diff options
Diffstat (limited to 'libsefs/include/sefs/query.hh')
-rw-r--r-- | libsefs/include/sefs/query.hh | 329 |
1 files changed, 329 insertions, 0 deletions
diff --git a/libsefs/include/sefs/query.hh b/libsefs/include/sefs/query.hh new file mode 100644 index 0000000..c0e8921 --- /dev/null +++ b/libsefs/include/sefs/query.hh @@ -0,0 +1,329 @@ +/** + * @file + * Defines the public interface for file context queries. + * + * @author Jeremy A. Mowery jmowery@tresys.com + * @author Jason Tang jtang@tresys.com + * + * Copyright (C) 2007 Tresys Technology, LLC + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef SEFS_QUERY_H +#define SEFS_QUERY_H + +#ifdef __cplusplus +extern "C" +{ +#endif + +#include <sys/types.h> +#include <regex.h> + +#ifndef __cplusplus +#include <stdbool.h> +#endif + +#include <apol/context-query.h> +#include <apol/mls-query.h> +#include <apol/policy-query.h> +#include <apol/vector.h> + +#ifdef __cplusplus +} + +#include <stdexcept> + +/** + * This class represents a query into a (subclass of) fclist. Create + * a query, fill in all accessors are needed, and then run the query. + * All fields must match for an entry to be returned. Where a fclist + * does not support a particular criterion (e.g., inode numbers for + * fcfile) that portion of the query is considered to be matching. + */ +class sefs_query +{ + friend class sefs_db; + friend class sefs_fcfile; + friend class sefs_filesystem; + + public: + + /** + * Allocate and return a new sefs query structure. All fields + * are initialized, such that running this blank query results + * in returning all entries within a fclist. + */ + sefs_query(); + + ~sefs_query(); + + /** + * Set a sefs query to match only entries with contexts with + * the user \a name. + * @param name Limit query to only contexts with this user, or + * NULL to clear this field. The string will be duplicated. + * @exception std::bad_alloc Out of memory. + */ + void user(const char *name) throw(std::bad_alloc); + + /** + * Set a sefs query to match only entries with contexts with + * the role \a name. + * @param name Limit query to only contexts with this role, or + * NULL to clear this field. The string will be duplicated. + * @exception std::bad_alloc Out of memory. + */ + void role(const char *name) throw(std::bad_alloc); + + /** + * Set a sefs query to match only entries with contexts with + * the type \a name. + * @param name Limit query to only contexts with this type, or + * NULL to clear this field. The string will be duplicated. + * @param indirect If true and if the fclist queried has + * access to a policy, also match contexts with types in + * attribute \a name or types which are an alias for \a name. + * If a policy is not available, this field is ignored, and + * exact string matching is used instead. This paramater is + * ignored if \a name is NULL. + * @exception std::bad_alloc Out of memory. + * @see sefs_fclist::associatePolicy() to associate a policy + * with a fclist. + */ + void type(const char *name, bool indirect) throw(std::bad_alloc); + + /** + * Set a sefs query to match only entries with contexts with a + * range of \a range. If the fclist is not MLS then \a name + * and \a match will be ignored. + * @param name Limit query to only contexts matching this + * string representing the MLS range, or NULL to clear this + * field. The string will be duplicated. + * @param match If non-zero and the fclist queried has access + * to a policy, match the range using the specified semantics; + * this should be one of APOL_QUERY_SUB, APOL_QUERY_SUPER, or + * APOL_QUERY_EXACT. (The range string will be converted + * automatically into an apol_mls_range_t object.) If a + * policy is not available or \a match is zero, exact string + * matching is used instead. Note, if a policy is available + * the regex flag is ignored if \a match is non-zero. This + * parameter is ignored if \a range is NULL. + * @exception std::bad_alloc Out of memory. + * @see sefs_fclist::associatePolicy() to associate a policy + * with a fclist. + */ + void range(const char *name, int match) throw(std::bad_alloc); + + /** + * Set a sefs query to match only entries with object class \a + * objclass. + * + * <em>Note:</em> If the query is run against a fcfile, then + * entries without explicit object classes (i.e., no explicit + * <tt>--</tt>, <tt>-d</tt>, etc.) will always match + * irrespective of the query's object class field. + * + * @param Numeric identifier for an objclass, one of + * QPOL_CLASS_FILE, QPOL_CLASS_DIR, etc., as defined in + * <qpol/genfscon_query.h>. Use QPOL_CLASS_ALL to match all + * object classes. + */ + void objectClass(uint32_t objclass); + + /** + * Set a sefs query to match only entries with object class \a + * name. The \a name parameter is not affected by regex(). + * + * @param name Limit query to only entries with this object + * class, or NULL to clear this field. The incoming string + * must be legal according to apol_str_to_objclass(). + * + * @see objectClass(uint32_t) for note about fcfiles. + */ + void objectClass(const char *name); + + /** + * Set