1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
|
/**
* @file
* Defines the public interface for the file context list abstract
* object. A user must call a constructor for one of sefs_fcfile_t,
* sefs_db_t, or sefs_filesystem_t to create a sefs_fclist_t object.
*
* @author Jeremy A. Mowery jmowery@tresys.com
* @author Jason Tang jtang@tresys.com
*
* Copyright (C) 2007 Tresys Technology, LLC
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*/
#ifndef SEFS_FCLIST_H
#define SEFS_FCLIST_H
#include <sefs/entry.hh>
#include <sefs/query.hh>
#ifdef __cplusplus
extern "C"
{
#endif
#include <selinux/selinux.h>
#include <stdarg.h>
#ifndef __cplusplus
#include <stdbool.h>
#endif
#include <apol/policy.h>
#define SEFS_MSG_ERR 1 /*!< Message describes a fatal error. */
#define SEFS_MSG_WARN 2 /*!< Message is issued as a warning but does not represent a fatal error. */
#define SEFS_MSG_INFO 3 /*!< Message is issued for inormational reasons and does not represent an atypical state. */
struct sefs_fclist;
typedef void (*sefs_callback_fn_t) (void *varg, const struct sefs_fclist * fclist, int level, const char *fmt,
va_list argp);
/**
* Possible types of fclist for use with sefs_fclist_get_data().
*/
typedef enum sefs_fclist_type
{
SEFS_FCLIST_TYPE_NONE = 0, /*!< Not an actual type, used for error conditions */
SEFS_FCLIST_TYPE_FILESYSTEM, /*!< get_data returns sefs_filesystem_t, a representation of a file system */
SEFS_FCLIST_TYPE_FCFILE, /*!< get_data returns sefs_fcfile_t, a representation of a collection of file_context files */
SEFS_FCLIST_TYPE_DB /*!< get_data returns sefs_db_t, a representation of a database of file system contexts */
} sefs_fclist_type_e;
/**
* Invoke a sefs_fclist_t's callback for an error, passing it a format
* string and arguments.
*/
#define SEFS_ERR(fclist, format, ...) sefs_fclist_handleMsg(fclist, SEFS_MSG_ERR, format, __VA_ARGS__)
/**
* Invoke a sefs_fclist_t's callback for a warning, passing it a
* format string and arguments.
*/
#define SEFS_WARN(fclist, format, ...) sefs_fclist_handleMsg(fclist, SEFS_MSG_WARN, format, __VA_ARGS__)
/**
* Invoke a sefs_fclist's callback for an informational message,
* passing it a format string and arguments.
*/
#define SEFS_INFO(fclist, format, ...) sefs_fclist_handleMsg(fclist, SEFS_MSG_INFO, format, __VA_ARGS__)
extern void sefs_fclist_handleMsg(const struct sefs_fclist *fclist, int level, const char *fmt, ...);
__attribute__ ((format(printf, 3, 4))) void sefs_fclist_handleMsg(const struct sefs_fclist *fclist, int level,
const char *fmt, ...);
#ifdef __cplusplus
}
#include <stdexcept>
struct apol_bst;
struct context_node;
#define SEFS_MAP_FUNC_DEFINED
/**
* Function invoked upon each matching file context entry during a query.
*/
typedef int (*sefs_fclist_map_fn_t) (sefs_fclist *, const sefs_entry *, void *);
/**
* An abstract class the represents a list of file contexts. Contexts
* may be read from a filesystem, inferred from a file_contexts file,
* or read from a database.
*/
class sefs_fclist
{
#ifndef SWIG_FRIENDS
friend void sefs_fclist_handleMsg(const sefs_fclist * fclist, int level, const char *fmt, ...);
friend class sefs_entry;
#endif
public:
virtual ~sefs_fclist();
/**
* Perform a sefs query on the given file context list object,
* and then invoke a callback upon each matching entry.
* Mapping occurs in the order of entries as specified by the
* file context list.
* @param query Query object containing search parameters. If
* NULL, invoke the callback on all entries.
* @param fn Function to invoke upon matching entries. This
* function will be called with three parameters: a pointer to
* this fclist, pointer to a matching entry, and an arbitrary
* data pointer. It should return a non-negative value upon
* success, negative value upon error and to abort the
* mapping. Be aware that the entry may go out of scope upon
* conclusion of runQueryMap(), so \a fn will need to clone
* the entry if it needs it later.
* <p>
* <b>This function must not throw any exceptions.</b> Doing
* so will most likely corrupt fclist's internal state.
* Instead, return a negative value to abort processing.
* @param data Arbitrary pointer to be passed into \a fn as a
* third parameter.
* @return Last value returned by fn() (i.e., >= on success, <
* 0 on failure). If the fclist has no entries then return 0.
* @exception std::runtime_error Error while reading contexts
* from the fclist.
* @exception std::invalid_argument One or more query arguments
* is invalid.
*/
virtual int runQueryMap(sefs_query * query, sefs_fclist_map_fn_t fn, void *data) throw(std::runtime_error,
std::invalid_argument) = 0;
/**
* Perform a sefs query on the given file context list object
* and return a list of matching entries.
* @param query Query object containing search parameters. If
* NULL, return all contexts.
* @return A newly allocated unsorted vector (of class
* sefs_entry *) containing all entries matching the query.
