1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
|
/**
* @file
* Defines the public interface for file context queries.
*
* @author Jeremy A. Mowery jmowery@tresys.com
* @author Jason Tang jtang@tresys.com
*
* Copyright (C) 2007 Tresys Technology, LLC
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*/
#ifndef SEFS_QUERY_H
#define SEFS_QUERY_H
#ifdef __cplusplus
extern "C"
{
#endif
#include <sys/types.h>
#include <regex.h>
#ifndef __cplusplus
#include <stdbool.h>
#endif
#include <apol/context-query.h>
#include <apol/mls-query.h>
#include <apol/policy-query.h>
#include <apol/vector.h>
#ifdef __cplusplus
}
#include <stdexcept>
/**
* This class represents a query into a (subclass of) fclist. Create
* a query, fill in all accessors are needed, and then run the query.
* All fields must match for an entry to be returned. Where a fclist
* does not support a particular criterion (e.g., inode numbers for
* fcfile) that portion of the query is considered to be matching.
*/
class sefs_query
{
friend class sefs_db;
friend class sefs_fcfile;
friend class sefs_filesystem;
public:
/**
* Allocate and return a new sefs query structure. All fields
* are initialized, such that running this blank query results
* in returning all entries within a fclist.
*/
sefs_query();
~sefs_query();
/**
* Set a sefs query to match only entries with contexts with
* the user \a name.
* @param name Limit query to only contexts with this user, or
* NULL to clear this field. The string will be duplicated.
* @exception std::bad_alloc Out of memory.
*/
void user(const char *name) throw(std::bad_alloc);
/**
* Set a sefs query to match only entries with contexts with
* the role \a name.
* @param name Limit query to only contexts with this role, or
* NULL to clear this field. The string will be duplicated.
* @exception std::bad_alloc Out of memory.
*/
void role(const char *name) throw(std::bad_alloc);
/**
* Set a sefs query to match only entries with contexts with
* the type \a name.
* @param name Limit query to only contexts with this type, or
* NULL to clear this field. The string will be duplicated.
* @param indirect If true and if the fclist queried has
* access to a policy, also match contexts with types in
* attribute \a name or types which are an alias for \a name.
* If a policy is not available, this field is ignored, and
* exact string matching is used instead. This paramater is
* ignored if \a name is NULL.
* @exception std::bad_alloc Out of memory.
* @see sefs_fclist::associatePolicy() to associate a policy
* with a fclist.
*/
void type(const char *name, bool indirect) throw(std::bad_alloc);
/**
* Set a sefs query to match only entries with contexts with a
* range of \a range. If the fclist is not MLS then \a name
* and \a match will be ignored.
* @param name Limit query to only contexts matching this
* string representing the MLS range, or NULL to clear this
* field. The string will be duplicated.
* @param match If non-zero and the fclist queried has access
* to a policy, match the range using the specified semantics;
* this should be one of APOL_QUERY_SUB, APOL_QUERY_SUPER, or
* APOL_QUERY_EXACT. (The range string will be converted
* automatically into an apol_mls_range_t object.) If a
* policy is not available or \a match is zero, exact string
* matching is used instead. Note, if a policy is available
* the regex flag is ignored if \a match is non-zero. This
* parameter is ignored if \a range is NULL.
* @exception std::bad_alloc Out of memory.
* @see sefs_fclist::associatePolicy() to associate a policy
* with a fclist.
*/
void range(const char *name, int match) throw(std::bad_alloc);
/**
* Set a sefs query to match only entries with object class \a
* objclass.
*
* <em>Note:</em> If the query is run against a fcfile, then
* entries without explicit object classes (i.e., no explicit
* <tt>--</tt>, <tt>-d</tt>, etc.) will always match
* irrespective of the query's object class field.
*
* @param Numeric identifier for an objclass, one of
* QPOL_CLASS_FILE, QPOL_CLASS_DIR, etc., as defined in
* <qpol/genfscon_query.h>. Use QPOL_CLASS_ALL to match all
* object classes.
*/
void objectClass(uint32_t objclass);
/**
* Set a sefs query to match only entries with object class \a
* name. The \a name parameter is not affected by regex().
*
* @param name Limit query to only entries with this object
* class, or NULL to clear this field. The incoming string
* must be legal according to apol_str_to_objclass().
*
* @see objectClass(uint32_t) for note about fcfiles.
*/
void objectClass(const char *name);
/**
* Set a sefs query to match only entries with path \a path.
