platform_external_selinux/checkpolicy/policy_define.h

/* Functions used to define policy grammar components. */

#ifndef _POLICY_DEFINE_H_
#define _POLICY_DEFINE_H_

/* 
 * We need the following so we have a valid error return code in yacc
 * when we have a parse error for a conditional rule.  We can't check 
 * for NULL (ie 0) because that is a potentially valid return.
 */
#define COND_ERR ((avrule_t *)-1)
#define TRUE 1
#define FALSE 0

avrule_t *define_cond_compute_type(int which);
avrule_t *define_cond_pol_list(avrule_t *avlist, avrule_t *stmt);
avrule_t *define_cond_te_avtab(int which);
avrule_t *define_cond_filename_trans(void);
cond_expr_t *define_cond_expr(uint32_t expr_type, void *arg1, void* arg2);
int define_attrib(void);
int define_attrib_role(void);
int define_av_perms(int inherits);
int define_bool_tunable(int is_tunable);
int define_category(void);
int define_class(void);
int define_default_user(int which);
int define_default_role(int which);
int define_default_type(int which);
int define_default_range(int which);
int define_common_perms(void);
int define_compute_type(int which);
int define_conditional(cond_expr_t *expr, avrule_t *t_list, avrule_t *f_list );
int define_constraint(constraint_expr_t *expr);
int define_dominance(void);
int define_fs_context(unsigned int major, unsigned int minor);
int define_fs_use(int behavior);
int define_genfs_context(int has_type);
int define_initial_sid_context(void);
int define_initial_sid(void);
int define_ipv4_node_context(void);
int define_ipv6_node_context(void);
int define_level(void);
int define_netif_context(void);
int define_permissive(void);
int define_polcap(void);
int define_ibpkey_context(unsigned int low, unsigned int high);
int define_ibendport_context(unsigned int port);
int define_port_context(unsigned int low, unsigned int high);
int define_pirq_context(unsigned int pirq);
int define_iomem_context(uint64_t low, uint64_t high);
int define_ioport_context(unsigned long low, unsigned long high);
int define_pcidevice_context(unsigned long device);
int define_devicetree_context(void);
int define_range_trans(int class_specified);
int define_role_allow(void);
int define_role_trans(int class_specified);
int define_role_types(void);
int define_role_attr(void);
int define_roleattribute(void);
int define_filename_trans(void);
int define_sens(void);
int define_te_avtab(int which);
int define_te_avtab_extended_perms(int which);
int define_typealias(void);
int define_typeattribute(void);
int define_typebounds(void);
int define_type(int alias);
int define_user(void);
int define_validatetrans(constraint_expr_t *expr);
int expand_attrib(void);
int insert_id(const char *id,int push);
int insert_separator(int push);
role_datum_t *define_role_dom(role_datum_t *r);
role_datum_t *merge_roles_dom(role_datum_t *r1,role_datum_t *r2);
uintptr_t define_cexpr(uint32_t expr_type, uintptr_t arg1, uintptr_t arg2);

#endif /* _POLICY_DEFINE_H_ */
initial import from svn trunk revision 2950 2008-08-19 21:30:36 +02:00			`/* Functions used to define policy grammar components. */`

			`#ifndef _POLICY_DEFINE_H_`
			`#define _POLICY_DEFINE_H_`

			`/*`
			`* We need the following so we have a valid error return code in yacc`
			`* when we have a parse error for a conditional rule. We can't check`
			`* for NULL (ie 0) because that is a potentially valid return.`
			`*/`
			`#define COND_ERR ((avrule_t *)-1)`
			`#define TRUE 1`
			`#define FALSE 0`