* Do not modify the returned entries. Note that the vector
* may be empty. The caller is responsible for calling
* apol_vector_destroy() on the returned vector.
* @exception std::bad_alloc Out of memory.
* @exception std::runtime_error Error while reading contexts
* from the fclist.
* @exception std::invalid_argument One or more query arguments
* is invalid.
*/
apol_vector_t *runQuery(sefs_query * query) throw(std::bad_alloc, std::runtime_error, std::invalid_argument);
/**
* Determine if the contexts in the fclist contain MLS fields.
* @return \a true if MLS fields are present, \a false if not
* or undeterminable.
*/
virtual bool isMLS() const = 0;
/**
* Associate a policy with the fclist. This is needed to
* resolve attributes and MLS ranges in queries. If a policy
* is already associated, then calling this function removes
* that previous association.
* @param policy Policy to associate with \a fclist. If NULL,
* remove any policy association. While \a policy is
* associated with \a fclist the caller should not destroy \a
* policy.
* @see sefs_query_set_type()
* @see sefs_query_set_range()
*/
void associatePolicy(apol_policy_t * new_policy);
/**
* Return the policy currently associated with this fclist.
* Do not destroy the policy without first unassociating it
* (via call to sefs_fclist::associatePolicy(NULL)).
* @return Currently associated policy, or NULL if none is
* set.
*/
apol_policy_t *associatePolicy() const;
/**
* Get the type of fclist object represented by \a fclist.
* @return The type of fclist object or SEFS_FCLIST_TYPE_NONE
* on error.
*/
sefs_fclist_type_e fclist_type() const;
protected:
sefs_fclist(sefs_fclist_type_e type, sefs_callback_fn_t callback, void *varg) throw(std::bad_alloc);
/**
* Given the parts of a context, return a context node (which
* would contain an apol_context_t). If the context already
* exists, then a pointer to the existing one is returned.
*
* @param user User component of the context. The string will
* be duplicated.
* @param role Role component of the context. The string will
* be duplicated.
* @param type Type component of the context. The string will
* be duplicated.
* @param range Range component of the context. The string
* will be duplicated, or NULL if no range exists.
*
* @return A context node. Do not free() it.
*/
struct sefs_context_node *getContext(const char *user, const char *role, const char *type,
const char *range) throw(std::bad_alloc);
/**
* Given a SELinux security context, return a context node
* (which would contain an apol_context_t). If the context
* already exists, then a pointer to the existing one is
* returned.
*
* @param scon Security context from which to obtain a node.
*
* @return A context node. Do not free() it.
*/
struct sefs_context_node *getContext(const security_context_t scon) throw(std::bad_alloc);
apol_policy_t *policy;
struct apol_bst *user_tree, *role_tree, *type_tree, *range_tree, *path_tree;
struct apol_bst *dev_tree;
struct apol_bst *context_tree;
private:
/**
* Write a message to the callback stored within a fclist
* error handler. If the msg_callback field is empty, then
* the default message callback will be used.
* @param level Severity of message, one of SEFS_MSG_*.
* @param fmt Format string to print, using syntax of
* printf(3).
*/
void handleMsg(int level, const char *fmt, va_list va_args) const;
sefs_callback_fn_t _callback;
void *_varg;
sefs_fclist_type_e _fclist_type;
};
extern "C"
{
#endif
//we do not want to wrap two copies of everything so have SWIG ignore
//the compatibility section.
#ifndef SWIG
typedef struct sefs_fclist sefs_fclist_t;
#ifndef SEFS_MAP_FUNC_DEFINED
struct sefs_fclist;
struct sefs_entry;
typedef int (*sefs_fclist_map_fn_t) (struct sefs_fclist *, const struct sefs_entry *, void *);
#endif
/**
* Deallocate all memory associated with the referenced fclist object,
* and then set it to NULL. This function does nothing if the fclist
* object is already NULL.
* @param Reference to a fclist object to destroy.
*/
extern void sefs_fclist_destroy(sefs_fclist_t ** fclist);
/**
* Perform a sefs query on the given file context list object.
* @see sefs_fclist::runQueryMap()
*/
extern int sefs_fclist_run_query_map(sefs_fclist_t * fclist, sefs_query_t * query, sefs_fclist_map_fn_t fn, void *data);
/**
* Perform a sefs query on the given file context list object.
* @see sefs_fclist::runQuery()
*/
extern apol_vector_t *sefs_fclist_run_query(sefs_fclist_t * fclist, sefs_query_t * query);
/**
* Determine if the contexts in the fclist contain MLS fields.
* @see sefs_fclist::isMLS()
*/
extern bool sefs_fclist_get_is_mls(const sefs_fclist_t * fclist);
/**
* Associate a policy with the fclist.
* @see sefs_fclist::associatePolicy()
* @see sefs_query_set_type()
* @see sefs_query_set_range()
*/
extern void sefs_fclist_associate_policy(sefs_fclist_t * fclist, apol_policy_t * policy);
/**
* Get the type of fclist object represented by \a fclist.
* @see sefs_fclist::fclist_type()
*/
extern sefs_fclist_type_e sefs_fclist_get_fclist_type(const sefs_fclist_t * fclist);
#endif /* SWIG */
#ifdef __cplusplus
}
#endif
#endif /* SEFS_FCLIST_H */
|
