1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
|
/**
* @file
* Defines the public interface the QPol policy.
*
* @author Jeremy A. Mowery jmowery@tresys.com
* @author Jason Tang jtang@tresys.com
* @author Brandon Whalen bwhalen@tresys.com
*
* Copyright (C) 2006-2008 Tresys Technology, LLC
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*/
#ifndef QPOL_POLICY_H
#define QPOL_POLICY_H
#ifdef __cplusplus
extern "C"
{
#endif
#include <stdarg.h>
#include <stdint.h>
typedef struct qpol_policy qpol_policy_t;
#include <qpol/avrule_query.h>
#include <qpol/bool_query.h>
#include <qpol/class_perm_query.h>
#include <qpol/cond_query.h>
#include <qpol/constraint_query.h>
#include <qpol/context_query.h>
#include <qpol/fs_use_query.h>
#include <qpol/isid_query.h>
#include <qpol/iterator.h>
#include <qpol/genfscon_query.h>
#include <qpol/mls_query.h>
#include <qpol/mlsrule_query.h>
#include <qpol/module.h>
#include <qpol/netifcon_query.h>
#include <qpol/nodecon_query.h>
#include <qpol/permissive_query.h>
#include <qpol/polcap_query.h>
#include <qpol/portcon_query.h>
#include <qpol/rbacrule_query.h>
#include <qpol/role_query.h>
#include <qpol/syn_rule_query.h>
#include <qpol/terule_query.h>
#include <qpol/type_query.h>
#include <qpol/user_query.h>
typedef void (*qpol_callback_fn_t) (void *varg, const struct qpol_policy * policy, int level, const char *fmt,
va_list va_args);
#define QPOL_POLICY_UNKNOWN -1
#define QPOL_POLICY_KERNEL_SOURCE 0
#define QPOL_POLICY_KERNEL_BINARY 1
#define QPOL_POLICY_MODULE_BINARY 2
/**
* When loading the policy, do not load neverallow rules.
*/
#define QPOL_POLICY_OPTION_NO_NEVERALLOWS 0x00000001
/**
* When loading the policy, do not load any rules;
* this option implies QPOL_POLICY_OPTION_NO_NEVERALLOWS.
*/
#define QPOL_POLICY_OPTION_NO_RULES 0x00000002
/**
* When loading the policy, attempt to interpret it as the way the
* running system would. If the policy is of a version higher than
* one supported by the system, then the policy will be downgraded to
* the system's maximum value.
*/
#define QPOL_POLICY_OPTION_MATCH_SYSTEM 0x00000004
/**
* List of capabilities a policy may have. This list represents
* features of policy that may differ from version to version or
* based upon the format of the policy file. Note that "polcaps" in
* this case refers to "policy capabilities" that were introduced
* with version 22 policies.
*/
typedef enum qpol_capability
{
/** The policy format stores the names of attributes. */
QPOL_CAP_ATTRIB_NAMES,
/** The policy format stores the syntactic rule type sets. */
QPOL_CAP_SYN_RULES,
/** The policy format stores rule line numbers (implies QPOL_CAP_SYN_RULES). */
QPOL_CAP_LINE_NUMBERS,
/** The policy version supports booleans and conditional statements. */
QPOL_CAP_CONDITIONALS,
/** The policy version supports MLS components and statements. */
QPOL_CAP_MLS,
/** The policy version has policy capabilities (polcaps). */
QPOL_CAP_POLCAPS,
/** The policy format supports linking loadable modules. */
QPOL_CAP_MODULES,
/** The policy was loaded with av/te rules. */
QPOL_CAP_RULES_LOADED,
/** The policy source may be displayed. */
QPOL_CAP_SOURCE,
/** The policy supports and was loaded with neverallow rules. */
QPOL_CAP_NEVERALLOW
} qpol_capability_e;
/**
* Open a policy from a passed in file path.
* @param filename The name of the file to open.
* @param policy The policy to populate. The caller should not free
* this pointer.
* @param fn (Optional) If non-NULL, the callback to be used by the handle.
* @param varg (Optional) The argument needed by the handle callback.
* @param options Options to control loading only portions of a policy;
* must be a bitwise-or'd set of QPOL_POLICY_OPTION_* from above.
* @return Returns one of QPOL_POLICY_KERNEL_SOURCE,
* QPOL_POLICY_KERNEL_BINARY, or QPOL_POLICY_MODULE_BINARY on success
* and < 0 on failure; if the call fails, errno will be set and
* *policy will be NULL.
*/
extern int qpol_policy_open_from_file(const char *filename, qpol_policy_t ** policy, qpol_callback_fn_t fn, void *varg,
const int options);
/**
* Open a policy from a passed in file path but do not load any rules.
* @param filename The name of the file to open.
* @param policy The policy to populate. The caller should not free
* this pointer.
* @param fn (Optional) If non-NULL, the callback to be used by the handle.
