1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
|
/**
* @file
*
* Routines to perform a two-types relationship analysis.
*
* @author Jeremy A. Mowery jmowery@tresys.com
* @author Jason Tang jtang@tresys.com
*
* Copyright (C) 2003-2007 Tresys Technology, LLC
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*/
#ifndef APOL_TYPES_RELATION_ANALYSIS_H
#define APOL_TYPES_RELATION_ANALYSIS_H
#ifdef __cplusplus
extern "C"
{
#endif
#include "policy.h"
#include "vector.h"
#include <qpol/policy.h>
/* Specify a which types relationship analysis/analyses to run using
* these bit values.
*/
#define APOL_TYPES_RELATION_COMMON_ATTRIBS 0x0001
#define APOL_TYPES_RELATION_COMMON_ROLES 0x0002
#define APOL_TYPES_RELATION_COMMON_USERS 0x0004
#define APOL_TYPES_RELATION_SIMILAR_ACCESS 0x0010
#define APOL_TYPES_RELATION_DISSIMILAR_ACCESS 0x0020
#define APOL_TYPES_RELATION_ALLOW_RULES 0x0100
#define APOL_TYPES_RELATION_TYPE_RULES 0x0200
#define APOL_TYPES_RELATION_DOMAIN_TRANS_AB 0x0400
#define APOL_TYPES_RELATION_DOMAIN_TRANS_BA 0x0800
#define APOL_TYPES_RELATION_DIRECT_FLOW 0x1000
#define APOL_TYPES_RELATION_TRANS_FLOW_AB 0x4000
#define APOL_TYPES_RELATION_TRANS_FLOW_BA 0x8000
typedef struct apol_types_relation_analysis apol_types_relation_analysis_t;
typedef struct apol_types_relation_result apol_types_relation_result_t;
typedef struct apol_types_relation_access apol_types_relation_access_t;
/********** functions to do types relation analysis **********/
/**
* Execute a two types relationship analysis against a particular
* policy.
*
* @param p Policy within which to look up relationships.
* @param tr A non-NULL structure containing parameters for analysis.
* @param r Reference to a apol_types_relation_result_t. The object
* will be allocated by this function. The caller must call
* apol_types_relation_result_destroy() afterwards. This will be set
* to NULL upon no results or upon error.
*
* @return 0 on success, negative on error.
*/
extern int apol_types_relation_analysis_do(apol_policy_t * p,
const apol_types_relation_analysis_t * tr, apol_types_relation_result_t ** r);
/**
* Allocate and return a new two types relationship analysis
* structure. All fields are cleared; one must fill in the details of
* the analysis before running it. The caller must call
* apol_types_relation_analysis_destroy() upon the return value
* afterwards.
*
* @return An initialized two types relationship analysis structure, or
* NULL upon error.
*/
extern apol_types_relation_analysis_t *apol_types_relation_analysis_create(void);
/**
* Deallocate all memory associated with the referenced types relation
* analysis, and then set it to NULL. This function does nothing if
* the analysis is already NULL.
*
* @param tr Reference to a types relation analysis structure to
* destroy.
*/
extern void apol_types_relation_analysis_destroy(apol_types_relation_analysis_t ** tr);
/**
* Set a types relation analysis to begin analysis from this first
* type. This function must be called prior to running the analysis.
*
* @param p Policy handler, to report errors.
* @param tr Types relation analysis to set.
* @param name Perform analysis with this non-NULL name.
*
* @return 0 on success, negative on error.
*/
extern int apol_types_relation_analysis_set_first_type(const apol_policy_t * p, apol_types_relation_analysis_t * tr,
const char *name);
/**
* Set a types relation analysis to begin analysis from this other
* type. This function must be called prior to running the analysis.
*
* @param p Policy handler, to report errors.
* @param tr Types relation analysis to set.
* @param name Perform analysis with this other non-NULL name.
*
* @return 0 on success, negative on error.
*/
extern int apol_types_relation_analysis_set_other_type(const apol_policy_t * p, apol_types_relation_analysis_t * tr,
const char *name);
/**
* Set a types relation analysis to run the specified
* analysis/analyses. This is a bitmap; use the defines
* APOL_TYPES_RELATION_COMMON_ATTRIBUTES etc. to specify which one(s)
* to run.
*
* @param p Policy handler, to report errors.
* @param tr Types relation analysis to set.