a sefs query to match only entries with path \a path. + * + * <em>Note:</em> If the query is run against a fcfile, the + * behavior of matching paths is slightly different. For each + * of fcfile's entries, that entry's regular expression is + * matched against \a path. This is the reverse for other + * types of fclist, where \a path matches an entry's path if + * \a path is a substring. (If sefs_query::regex() is set to + * true, \a path is instead treated as a regular expression.) + * + * @param str Limit query to only entries containing this + * path, or NULL to clear this field. The string will be + * duplicated. + * @exception std::bad_alloc Out of memory. + */ + void path(const char *str) throw(std::bad_alloc); + + /** + * Set a sefs query to match only entries with a given inode + * number. + * @param ino Limit query to only entries with this inode + * number, or 0 to clear this field. + */ + void inode(ino64_t ino); + + /** + * Set a sefs query to match only entries with a given device + * name. + * @param str Limit query to only entries with this device + * name, or NULL to clear this string. The string will be + * duplicated. + * @exception std::bad_alloc Out of memory. + * @see sefs_filesystem::getDevName() to convert between dev_t + * and a name. + */ + void dev(const char *str) throw(std::bad_alloc); + + /** + * Set a sefs query to use regular expression matching for + * string fields. + * @param r If true then use regular expression matching; + * otherwise use only exact string matching. + */ + void regex(bool r); + + private: + /** + * Compile the regular expressions stored within this query + * object. It is safe to call this function multiple times. + * + * @exception std::bad_alloc Out of memory. + * @exception std::invalid_argument One or more invalid regular + * expressions is invalid. + */ + void compile() throw(std::bad_alloc, std::invalid_argument); + + char *_user, *_role, *_type, *_range, *_path, *_dev; + uint32_t _objclass; + bool _indirect, _regex, _recursive; + int _rangeMatch; + ino64_t _inode; + bool _recompiled; + regex_t *_reuser, *_rerole, *_retype, *_rerange, *_repath, *_redev; +}; + +extern "C" +{ +#endif + +//we do not want to wrap two copies of everything so have SWIG ignore +//the compatibility section. +#ifndef SWIG + + typedef struct sefs_query sefs_query_t; + +/** + * Allocate and return a new sefs query structure. + * @see sefs_query::sefs_query() + */ + extern sefs_query_t *sefs_query_create(); + +/** + * Deallocate all memory associated with the referenced sefs query, + * and then set it to NULL. This function does nothing if the query + * is already NULL. + * @param query Reference to a sefs query structure to destroy. + */ + extern void sefs_query_destroy(sefs_query_t ** query); + +/** + * Set a sefs query to match only entries with contexts with the user + * \a name. + * @see sefs_query::user() + */ + extern int sefs_query_set_user(sefs_query_t * query, const char *name); + +/** + * Set a sefs query to match only entries with contexts with the role + * \a name. + * @see sefs_query::role() + */ + extern int sefs_query_set_role(sefs_query_t * query, const char *name); + +/** + * Set a sefs query to match only entries with contexts with the type + * \a name. + * @see sefs_query::type() + * @see sefs_fclist_associate_policy() to associate a policy with a + * fclist. + */ + extern int sefs_query_set_type(sefs_query_t * query, const char *name, bool indirect); + +/** + * Set a sefs query to match only entries with contexts with a range + * of \a range. + * @see sefs_query::range() + * @see sefs_fclist_associate_policy() to associate a policy with a + * fclist. + */ + extern int sefs_query_set_range(sefs_query_t * query, const char *range, int match); + +/** + * Set a sefs query to match only entries with object class \a + * objclass. + * @return Always 0. + * @see sefs_query::objectClass(uint32_t) + */ + extern int sefs_query_set_object_class(sefs_query_t * query, uint32_t objclass); + +/** + * Set a sefs query to match only entries with object class \a name. + * @return Always 0. + * @see sefs_query::objectClass(const char *) + */ + extern int sefs_query_set_object_class_str(sefs_query_t * query, const char *name); + +/** + * Set a sefs query to match only entries with path \a path. + * @see sefs_query::path() + */ + extern int sefs_query_set_path(sefs_query_t * query, const char *path); + +/** + * Set a sefs query to match only entries with a given inode number. + * @return Always 0. + * @see sefs_query::inode() + */ + extern int sefs_query_set_inode(sefs_query_t * query, ino64_t inode); + +/** + * Set a sefs query to match only entries with a given device number. + * @see sefs_query::dev() + */ + extern int sefs_query_set_dev(sefs_query_t * query, const char *dev); + +/** + * Set a sefs query to use regular expression matching for string + * fields. + * @return Always 0. + * @see sefs_query::regex() + */ + extern int sefs_query_set_regex(sefs_query_t * query, bool regex); + +#endif /* SWIG */ + +#ifdef __cplusplus +} +#endif + +#endif /* SEFS_QUERY_H */ |