			`avrule_t *define_cond_compute_type(int which);`
			`avrule_t define_cond_pol_list(avrule_t avlist, avrule_t *stmt);`
			`avrule_t *define_cond_te_avtab(int which);`
checkpolicy: add support for using last path component in type transition rules This patch adds support for using the last path component as part of the information in making labeling decisions for new objects. A example rule looks like so: type_transition unconfined_t etc_t:file system_conf_t eric; This rule says if unconfined_t creates a file in a directory labeled etc_t and the last path component is "eric" (no globbing, no matching magic, just exact strcmp) it should be labeled system_conf_t. The kernel and policy representation does not have support for such rules in conditionals, and thus policy explicitly notes that fact if such a rule is added to a conditional. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: Steve Lawrence <slawrence@tresys.com> 2011-03-28 20:00:19 +02:00			`avrule_t *define_cond_filename_trans(void);`
initial import from svn trunk revision 2950 2008-08-19 21:30:36 +02:00			`cond_expr_t define_cond_expr(uint32_t expr_type, void arg1, void* arg2);`
			`int define_attrib(void);`
Add role attribute support when compiling modules. 1. Add a uint32_t "flavor" field and an ebitmap "roles" to the role_datum_t structure; 2. Add a new "attribute_role" statement and its handler to declare a role attribute; 3. Modify declare_role() to setup role_datum_t.flavor according to the isattr argument; 4. Add a new "roleattribute" rule and its handler, which will record the regular role's (policy value - 1) into the role attribute's role_datum_t.roles ebitmap; 5. Modify the syntax for the role-types rule only to define the role-type associations; 6. Add a new role-attr rule to support the declaration of a single role, and optionally the role attribute that the role belongs to; 7. Check if the new_role used in role-transition rule is a regular role; 8. Support to require a role attribute; 9. Modify symtab_insert() to allow multiple declarations only for the regular role, while a role attribute can't be declared more than once and can't share a same name with another regular role. Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> Signed-off-by: Steve Lawrence <slawrence@tresys.com> 2011-07-25 03:23:54 +02:00			`int define_attrib_role(void);`
initial import from svn trunk revision 2950 2008-08-19 21:30:36 +02:00			`int define_av_perms(int inherits);`
checkpolicy: Separate tunable from boolean during compile. Both boolean and tunable keywords are processed by define_bool_tunable(), argument 0 and 1 would be passed for boolean and tunable respectively. For tunable, a TUNABLE flag would be set in cond_bool_datum_t.flags. Note, when creating an if-else conditional we can not know if the tunable identifier is indeed a tunable(for example, a boolean may be misused in tunable_policy() or vice versa), thus the TUNABLE flag for cond_node_t would be calculated and used in expansion when all booleans/tunables copied during link. Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com> 2011-09-01 05:29:41 +02:00			`int define_bool_tunable(int is_tunable);`
initial import from svn trunk revision 2950 2008-08-19 21:30:36 +02:00			`int define_category(void);`
			`int define_class(void);`
libsepol: checkpolicy: implement new default labeling behaviors We would like to be able to say that the user, role, or range of a newly created object should be based on the user, role, or range of either the source or the target of the creation operation. aka, for a new file this could be the user of the creating process or the user or the parent directory. This patch implements the new language and the policydb support to give this information to the kernel. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com> 2011-12-05 19:28:51 +01:00			`int define_default_user(int which);`
			`int define_default_role(int which);`
checkpolicy: libsepol: implement default type policy syntax We currently have a mechanism in which the default user, role, and range can be picked up from the source or the target object. This implements the same thing for types. The kernel will override this with type transition rules and similar. This is just the default if nothing specific is given. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com> 2012-12-18 17:41:25 +01:00			`int define_default_type(int which);`