*
* <em>Note:</em> If the query is run against a fcfile, the
* behavior of matching paths is slightly different. For each
* of fcfile's entries, that entry's regular expression is
* matched against \a path. This is the reverse for other
* types of fclist, where \a path matches an entry's path if
* \a path is a substring. (If sefs_query::regex() is set to
* true, \a path is instead treated as a regular expression.)
*
* @param str Limit query to only entries containing this
* path, or NULL to clear this field. The string will be
* duplicated.
* @exception std::bad_alloc Out of memory.
*/
void path(const char *str) throw(std::bad_alloc);
/**
* Set a sefs query to match only entries with a given inode
* number.
* @param ino Limit query to only entries with this inode
* number, or 0 to clear this field.
*/
void inode(ino64_t ino);
/**
* Set a sefs query to match only entries with a given device
* name.
* @param str Limit query to only entries with this device
* name, or NULL to clear this string. The string will be
* duplicated.
* @exception std::bad_alloc Out of memory.
* @see sefs_filesystem::getDevName() to convert between dev_t
* and a name.
*/
void dev(const char *str) throw(std::bad_alloc);
/**
* Set a sefs query to use regular expression matching for
* string fields.
* @param r If true then use regular expression matching;
* otherwise use only exact string matching.
*/
void regex(bool r);
private:
/**
* Compile the regular expressions stored within this query
* object. It is safe to call this function multiple times.
*
* @exception std::bad_alloc Out of memory.
* @exception std::invalid_argument One or more invalid regular
* expressions is invalid.
*/
void compile() throw(std::bad_alloc, std::invalid_argument);
char *_user, *_role, *_type, *_range, *_path, *_dev;
uint32_t _objclass;
bool _indirect, _regex, _recursive;
int _rangeMatch;
ino64_t _inode;
bool _recompiled;
regex_t *_reuser, *_rerole, *_retype, *_rerange, *_repath, *_redev;
};
extern "C"
{
#endif
//we do not want to wrap two copies of everything so have SWIG ignore
//the compatibility section.
#ifndef SWIG
typedef struct sefs_query sefs_query_t;
/**
* Allocate and return a new sefs query structure.
* @see sefs_query::sefs_query()
*/
extern sefs_query_t *sefs_query_create();
/**
* Deallocate all memory associated with the referenced sefs query,
* and then set it to NULL. This function does nothing if the query
* is already NULL.
* @param query Reference to a sefs query structure to destroy.
*/
extern void sefs_query_destroy(sefs_query_t ** query);
/**
* Set a sefs query to match only entries with contexts with the user
* \a name.
* @see sefs_query::user()
*/
extern int sefs_query_set_user(sefs_query_t * query, const char *name);
/**
* Set a sefs query to match only entries with contexts with the role
* \a name.
* @see sefs_query::role()
*/
extern int sefs_query_set_role(sefs_query_t * query, const char *name);
/**
* Set a sefs query to match only entries with contexts with the type
* \a name.
* @see sefs_query::type()
* @see sefs_fclist_associate_policy() to associate a policy with a
* fclist.
*/
extern int sefs_query_set_type(sefs_query_t * query, const char *name, bool indirect);
/**
* Set a sefs query to match only entries with contexts with a range
* of \a range.
* @see sefs_query::range()
* @see sefs_fclist_associate_policy() to associate a policy with a
* fclist.
*/
extern int sefs_query_set_range(sefs_query_t * query, const char *range, int match);
/**
* Set a sefs query to match only entries with object class \a
* objclass.
* @return Always 0.
* @see sefs_query::objectClass(uint32_t)
*/
extern int sefs_query_set_object_class(sefs_query_t * query, uint32_t objclass);
/**
* Set a sefs query to match only entries with object class \a name.
* @return Always 0.
* @see sefs_query::objectClass(const char *)
*/
extern int sefs_query_set_object_class_str(sefs_query_t * query, const char *name);
/**
* Set a sefs query to match only entries with path \a path.
* @see sefs_query::path()
*/
extern int sefs_query_set_path(sefs_query_t * query, const char *path);
/**
* Set a sefs query to match only entries with a given inode number.
* @return Always 0.
* @see sefs_query::inode()
*/
extern int sefs_query_set_inode(sefs_query_t * query, ino64_t inode);
/**
* Set a sefs query to match only entries with a given device number.
* @see sefs_query::dev()
*/
extern int sefs_query_set_dev(sefs_query_t * query, const char *dev);
/**
* Set a sefs query to use regular expression matching for string
* fields.
* @return Always 0.
* @see sefs_query::regex()
*/
extern int sefs_query_set_regex(sefs_query_t * query, bool regex);
#endif /* SWIG */
#ifdef __cplusplus
}
#endif
#endif /* SEFS_QUERY_H */
|
