/**
+ * Get a vector of all identified type remap entries. The caller may
+ * then manipulate this list by selectively enabling/disabling
+ * individual entries.
+ *
+ * @param diff The difference structure associated with the types
+ * remaps.
+ *
+ * @return Vector of poldiff_type_remap_entry_t objects. The caller
+ * should not destroy this vector.
+ */
+ extern apol_vector_t *poldiff_type_remap_get_entries(const poldiff_t * diff);
+
+/**
+ * Remove a poldiff_type_remap_entry object. This function will
+ * destroy the entry object afterwards.
+ *
+ * @param diff The difference structure associated with the types
+ * remaps.
+ * @param entry Type remap entry to remove and destroy.
+ */
+ extern void poldiff_type_remap_entry_remove(poldiff_t * diff, poldiff_type_remap_entry_t * entry);
+
+/**
+ * Allocate and return a sorted vector of type names (char *)
+ * corresponding to the original types within a
+ * poldiff_type_remap_entry_t object. The strings themselves are to
+ * be considered immutable; if the caller needs them for future use
+ * it should duplicate them.
+ *
+ * @param diff Difference structure, for error reporting.
+ * @param entry Remap entry from which to get type names.
+ *
+ * @return Vector of type names. The caller is responsible for
+ * calling apol_vector_destroy() afterwards. Upon error return NULL
+ * and set errno.
+ */
+ extern apol_vector_t *poldiff_type_remap_entry_get_original_types(const poldiff_t * diff,
+ const poldiff_type_remap_entry_t * entry);
+
+/**
+ * Allocate and return a sorted vector of type names (char *)
+ * corresponding to the modified types within a
+ * poldiff_type_remap_entry_t object. The strings themselves are to
+ * be considered immutable; if the caller needs them for future use
+ * it should duplicate them.
+ *
+ * @param diff Difference structure, for error reporting.
+ * @param entry Remap entry from which to get type names.
+ *
+ * @return Vector of type names. The caller is responsible for
+ * calling apol_vector_destroy() afterwards. Upon error return NULL
+ * and set errno.
+ */
+ extern apol_vector_t *poldiff_type_remap_entry_get_modified_types(const poldiff_t * diff,
+ const poldiff_type_remap_entry_t * entry);
+
+/**
+ * Given a poldiff_type_remap_entry_t object, determine if was
+ * an inferred mapping or not.
+ *
+ * @param entry Remap entry from which to get its inference status.
+ *
+ * @return 1 if it was inferred, 0 if not, < 0 on error.
+ */
+ extern int poldiff_type_remap_entry_get_is_inferred(const poldiff_type_remap_entry_t * entry);
+
+/**
+ * Given a poldiff_type_remap_entry_t object, determine if it is
+ * enabled or not.
+ *
+ * @param entry Remap entry from which to get its enabled status.
+ *
+ * @return 1 if it is enabled, 0 if not, < 0 on error.
+ */
+ extern int poldiff_type_remap_entry_get_is_enabled(const poldiff_type_remap_entry_t * entry);
+
+/**
+ * Enable or disable a poldiff_type_remap_entry_t object.
+ *
+ * @param entry Remap entry from which to set its enabled status.
+ * @param enabled 0 to disable this entry, non-zero to enable it.
+ */
+ extern void poldiff_type_remap_entry_set_enabled(poldiff_type_remap_entry_t * entry, int enabled);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* POLDIFF_TYPE_MAP_H */
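Review bot: poldiff_type_remap_create's doc names its third parameter `mod_name` but the prototype's parameter is `mod_names`; change the tag to `@param mod_names A vector of type names (char *) in the modified policy to consider equivalent.`. The same function warns that creating a remap resets previously run difference calculations, but poldiff_type_remap_entry_remove and poldiff_type_remap_entry_set_enabled carry no such note even though they also change which types are treated as equivalent; if they invalidate earlier results too, say so on each, and if they do not, state that the caller must rerun the diff for the change to take effect. For a policy reviewer this matters: a stale or disabled remap silently changes whether a renamed type shows up as added/removed rules or as no change at all. Finally, poldiff_type_remap_get_entries returns a non-const `apol_vector_t *` from a `const poldiff_t *` while telling the caller not to destroy it; returning `const apol_vector_t *` as the other accessors do would make that contract enforceable.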
diff --git a/libpoldiff/include/poldiff/user_diff.h b/libpoldiff/include/poldiff/user_diff.h
new file mode 100644
index 0000000..0af50e6
--- /dev/null
+++ b/libpoldiff/include/poldiff/user_diff.h
@@ -0,0 +1,191 @@
+/**
+ * @file
+ * Public interface for computing semantic differences in users.
+ *
+ * @author Jeremy A. Mowery jmowery@tresys.com
+ * @author Jason Tang jtang@tresys.com
+ *
+ * Copyright (C) 2006-2007 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef POLDIFF_USER_DIFF_H
+#define POLDIFF_USER_DIFF_H
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+#include <apol/vector.h>
+#include <poldiff/poldiff.h>
+
+ typedef struct poldiff_user poldiff_user_t;
+
+/**
+ * Get an array of statistics for the number of differences of each
+ * form for users.
+ *
+ * @param diff The policy difference structure from which to get the
+ * stats.
+ * @param stats Array into which to write the numbers (array must be
+ * pre-allocated). The order of the values written to the array is
+ * as follows: number of items of form POLDIFF_FORM_ADDED, number of
+ * POLDIFF_FORM_REMOVED, number of POLDIFF_FORM_MODIFIED, number of
+ * POLDIFF_FORM_ADD_TYPE, and number of POLDIFF_FORM_REMOVE_TYPE.
+ */
+ extern void poldiff_user_get_stats(const poldiff_t * diff, size_t stats[5]);
+
+/**
+ * Get the vector of user differences from the user difference
+ * summary.
+ *
+ * @param diff The policy difference structure associated with the
+ * user difference summary.
+ *
+ * @return A vector of elements of type poldiff_user_t, or NULL on
+ * error. The caller should <b>not</b> destroy the vector
+ * returned. If the call fails, errno will be set.
+ */
+ extern const apol_vector_t *poldiff_get_user_vector(const poldiff_t * diff);
+
+/**
+ * Obtain a newly allocated string representation of a difference in
+ * a user.
+ *
+ * @param diff The policy difference structure associated with the user.
+ * @param user The user from which to generate the string.
+ *
+ * @return A string representation of user difference; the caller is
+ * responsible for free()ing this string. On error, return NULL and
+ * set errno.
+ */
+ extern char *poldiff_user_to_string(const poldiff_t * diff, const void *user);
+
+/**
+ * Get the name of the user from a user diff.
+ *
+ * @param user The user from which to get the name.
+ *
+ * @return Name of the user on success and NULL on failure; if the
+ * call fails, errno will be set. The caller should not free the
+ * returned string.
+ */
+ extern const char *poldiff_user_get_name(const poldiff_user_t * user);
+
+/**
+ * Get the form of difference from a user diff.
+ *
+ * @param user The user from which to get the difference form.
+ *
+ * @return The form of difference (one of POLDIFF_FORM_*) or
+ * POLDIFF_FORM_NONE on error. If the call fails, errno will be set.
+ */
+ extern poldiff_form_e poldiff_user_get_form(const void *user);
+
+/**
+ * Get a vector of unmodified roles for the user.
+ *
+ * @param user The user diff from which to get the roles vector.
+ *
+ * @return A vector of role names (type char *) that are assigned to
+ * the user in the modified policy. If no roles were added the size
+ * of the returned vector will be 0. The caller must not destroy
+ * this vector. On error, errno will be set.
+ */
+ extern const apol_vector_t *poldiff_user_get_unmodified_roles(const poldiff_user_t * user);
+
+/**
+ * Get a vector of roles added to the user. If a user was added by
+ * the modified policy then this vector will hold all of the roles.
+ *
+ * @param user The user diff from which to get the roles vector.
+ *
+ * @return A vector of role names (type char *) that are assigned to
+ * the user in the modified policy. If no roles were added the size
+ * of the returned vector will be 0. The caller must not destroy
+ * this vector. On error, errno will be set.
+ */
+ extern const apol_vector_t *poldiff_user_get_added_roles(const poldiff_user_t * user);
+
+/**
+ * Get a vector of roles removed from the user. If a user was
+ * removed by the modified policy then this vector will hold all of
+ * the roles.
+ *
+ * @param user The user diff from which to get the roles vector.
+ *
+ * @return A vector of role names (type char *) that are assigned to
+ * the user in the original policy. If no roles were removed the
+ * size of the returned vector will be 0. The caller must not
+ * destroy this vector. On error, errno will be set.
+ */
+ extern const apol_vector_t *poldiff_user_get_removed_roles(const poldiff_user_t * user);
+
+/**
+ * Get the original user's default MLS level. That is, this is the
+ * level assigned to the user in the original policy. If the level
+ * has the form POLDIFF_FORM_MODIFIED, then this indiciates that the
+ * user had the same sensitivity between the two policies but
+ * different categories.
+ *
+ * If neither policy is MLS or there are no differences in default
+ * level, then the return value is NULL.
+ *
+ * @param user The user diff from which to get default level.
+ *
+ * @return User's original default MLS level. Returns NULL upon
+ * error or if there is no difference in level.
+ */
+ extern const poldiff_level_t *poldiff_user_get_original_dfltlevel(const poldiff_user_t * user);
+
+/**
+ * Get the modified user's MLS level. That is, this is the level
+ * assigned to the user in the modified policy. If the level had the
+ * same sensitivity but different categories call
+ * poldiff_user_get_original_dfltlevel() to get the difference; this
+ * function will return NULL.
+ *
+ * If neither policy is MLS or there are no differences in
+ * default level, then the return value is NULL.
+ *
+ * @param user The user diff from which to get default level.
+ *
+ * @return User's modified default MLS level. Returns NULL upon
+ * error, if there is no difference in level, or if the sensitivity
+ * was unchanged.
+ */
+ extern const poldiff_level_t *poldiff_user_get_modified_dfltlevel(const poldiff_user_t * user);
+
+/**
+ * Get the change in user's assigned MLS range.
+ *
+ * If neither policy is MLS or there are no differences in range,
+ * then the return value is NULL.
+ *
+ * @param user The user diff from which to get assigned range
+ * differences.
+ *
+ * @return User's MLS range differences. Returns NULL upon error or
+ * if there is no difference in range.
+ */
+ extern const poldiff_range_t *poldiff_user_get_range(const poldiff_user_t * user);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* POLDIFF_USER_DIFF_H */
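Review bot: The @return text for poldiff_user_get_unmodified_roles is copied from poldiff_user_get_added_roles: it says the roles are "assigned to the user in the modified policy" and that the vector is empty "if no roles were added", which is wrong for an accessor of unmodified roles. It should read along the lines of `A vector of role names (type char *) that are assigned to the user in both the original and modified policies. If no roles are unmodified the size of the returned vector will be 0.` (I am inferring "both policies" from the function name; confirm against the implementation). Since user-to-role assignments determine which domains a user can reach, a consumer that mistakes this list for added roles would misreport privilege changes. Also, "indiciates" in the poldiff_user_get_original_dfltlevel comment should be "indicates".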
diff --git a/libpoldiff/include/poldiff/util.h b/libpoldiff/include/poldiff/util.h
new file mode 100644
index 0000000..445a92b
--- /dev/null
+++ b/libpoldiff/include/poldiff/util.h
@@ -0,0 +1,45 @@
+/**
+ * @file
+ *
+ * Miscellaneous, uncategorized functions for libpoldiff.
+ *
+ * @author Jeremy A. Mowery jmowery@tresys.com
+ * @author Jason Tang jtang@tresys.com
+ *
+ * Copyright (C) 2006-2007 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef POLDIFF_UTIL_H
+#define POLDIFF_UTIL_H
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+/**
+ * Return an immutable string describing this library's version.
+ *
+ * @return String describing this library.
+ */
+ extern const char *libpoldiff_get_version(void);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
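Review bot: The closing `#endif` of util.h has no guard-name comment, whereas every other header in this commit ends with `#endif /* POLDIFF_xxx_H */`; make it `#endif /* POLDIFF_UTIL_H */` for consistency. The @return line for libpoldiff_get_version could also state explicitly that the caller must not free() the string, matching the wording used by the other accessors in this commit.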