* @param analyses Bitmap to indicate which analyses to run, or 0 to
* run them all.
*
* @return Always 0.
*/
extern int apol_types_relation_analysis_set_analyses(const apol_policy_t * p, apol_types_relation_analysis_t * tr,
unsigned int analyses);
/*************** functions to access types relation results ***************/
/**
* Deallocate all memory associated with a types relation analysis
* result, including the pointer itself. This function does nothing
* if the result is already NULL.
*
* @param result Reference to a types relation result structure to
* destroy.
*/
extern void apol_types_relation_result_destroy(apol_types_relation_result_t ** result);
/**
* Return the vector of attributes common to the two types. This is a
* vector of qpol_type_t pointers. The caller <b>should not</b> call
* apol_vector_destroy() upon the returned vector. If the user did
* not request this analysis then the return value will be NULL.
*
* @param result Types relation result from which to get common
* attributes.
*
* @return Vector of common attributes, or NULL if analysis was not
* run.
*/
extern const apol_vector_t *apol_types_relation_result_get_attributes(const apol_types_relation_result_t * result);
/**
* Return the vector of roles common to the two types. This is a
* vector of qpol_role_t pointers. The caller <b>should not</b> call
* apol_vector_destroy() upon the returned vector. If the user did
* not request this analysis then the return value will be NULL.
*
* @param result Types relation result from which to get common roles.
*
* @return Vector of common roles, or NULL if analysis was not run.
*/
extern const apol_vector_t *apol_types_relation_result_get_roles(const apol_types_relation_result_t * result);
/**
* Return the vector of users common to the two types. This is a
* vector of qpol_user_t pointers. The caller <b>should not</b> call
* apol_vector_destroy() upon the returned vector. If the user did
* not request this analysis then the return value will be NULL.
*
* @param result Types relation result from which to get common users.
*
* @return Vector of common users, or NULL if analysis was not run.
*/
extern const apol_vector_t *apol_types_relation_result_get_users(const apol_types_relation_result_t * result);
/**
* Return the vector of accesses similar to the two types. This is a
* vector of apol_types_relation_access_t pointers. The vector will
* contain only the rules that the first type had. Call
* apol_types_relation_result_get_similar_other() to get the
* complementary vector (i.e., both vectors will have the same types).
* The caller <b>should not</b> call apol_vector_destroy() upon the
* returned vector. If the user did not request this analysis then
* the return value will be NULL.
*
* @param result Types relation result from which to get similar accesses.
*
* @return Vector of similar accesses, or NULL if analysis was not run.
*/
extern const apol_vector_t *apol_types_relation_result_get_similar_first(const apol_types_relation_result_t * result);
/**
* Return the vector of accesses similar to the two types. This is a
* vector of apol_types_relation_access_t pointers. The vector will
* contain only the rules that the other type had. Call
* apol_types_relation_result_get_similar_first() to get the
* complementary vector (i.e., both vectors will have the same types).
* The caller <b>should not</b> call apol_vector_destroy() upon the
* returned vector. If the user did not request this analysis then
* the return value will be NULL.
*
* @param result Types relation result from which to get similar accesses.
*
* @return Vector of similar accesses, or NULL if analysis was not run.
*/
extern const apol_vector_t *apol_types_relation_result_get_similar_other(const apol_types_relation_result_t * result);
/**
* Return the vector of accesses dissimilar for the first type (i.e.,
* types that the first type reaches that the other type does not).
* This is a vector of apol_types_relation_access_t pointers. The
* caller <b>should not</b> call apol_vector_destroy() upon the
* returned vector. If the user did not request this analysis then
* the return value will be NULL.
*
* @param result Types relation result from which to get dissimilar
* accesses.
*
* @return Vector of dissimilar accesses, or NULL if analysis was not
* run.
*/
extern const apol_vector_t *apol_types_relation_result_get_dissimilar_first(const apol_types_relation_result_t * result);
/**
* Return the vector of accesses dissimilar for the other type (i.e.,
* types that the other type reaches that the first type does not).
* This is a vector of apol_types_relation_access_t pointers. The
* caller <b>should not</b> call apol_vector_destroy() upon the
* returned vector. If the user did not request this analysis then
* the return value will be NULL.
*
* @param result Types relation result from which to get dissimilar
* accesses.
*
* @return Vector of dissimilar accesses, or NULL if analysis was not
* run.