* @param varg (Optional) The argument needed by the handle callback.
* @return Returns one of QPOL_POLICY_* above on success and < 0 on failure;
* if the call fails, errno will be set and *policy will be NULL.
* @deprecated use qpol_policy_open_from_file() with the option QPOL_POLICY_OPTION_NO_RULES instead.
*/
extern int qpol_policy_open_from_file_no_rules(const char *filename, qpol_policy_t ** policy, qpol_callback_fn_t fn,
void *varg) __attribute__ ((deprecated));
/**
* Open a policy from a passed in buffer.
* @param policy The policy to populate. The caller should not free
* this pointer.
* @param filedata The policy file stored in memory .
* @param size The size of filedata
* @param fn (Optional) If non-NULL, the callback to be used by the handle.
* @param varg (Optional) The argument needed by the handle callback.
* @param options Options to control loading only portions of a policy;
* must be a bitwise-or'd set of QPOL_POLICY_OPTION_* from above.
* @return Returns 0 on success and < 0 on failure; if the call fails,
* errno will be set and *policy will be NULL.
*/
extern int qpol_policy_open_from_memory(qpol_policy_t ** policy, const char *filedata, size_t size, qpol_callback_fn_t fn,
void *varg, const int options);
/**
* Close a policy and deallocate its memory. Does nothing if it is
* already NULL.
* @param policy Reference to the policy to close. The pointer will
* be set to NULL afterwards.
*/
extern void qpol_policy_destroy(qpol_policy_t ** policy);
/**
* Re-evaluate all conditionals in the policy updating the state
* and setting the appropriate rule list as emabled for each.
* This call modifies the policy.
* @param policy The policy for which to re-evaluate the conditionals.
* This policy will be modified by this function.
* @return 0 on success and < 0 on failure; if the call fails,
* errno will be set. On failure, the policy state may be inconsistent.
*/
extern int qpol_policy_reevaluate_conds(qpol_policy_t * policy);
/**
* Append a module to a policy. The policy now owns the module.
* Note that the caller must still invoke qpol_policy_rebuild()
* to update the policy.
* @param policy The policy to which to add the module.
* @param module The module to append. <b>The caller should not
* destroy this module if this function succeeds.</b>
* @return 0 on success and < 0 on failure; if the call fails,
* errno will be set and both the policy and the module will
* remain unchanged. If the call fails, the caller is still
* responsible for calling qpol_module_destroy().
*/
extern int qpol_policy_append_module(qpol_policy_t * policy, qpol_module_t * module);
/**
* Rebuild the policy. If the options provided are the same as those
* provied to the last call to rebuild or open and the modules were not
* changed, this function does nothing; otherwise, re-link all enabled
* modules with the base and then call expand. If the syntactic rule
* table was previously built, the caller should call
* qpol_policy_build_syn_rule_table() after calling this function.
* @param policy The policy to rebuild.
* This policy will be altered by this function.
* @param options Options to control loading only portions of a policy;
* must be a bitwise-or'd set of QPOL_POLICY_OPTION_* from above.
* @return 0 on success and < 0 on failure; if the call fails,
* errno will be set and the policy will be reverted to its previous state.
*/
extern int qpol_policy_rebuild(qpol_policy_t * policy, const int options);
/**
* Get an iterator of all modules in a policy.
* @param policy The policy from which to get the iterator.
* @param iter Iteraror of modules (of type qpol_module_t) returned.
* The caller should not destroy the modules returned by
* qpol_iterator_get_item().
* @return 0 on success and < 0 on failure; if the call fails,
* errno will be set and *iter will be NULL.
*/
extern int qpol_policy_get_module_iter(const qpol_policy_t * policy, qpol_iterator_t ** iter);
/**
* Get the version number of the policy.
* @param policy The policy for which to get the version.
* @param version Pointer to the integer to set to the version number.
* @return Returns 0 on success and < 0 on failure; if the call fails,
* errno will be set and *version will be 0.
*/
extern int qpol_policy_get_policy_version(const qpol_policy_t * policy, unsigned int *version);
/**
* Get the type of policy (source, binary, or module).
* @param policy The policy from which to get the type.
* @param type Pointer to the integer in which to store the type.
* Value will be one of QPOL_POLICY_* from above.
* @return 0 on success and < 0 on failure; if the call fails,
* errno will be set and *type will be QPOL_POLICY_UNKNOWN.
*/
extern int qpol_policy_get_type(const qpol_policy_t * policy, int *type);
/**
* Determine if a policy has support for a specific capability.
* @param policy The policy to check.
* @param cap The capability for which to check. Must be one of QPOL_CAP_*
* defined above.
* @return Non-zero if the policy has the specified capability, and zero otherwise.
*/
extern int qpol_policy_has_capability(const qpol_policy_t * policy, qpol_capability_e cap);
#ifdef __cplusplus
}
#endif
#endif
|
