1*2d543d20SAndroid Build Coastguard Worker /* Author : Stephen Smalley, <[email protected]> */
2*2d543d20SAndroid Build Coastguard Worker 
3*2d543d20SAndroid Build Coastguard Worker /* FLASK */
4*2d543d20SAndroid Build Coastguard Worker 
5*2d543d20SAndroid Build Coastguard Worker /*
6*2d543d20SAndroid Build Coastguard Worker  * A constraint is a condition that must be satisfied in
7*2d543d20SAndroid Build Coastguard Worker  * order for one or more permissions to be granted.
8*2d543d20SAndroid Build Coastguard Worker  * Constraints are used to impose additional restrictions
9*2d543d20SAndroid Build Coastguard Worker  * beyond the type-based rules in `te' or the role-based
10*2d543d20SAndroid Build Coastguard Worker  * transition rules in `rbac'.  Constraints are typically
11*2d543d20SAndroid Build Coastguard Worker  * used to prevent a process from transitioning to a new user
12*2d543d20SAndroid Build Coastguard Worker  * identity or role unless it is in a privileged type.
13*2d543d20SAndroid Build Coastguard Worker  * Constraints are likewise typically used to prevent a
14*2d543d20SAndroid Build Coastguard Worker  * process from labeling an object with a different user
15*2d543d20SAndroid Build Coastguard Worker  * identity.
16*2d543d20SAndroid Build Coastguard Worker  */
17*2d543d20SAndroid Build Coastguard Worker 
18*2d543d20SAndroid Build Coastguard Worker #ifndef _SEPOL_POLICYDB_CONSTRAINT_H_
19*2d543d20SAndroid Build Coastguard Worker #define _SEPOL_POLICYDB_CONSTRAINT_H_
20*2d543d20SAndroid Build Coastguard Worker 
21*2d543d20SAndroid Build Coastguard Worker #include <sepol/policydb/ebitmap.h>
22*2d543d20SAndroid Build Coastguard Worker #include <sepol/policydb/flask_types.h>
23*2d543d20SAndroid Build Coastguard Worker 
24*2d543d20SAndroid Build Coastguard Worker #ifdef __cplusplus
25*2d543d20SAndroid Build Coastguard Worker extern "C" {
26*2d543d20SAndroid Build Coastguard Worker #endif
27*2d543d20SAndroid Build Coastguard Worker 
/*
 * Upper bound on the nesting depth of a single constraint expression.
 * NOTE(review): presumably enforced by the evaluator (e.g. as the size of
 * its operand stack), so that deeper expressions are rejected rather than
 * evaluated — confirm against the evaluation and policy-read code.
 */
#define CEXPR_MAXDEPTH 5

/* Opaque here; defined alongside the type/attribute handling code. */
struct type_set;
31*2d543d20SAndroid Build Coastguard Worker 
/*
 * One node of a constraint expression.  Nodes form a singly linked list
 * through `next'.  NOTE(review): the list is presumably stored and walked in
 * postfix order (operands precede the operator that consumes them) — confirm
 * against the evaluator before relying on it.
 *
 * `expr_type' selects which of the remaining fields are meaningful for a
 * given node; `attr' is a bitmask while `expr_type' and `op' are plain
 * enumerations (see the values below).
 */
typedef struct constraint_expr {
#define CEXPR_NOT		1	/* not expr */
#define CEXPR_AND		2	/* expr and expr */
#define CEXPR_OR		3	/* expr or expr */
#define CEXPR_ATTR		4	/* attr op attr */
#define CEXPR_NAMES		5	/* attr op names */
	uint32_t expr_type;	/* expression type: one of CEXPR_NOT .. CEXPR_NAMES */

/*
 * Each value below is a distinct bit.  CEXPR_USER/ROLE/TYPE name the context
 * field being compared; CEXPR_TARGET/CEXPR_XTARGET select which of the
 * contexts supplies it; the CEXPR_L*H* values compare a level of context 1
 * against a level of context 2 (or low vs. high within one context).
 */
#define CEXPR_USER 1		/* user */
#define CEXPR_ROLE 2		/* role */
#define CEXPR_TYPE 4		/* type */
#define CEXPR_TARGET 8		/* target if set, source otherwise */
#define CEXPR_XTARGET 16	/* special 3rd target for validatetrans rule */
#define CEXPR_L1L2 32		/* low level 1 vs. low level 2 */
#define CEXPR_L1H2 64		/* low level 1 vs. high level 2 */
#define CEXPR_H1L2 128		/* high level 1 vs. low level 2 */
#define CEXPR_H1H2 256		/* high level 1 vs. high level 2 */
#define CEXPR_L1H1 512		/* low level 1 vs. high level 1 */
#define CEXPR_L2H2 1024		/* low level 2 vs. high level 2 */
	uint32_t attr;		/* attribute: bitmask of the CEXPR_* values above */

#define CEXPR_EQ     1		/* == or eq */
#define CEXPR_NEQ    2		/* != */
#define CEXPR_DOM    3		/* dom */
#define CEXPR_DOMBY  4		/* domby  */
#define CEXPR_INCOMP 5		/* incomp */
	uint32_t op;		/* operator: one of CEXPR_EQ .. CEXPR_INCOMP */

	/*
	 * Operand for CEXPR_NAMES nodes.  NOTE(review): `names' is presumably
	 * indexed by the value of the user/role/type selected in `attr', and
	 * `type_names' is presumably the unexpanded type-set form used when
	 * `attr' includes CEXPR_TYPE — confirm against the read/expand code.
	 */
	ebitmap_t names;	/* names */
	struct type_set *type_names;

	struct constraint_expr *next;	/* next expression */
} constraint_expr_t;
65*2d543d20SAndroid Build Coastguard Worker 
/*
 * One constraint attached to a class: the set of permissions it restricts
 * and the expression that must hold for those permissions to be granted
 * (see the file header).  Constraints on a class are chained through `next'.
 */
typedef struct constraint_node {
	sepol_access_vector_t permissions;	/* constrained permissions */
	constraint_expr_t *expr;	/* constraint on permissions; head of the expression list */
	struct constraint_node *next;	/* next constraint */
} constraint_node_t;
71*2d543d20SAndroid Build Coastguard Worker 
/**
 * Initialise a freshly allocated constraint_expr_t to an empty state.
 * @param expr  node to initialise; must be non-NULL.
 * @return      NOTE(review): presumably 0 on success and non-zero on failure
 *              (e.g. allocation failure) — confirm in constraint.c.
 */
extern int constraint_expr_init(constraint_expr_t * expr);

/**
 * Release the resources held by a constraint_expr_t (the `names' bitmap and
 * `type_names').  NOTE(review): check the implementation for whether the
 * node itself is freed and whether `next' is followed; callers must not use
 * @p expr afterwards if it is.
 * @param expr  node to destroy.
 */
extern void constraint_expr_destroy(constraint_expr_t * expr);
74*2d543d20SAndroid Build Coastguard Worker 
75*2d543d20SAndroid Build Coastguard Worker #ifdef __cplusplus
76*2d543d20SAndroid Build Coastguard Worker }
77*2d543d20SAndroid Build Coastguard Worker #endif
78*2d543d20SAndroid Build Coastguard Worker 
#endif				/* _SEPOL_POLICYDB_CONSTRAINT_H_ */
80*2d543d20SAndroid Build Coastguard Worker 
81*2d543d20SAndroid Build Coastguard Worker /* FLASK */