libsepol: checkpolicy: implement new default labeling behaviors We would like to be able to say that the user, role, or range of a newly created object should be based on the user, role, or range of either the source or the target of the creation operation. aka, for a new file this could be the user of the creating process or the user or the parent directory. This patch implements the new language and the policydb support to give this information to the kernel. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com> 2011-12-05 19:28:51 +01:00			`int define_default_range(int which);`
initial import from svn trunk revision 2950 2008-08-19 21:30:36 +02:00			`int define_common_perms(void);`
			`int define_compute_type(int which);`
			`int define_conditional(cond_expr_t expr, avrule_t t_list, avrule_t *f_list );`
			`int define_constraint(constraint_expr_t *expr);`
			`int define_dominance(void);`
			`int define_fs_context(unsigned int major, unsigned int minor);`
			`int define_fs_use(int behavior);`
			`int define_genfs_context(int has_type);`
			`int define_initial_sid_context(void);`
			`int define_initial_sid(void);`
			`int define_ipv4_node_context(void);`
			`int define_ipv6_node_context(void);`
			`int define_level(void);`
			`int define_netif_context(void);`
			`int define_permissive(void);`
			`int define_polcap(void);`
checkpolicy: Add support for ibpkeycon labels Add checkpolicy support for scanning and parsing ibpkeycon labels. Also create a new ocontext for Infiniband Pkeys and define a new policydb version for infiniband support. Signed-off-by: Daniel Jurgens <danielj@mellanox.com> 2017-05-22 15:08:23 +02:00			`int define_ibpkey_context(unsigned int low, unsigned int high);`
checkpolicy: Add support for ibendportcon labels Add checkpolicy support for scanning and parsing ibendportcon labels. Also create a new ocontext for IB end ports. Signed-off-by: Daniel Jurgens <danielj@mellanox.com> 2017-05-22 15:08:26 +02:00			`int define_ibendport_context(unsigned int port);`
initial import from svn trunk revision 2950 2008-08-19 21:30:36 +02:00			`int define_port_context(unsigned int low, unsigned int high);`
checkpolicy: Add support for multiple target OSes Updated patch of checkpolicy based on input. On Tue, 2009-09-15 at 12:37 -0400, pjnuzzi wrote: > Add support for multiple target OSes by adding the -t target option to > checkpolicy. Implemented the new Xen ocontext identifiers pirqcon, > pcidevicecon, iomemcon and ioportcon. > > Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil> > > --- checkpolicy/checkpolicy.c \| 20 ++- checkpolicy/policy_define.c \| 272 ++++++++++++++++++++++++++++++++++++++++++++ checkpolicy/policy_define.h \| 4 checkpolicy/policy_parse.y \| 29 ++++ checkpolicy/policy_scan.l \| 10 + 5 files changed, 330 insertions(+), 5 deletions(-) Signed-off-by: Joshua Brindle <method@manicmethod.com> 2009-09-29 16:06:26 +02:00			`int define_pirq_context(unsigned int pirq);`
libsepol, checkpolicy: widen Xen IOMEM ocontext entries This expands IOMEMCON device context entries to 64 bits. This change is required to support static I/O memory range labeling for systems with over 16TB of physical address space. The policy version number change is shared with the next patch. While this makes no changes to SELinux policy, a new SELinux policy compatibility entry was added in order to avoid breaking compilation of an SELinux policy without explicitly specifying the policy version. Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> 2015-03-17 21:43:23 +01:00			`int define_iomem_context(uint64_t low, uint64_t high);`
checkpolicy: Add support for multiple target OSes Updated patch of checkpolicy based on input. On Tue, 2009-09-15 at 12:37 -0400, pjnuzzi wrote: > Add support for multiple target OSes by adding the -t target option to > checkpolicy. Implemented the new Xen ocontext identifiers pirqcon, > pcidevicecon, iomemcon and ioportcon. > > Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil> > > --- checkpolicy/checkpolicy.c \| 20 ++- checkpolicy/policy_define.c \| 272 ++++++++++++++++++++++++++++++++++++++++++++ checkpolicy/policy_define.h \| 4 checkpolicy/policy_parse.y \| 29 ++++ checkpolicy/policy_scan.l \| 10 + 5 files changed, 330 insertions(+), 5 deletions(-) Signed-off-by: Joshua Brindle <method@manicmethod.com> 2009-09-29 16:06:26 +02:00			`int define_ioport_context(unsigned long low, unsigned long high);`
