1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
|
/**
* @file
*
* Routines to query (role) allow and role_transition rules of a
* policy. This does not include access vector's allow rules, which
* are found in avrule-query.h.
*
* @author Jeremy A. Mowery jmowery@tresys.com
* @author Jason Tang jtang@tresys.com
*
* Copyright (C) 2006-2007 Tresys Technology, LLC
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*/
#ifndef APOL_RBACRULE_QUERY_H
#define APOL_RBACRULE_QUERY_H
#ifdef __cplusplus
extern "C"
{
#endif
#include "policy.h"
#include "vector.h"
#include <qpol/policy.h>
typedef struct apol_role_allow_query apol_role_allow_query_t;
typedef struct apol_role_trans_query apol_role_trans_query_t;
/******************** (role) allow queries ********************/
/**
* Execute a query against all (role) allow rules within the policy.
*
* @param p Policy within which to look up allow rules.
* @param r Structure containing parameters for query. If this is
* NULL then return all allow rules.
* @param v Reference to a vector of qpol_role_allow_t. The vector
* will be allocated by this function. The caller must call
* apol_vector_destroy() afterwards. This will be set to NULL upon no
* results or upon error.
*
* @return 0 on success (including none found), negative on error.
*/
extern int apol_role_allow_get_by_query(const apol_policy_t * p, const apol_role_allow_query_t * r, apol_vector_t ** v);
/**
* Allocate and return a new role allow query structure. All fields
* are initialized, such that running this blank query results in
* returning all (role) allows within the policy. The caller must
* call apol_role_allow_query_destroy() upon the return value
* afterwards.
*
* @return An initialized role allow query structure, or NULL upon
* error.
*/
extern apol_role_allow_query_t *apol_role_allow_query_create(void);
/**
* Deallocate all memory associated with the referenced role allow
* query, and then set it to NULL. This function does nothing if the
* query is already NULL.
*
* @param r Reference to a role allow query structure to destroy.
*/
extern void apol_role_allow_query_destroy(apol_role_allow_query_t ** r);
/**
* Set a role allow query to return rules with a particular source
* role.
*
* @param p Policy handler, to report errors.
* @param r Role allow query to set.
* @param role Limit query to rules with this role as their source, or
* NULL to unset this field.
*
* @return 0 on success, negative on error.
*/
extern int apol_role_allow_query_set_source(const apol_policy_t * p, apol_role_allow_query_t * r, const char *role);
/**
* Set a role allow query to return rules with a particular target
* role. This field is ignored if
* apol_role_allow_query_set_source_any() is set to non-zero.
*
* @param p Policy handler, to report errors.
* @param r Role allow query to set.
* @param role Limit query to rules with this role as their target, or
* NULL to unset this field.
*
* @return 0 on success, negative on error.
*/
extern int apol_role_allow_query_set_target(const apol_policy_t * p, apol_role_allow_query_t * r, const char *role);
/**
* Set a role allow query to treat the source role as any. That is,
* use the same symbol for either source or target of a (role) allow
* rule. This flag does nothing if the source role is not set.
*
* @param p Policy handler, to report errors.
* @param r Role allow query to set.
* @param is_any Non-zero to use source symbol for any field, 0 to
* keep source as only source.
*
* @return Always 0.
*/
extern int apol_role_allow_query_set_source_any(const apol_policy_t * p, apol_role_allow_query_t * r, int is_any);
/**
* Set a role allow query to use regular expression searching for
* source and target fields. Strings will be treated as regexes
* instead of literals.
*
* @param p Policy handler, to report errors.
* @param r Role allow query to set.
* @param is_regex Non-zero to enable regex searching, 0 to disable.
*
* @return Always 0.
*/
extern int apol_role_allow_query_set_regex(const apol_policy_t * p, apol_role_allow_query_t * r, int is_regex);
/**
* Render a role allow rule to a string.
*
* @param policy Policy handler, to report errors.
* @param rule The rule to render.
*
* @return a newly malloc()'d string representation of the rule, or NULL on
* failure; if the call fails, errno will be set. The caller is responsible
* for calling free() on the returned string.
*/
extern char *apol_role_allow_render(const apol_policy_t * policy, const qpol_role_allow_t * rule);
/******************** role_transition queries ********************/
/**
* Execute a query against all role_transition rules within the
* policy.
*
* @param p Policy within which to look up role_transition rules.