*/
extern const apol_vector_t *apol_types_relation_result_get_dissimilar_other(const apol_types_relation_result_t * result);
/**
* Return the vector of allow rules involving both types (allow one
* type to the other). This is a vector of qpol_avrule_t pointers.
* The caller <b>should not</b> call apol_vector_destroy() upon the
* returned vector. If the user did not request this analysis then
* the return value will be NULL.
*
* @param result Types relation result from which to get rules.
*
* @return Vector of allow rules, or NULL if analysis was not run.
*/
extern const apol_vector_t *apol_types_relation_result_get_allowrules(const apol_types_relation_result_t * result);
/**
* Return the vector of type transition / type change rules involving
* both types. This is a vector of qpol_terule_t pointers. The
* caller <b>should not</b> call apol_vector_destroy() upon the
* returned vector. If the user did not request this analysis then
* the return value will be NULL.
*
* @param result Types relation result from which to get rules.
*
* @return Vector of type enforcement rules, or NULL if analysis was
* not run.
*/
extern const apol_vector_t *apol_types_relation_result_get_typerules(const apol_types_relation_result_t * result);
/**
* Return the vector of apol_infoflow_result_t pointers corresponding
* to a direct information flow analysis between both types. The
* caller <b>should not</b> call apol_vector_destroy() upon the
* returned vector. If the user did not request this analysis then
* the return value will be NULL.
*
* @param result Types relation result from which to get information
* flows.
*
* @return Vector of infoflow results, or NULL if analysis was not
* run.
*/
extern const apol_vector_t *apol_types_relation_result_get_directflows(const apol_types_relation_result_t * result);
/**
* Return the vector of apol_infoflow_result_t pointers corresponding
* to a transitive information flow analysis between the first type to
* the other. The caller <b>should not</b> call apol_vector_destroy()
* upon the returned vector. If the user did not request this
* analysis then the return value will be NULL.
*
* @param result Types relation result from which to get information
* flows.
*
* @return Vector of infoflow results, or NULL if analysis was not
* run.
*/
extern const apol_vector_t *apol_types_relation_result_get_transflowsAB(const apol_types_relation_result_t * result);
/**
* Return the vector of apol_infoflow_result_t pointers corresponding
* to a transitive information flow analysis between the other type to
* the first. The caller <b>should not</b> call apol_vector_destroy()
* upon the returned vector. If the user did not request this
* analysis then the return value will be NULL.
*
* @param result Types relation result from which to get information
* flows.
*
* @return Vector of infoflow results, or NULL if analysis was not
* run.
*/
extern const apol_vector_t *apol_types_relation_result_get_transflowsBA(const apol_types_relation_result_t * result);
/**
* Return the vector of apol_domain_trans_result_t pointers
* corresponding to a domain transition analysis between the first
* type to the other. The caller <b>should not</b> call
* apol_vector_destroy() upon the returned vector. If the user did
* not request this analysis then the return value will be NULL.
*
* @param result Types relation result from which to get domain
* transitions.
*
* @return Vector of domain transition results, or NULL if analysis
* was not run.
*/
extern const apol_vector_t *apol_types_relation_result_get_domainsAB(const apol_types_relation_result_t * result);
/**
* Return the vector of apol_domain_trans_result_t pointers
* corresponding to a domain transition analysis between the other
* type to the first. The caller <b>should not</b> call
* apol_vector_destroy() upon the returned vector. If the user did
* not request this analysis then the return value will be NULL.
*
* @param result Types relation result from which to get domain
* transitions.
*
* @return Vector of domain transition results, or NULL if analysis
* was not run.
*/
extern const apol_vector_t *apol_types_relation_result_get_domainsBA(const apol_types_relation_result_t * result);
/**
* Given a types relation access node, return the type stored within.
*
* @param a Types relation access node.
*
* @return Pointer to the type stored within.
*/
extern const qpol_type_t *apol_types_relation_access_get_type(const apol_types_relation_access_t * a);
/**
* Given a types relation access node, return the vector of
* qpol_avrule_t pointers stored within.
*
* @param a Types relation access node.
*
* @return Pointer to the vector of rules. The caller <b>must not</b>
* destroy this vector.
*/
extern const apol_vector_t *apol_types_relation_access_get_rules(const apol_types_relation_access_t * a);
#ifdef __cplusplus
}
#endif
#endif
|