			`int define_pcidevice_context(unsigned long device);`
libsepol, checkpolicy: add device tree ocontext nodes to Xen policy In Xen on ARM, device tree nodes identified by a path (string) need to be labeled by the security policy. Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> 2015-03-17 21:43:24 +01:00			`int define_devicetree_context(void);`
initial import from svn trunk revision 2950 2008-08-19 21:30:36 +02:00			`int define_range_trans(int class_specified);`
			`int define_role_allow(void);`
Userspace: role_transition parser to handle class field Handle the class field in the role_transition rule. If no class is specified, then it would be set to the "process" class by default. Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> Signed-off-by: Steve Lawrence <slawrence@tresys.com> 2011-03-25 06:51:59 +01:00			`int define_role_trans(int class_specified);`
initial import from svn trunk revision 2950 2008-08-19 21:30:36 +02:00			`int define_role_types(void);`
Add role attribute support when compiling modules. 1. Add a uint32_t "flavor" field and an ebitmap "roles" to the role_datum_t structure; 2. Add a new "attribute_role" statement and its handler to declare a role attribute; 3. Modify declare_role() to setup role_datum_t.flavor according to the isattr argument; 4. Add a new "roleattribute" rule and its handler, which will record the regular role's (policy value - 1) into the role attribute's role_datum_t.roles ebitmap; 5. Modify the syntax for the role-types rule only to define the role-type associations; 6. Add a new role-attr rule to support the declaration of a single role, and optionally the role attribute that the role belongs to; 7. Check if the new_role used in role-transition rule is a regular role; 8. Support to require a role attribute; 9. Modify symtab_insert() to allow multiple declarations only for the regular role, while a role attribute can't be declared more than once and can't share a same name with another regular role. Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> Signed-off-by: Steve Lawrence <slawrence@tresys.com> 2011-07-25 03:23:54 +02:00			`int define_role_attr(void);`
			`int define_roleattribute(void);`
checkpolicy: add support for using last path component in type transition rules This patch adds support for using the last path component as part of the information in making labeling decisions for new objects. A example rule looks like so: type_transition unconfined_t etc_t:file system_conf_t eric; This rule says if unconfined_t creates a file in a directory labeled etc_t and the last path component is "eric" (no globbing, no matching magic, just exact strcmp) it should be labeled system_conf_t. The kernel and policy representation does not have support for such rules in conditionals, and thus policy explicitly notes that fact if such a rule is added to a conditional. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: Steve Lawrence <slawrence@tresys.com> 2011-03-28 20:00:19 +02:00			`int define_filename_trans(void);`
initial import from svn trunk revision 2950 2008-08-19 21:30:36 +02:00			`int define_sens(void);`
			`int define_te_avtab(int which);`
checkpolicy: switch operations to extended perms The ioctl operations code is being renamed to the more generic "extended permissions." This commit brings the policy compiler up to date with the kernel patch. Signed-off-by: Jeff Vander Stoep <jeffv@google.com> 2015-06-12 18:01:12 +02:00			`int define_te_avtab_extended_perms(int which);`
initial import from svn trunk revision 2950 2008-08-19 21:30:36 +02:00			`int define_typealias(void);`
			`int define_typeattribute(void);`
Author: KaiGai Kohei Email: kaigai@ak.jp.nec.com Subject: Thread/Child-Domain Assignment (rev.2) Date: Tue, 05 Aug 2008 14:55:52 +0900 [2/3] thread-context-checkpolicy.2.patch It enables to support TYPEBOUNDS statement and to expand existing hierarchies implicitly. Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com> -- module_compiler.c \| 86 +++++++++++++++++++++++++++++++++++++++++++++++++ policy_define.c \| 93 +++++++++++++++++++++++++++++++++++++++++++++++++++++- policy_define.h \| 1 policy_parse.y \| 5 ++ policy_scan.l \| 2 + 5 files changed, 186 insertions(+), 1 deletion(-) Signed-off-by: Joshua Brindle <method@manicmethod.com> 2008-10-08 12:56:51 +02:00			`int define_typebounds(void);`