* @param r Structure containing parameters for query. If this is
* NULL then return all role_transition rules.
* @param v Reference to a vector of qpol_role_trans_t. The vector
* will be allocated by this function. The caller must call
* apol_vector_destroy() afterwards. This will be set to NULL upon no
* results or upon error.
*
* @return 0 on success (including none found), negative on error.
*/
extern int apol_role_trans_get_by_query(const apol_policy_t * p, const apol_role_trans_query_t * r, apol_vector_t ** v);
/**
* Allocate and return a new role trans query structure. All fields
* are initialized, such that running this blank query results in
* returning all role_transitions within the policy. The caller must
* call apol_role_trans_query_destroy() upon the return value
* afterwards.
*
* @return An initialized role trans query structure, or NULL upon
* error.
*/
extern apol_role_trans_query_t *apol_role_trans_query_create(void);
/**
* Deallocate all memory associated with the referenced role trans
* query, and then set it to NULL. This function does nothing if the
* query is already NULL.
*
* @param r Reference to a role trans query structure to destroy.
*/
extern void apol_role_trans_query_destroy(apol_role_trans_query_t ** r);
/**
* Set a role trans query to return rules with a particular source
* role.
*
* @param p Policy handler, to report errors.
* @param r Role trans query to set.
* @param role Limit query to rules with this role as their source, or
* NULL to unset this field.
*
* @return 0 on success, negative on error.
*/
extern int apol_role_trans_query_set_source(const apol_policy_t * p, apol_role_trans_query_t * r, const char *role);
/**
* Set a role trans query to return rules with a particular target
* symbol. Symbol may be a type or attribute; if it is an alias then
* the query will convert it to its primary prior to searching. If
* is_indirect is non-zero then the search will be done indirectly.
* If the symbol is a type, then the query matches rules with one of
* the type's attributes. If the symbol is an attribute, then it
* matches rule with any of the attribute's types.
*
* @param p Policy handler, to report errors.
* @param r Role trans query to set.
* @param symbol Limit query to rules with this type or attribute as
* their target, or NULL to unset this field.
* @param is_indirect If non-zero, perform indirect matching.
*
* @return 0 on success, negative on error.
*/
extern int apol_role_trans_query_set_target(const apol_policy_t * p, apol_role_trans_query_t * r, const char *symbol,
int is_indirect);
/**
* Set a role trans query to return rules with a particular default
* role. This field is ignored if
* apol_role_trans_query_set_source_any() is set to non-zero.
*
* @param p Policy handler, to report errors.
* @param r Role trans query to set.
* @param role Limit query to rules with this role as their default, or
* NULL to unset this field.
*
* @return 0 on success, negative on error.
*/
extern int apol_role_trans_query_set_default(const apol_policy_t * p, apol_role_trans_query_t * r, const char *role);
/**
* Set a role trans query to treat the source role as any. That is,
* use the same symbol for either source or default of a
* role_transition rule. This flag does nothing if the source role is
* not set. Note that a role_transition's target is a type, so thus
* this flag does not affect its searching.
*
* @param p Policy handler, to report errors.
* @param r Role trans query to set.
* @param is_any Non-zero to use source symbol for source or default
* field, 0 to keep source as only source.
*
* @return Always 0.
*/
extern int apol_role_trans_query_set_source_any(const apol_policy_t * p, apol_role_trans_query_t * r, int is_any);
/**
* Set a role trans query to use regular expression searching for
* source, target, and default fields. Strings will be treated as
* regexes instead of literals. For the target type, matching will
* occur against the type name or any of its aliases.
*
* @param p Policy handler, to report errors.
* @param r Role trans query to set.
* @param is_regex Non-zero to enable regex searching, 0 to disable.
*
* @return Always 0.
*/
extern int apol_role_trans_query_set_regex(const apol_policy_t * p, apol_role_trans_query_t * r, int is_regex);
/**
* Render a role_transition rule to a string.
*
* @param policy Policy handler, to report errors.
* @param rule The rule to render.
*
* @return A newly malloc()'d string representation of the rule, or NULL on
* failure; if the call fails, errno will be set. The caller is responsible
* for calling free() on the returned string.
*/
extern char *apol_role_trans_render(const apol_policy_t * policy, const qpol_role_trans_t * rule);
#ifdef __cplusplus
}
#endif
#endif
|