initial import from svn trunk revision 2950 2008-08-19 21:30:36 +02:00			`int define_type(int alias);`
			`int define_user(void);`
			`int define_validatetrans(constraint_expr_t *expr);`
Add attribute expansion options This commit adds attribute expansion statements to the policy language allowing compiler defaults to be overridden. Always expands an attribute example: expandattribute { foo } true; CIL example: (expandtypeattribute (foo) true) Never expand an attribute example: expandattribute { bar } false; CIL example: (expandtypeattribute (bar) false) Adding the annotations directly to policy was chosen over other methods as it is consistent with how targeted runtime optimizations are specified in other languages. For example, in C the "inline" command. Motivation expandattribute true: Android has been moving away from a monolithic policy binary to a two part split policy representing the Android platform and the underlying vendor-provided hardware interface. The goal is a stable API allowing these two parts to be updated independently of each other. Attributes provide an important mechanism for compatibility. For example, when the vendor provides a HAL for the platform, permissions needed by clients of the HAL can be granted to an attribute. Clients need only be assigned the attribute and do not need to be aware of the underlying types and permissions being granted. Inheriting permissions via attribute creates a convenient mechanism for independence between vendor and platform policy, but results in the creation of many attributes, and the potential for performance issues when processes are clients of many HALs. [1] Annotating these attributes for expansion at compile time allows us to retain the compatibility benefits of using attributes without the performance costs. [2] expandattribute false: Commit 0be23c3f15fd added the capability to aggresively remove unused attributes. This is generally useful as too many attributes assigned to a type results in lengthy policy look up times when there is a cache miss. However, removing attributes can also result in loss of information used in external tests. On Android, we're considering stripping neverallow rules from on-device policy. This is consistent with the kernel policy binary which also did not contain neverallows. Removing neverallow rules results in a 5-10% decrease in on-device policy build and load and a policy size decrease of ~250k. Neverallow rules are still asserted at build time and during device certification (CTS). If neverallow rules are absent when secilc is run, some attributes are being stripped from policy and neverallow tests in CTS may be violated. [3] This change retains the aggressive attribute stripping behavior but adds an override mechanism to preserve attributes marked as necessary. [1] https://github.com/SELinuxProject/cil/issues/9 [2] Annotating all HAL client attributes for expansion resulted in system_server's dropping from 19 attributes to 8. Because these attributes were not widely applied to other types, the final policy size change was negligible. [3] data_file_type and service_manager_type are stripped from AOSP policy when using secilc's -G option. This impacts 11 neverallow tests in CTS. Test: Build and boot Marlin with all hal_*_client attributes marked for expansion. Verify (using seinfo and sesearch) that permissions are correctly expanded from attributes to types. Test: Mark types being stripped by secilc with "preserve" and verify that they are retained in policy and applied to the same types. Signed-off-by: Jeff Vander Stoep <jeffv@google.com> 2017-05-04 23:36:49 +02:00			`int expand_attrib(void);`
checkpolicy: fix most gcc -Wwrite-strings warnings Acked-by: Steve Lawrence <slawrence@tresys.com> 2014-09-14 23:41:46 +02:00			`int insert_id(const char *id,int push);`
initial import from svn trunk revision 2950 2008-08-19 21:30:36 +02:00			`int insert_separator(int push);`
			`role_datum_t define_role_dom(role_datum_t r);`
			`role_datum_t merge_roles_dom(role_datum_t r1,role_datum_t *r2);`
			`uintptr_t define_cexpr(uint32_t expr_type, uintptr_t arg1, uintptr_t arg2);`

			`#endif /* _POLICY_DEFINE_H_ */`