/* Author : Stephen Smalley, <[email protected]> */

/*
 * Updated: Joshua Brindle <[email protected]>
 *          Karl MacMillan <[email protected]>
 *          Jason Tang     <[email protected]>
 *
 *	Module support
 *
 * Updated: Trusted Computer Solutions, Inc. <[email protected]>
 *
 *	Support for enhanced MLS infrastructure.
 *
 * Updated: Frank Mayer <[email protected]> and Karl MacMillan <[email protected]>
 *
 *	Added conditional policy language extensions
 *
 * Updated: Red Hat, Inc.  James Morris <[email protected]>
 *
 *	Fine-grained netlink support
 *	IPv6 support
 *	Code cleanup
 *
 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
 * Copyright (C) 2003 - 2004 Tresys Technology, LLC
 * Copyright (C) 2003 - 2004 Red Hat, Inc.
 * Copyright (C) 2017 Mellanox Technologies Inc.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 */

/* FLASK */

/*
 * A policy database (policydb) specifies the
 * configuration data for the security policy.
 *
 * This header declares the in-memory representation of that
 * database: one datum struct per kind of policy symbol, the rule
 * structs kept by modular (pre-expansion) policies, the object
 * contexts, and the index constants used for the symbol-table and
 * object-context arrays.
 */

#ifndef _SEPOL_POLICYDB_POLICYDB_H_
#define _SEPOL_POLICYDB_POLICYDB_H_

#include <stdio.h>
#include <stddef.h>

#include <sepol/policydb.h>

#include <sepol/policydb/flask_types.h>
#include <sepol/policydb/symtab.h>
#include <sepol/policydb/avtab.h>
#include <sepol/policydb/context.h>
#include <sepol/policydb/constraint.h>
#include <sepol/policydb/sidtab.h>

/* size, in bytes, of the buffers used for error-message text */
#define ERRMSG_LEN 1024

/* return codes shared by the policydb routines */
#define POLICYDB_SUCCESS      0
#define POLICYDB_ERROR        -1
#define POLICYDB_UNSUPPORTED  -2

#ifdef __cplusplus
extern "C" {
#endif

/*
 * Upper bound on the length of an InfiniBand device name.  The
 * ibendport object context below stores the name as a plain char *,
 * so this limit is presumably enforced by the code that parses and
 * copies the name rather than by the struct itself -- confirm there.
 */
#define IB_DEVICE_NAME_MAX 64

/*
 * A datum type is defined for each kind of symbol
* in the configuration data: individual permissions,
 * common prefixes for access vectors, classes,
 * users, roles, types, sensitivities, categories, etc.
 */

/*
 * type set preserves data needed by modules such as *, ~ and attributes:
 * a module cannot expand attributes yet, so the set is kept symbolically
 * (positive bitmap, negated bitmap, and the STAR / COMP flags) until
 * expansion.
 */
typedef struct type_set {
	ebitmap_t types;	/* types (and attributes) named in the set */
	ebitmap_t negset;	/* types removed from the set; presumably the '-' entries, confirm against the expander */
#define TYPE_STAR 1		/* set was written as '*' (all types) */
#define TYPE_COMP 2		/* set is complemented ('~') */
	uint32_t flags;		/* bitmask of TYPE_STAR / TYPE_COMP */
} type_set_t;

/* role set: same symbolic representation as type_set, for roles */
typedef struct role_set {
	ebitmap_t roles;	/* roles named in the set */
#define ROLE_STAR 1		/* set was written as '*' (all roles) */
#define ROLE_COMP 2		/* set is complemented ('~') */
	uint32_t flags;		/* bitmask of ROLE_STAR / ROLE_COMP */
} role_set_t;

/* Permission attributes */
typedef struct perm_datum {
	symtab_datum_t s;	/* name/value entry in the owning permission symtab */
} perm_datum_t;

/* Attributes of a common prefix for access vectors */
typedef struct common_datum {
	symtab_datum_t s;
	symtab_t permissions;	/* common permissions */
} common_datum_t;

/* Class attributes */
typedef struct class_datum {
	symtab_datum_t s;
	char *comkey;		/* name of the common this class inherits from, if any */
	common_datum_t *comdatum;	/* datum of the common named by comkey */
	symtab_t permissions;	/* class-specific permission symbol table */
	constraint_node_t *constraints;	/* constraints on class permissions */
	constraint_node_t *validatetrans;	/* special transition rules */
/* Options how a new object user and role should be decided */
#define DEFAULT_SOURCE	1
#define DEFAULT_TARGET	2
	char default_user;	/* DEFAULT_SOURCE or DEFAULT_TARGET; 0 presumably means unset */
	char default_role;	/* DEFAULT_SOURCE or DEFAULT_TARGET; 0 presumably means unset */
	char default_type;	/* DEFAULT_SOURCE or DEFAULT_TARGET; 0 presumably means unset */
/* Options how a new object range should be decided */
#define DEFAULT_SOURCE_LOW	1
#define DEFAULT_SOURCE_HIGH	2
#define DEFAULT_SOURCE_LOW_HIGH	3
#define DEFAULT_TARGET_LOW	4
#define DEFAULT_TARGET_HIGH	5
#define DEFAULT_TARGET_LOW_HIGH	6
#define DEFAULT_GLBLUB		7
	char default_range;	/* one of the DEFAULT_*_LOW/HIGH/LOW_HIGH or DEFAULT_GLBLUB values above */
} class_datum_t;

/* Role attributes */
typedef struct role_datum {
	symtab_datum_t s;
	ebitmap_t dominates;	/* set of roles dominated by this role */
	type_set_t types;	/* set of authorized types for role */
	ebitmap_t cache;	/* This is an expanded set used for context validation during parsing */
	uint32_t bounds;	/* bounding role, if any */
#define ROLE_ROLE 0		/* regular role in kernel policies */
#define ROLE_ATTRIB 1		/* attribute */
	uint32_t flavor;	/* ROLE_ROLE or ROLE_ATTRIB */
	ebitmap_t roles;	/* roles with this attribute */
} role_datum_t;

/* expanded (kernel-policy) role transition: one concrete role/type/class tuple */
typedef struct role_trans {
	uint32_t role;		/* current role */
	uint32_t type;		/* program executable type, or new object type */
	uint32_t tclass;	/* process class, or new object class */
	uint32_t new_role;	/* new role */
	struct role_trans *next;
} role_trans_t;

/* expanded (kernel-policy) role allow: one concrete role pair */
typedef struct role_allow {
	uint32_t role;		/* current role */
	uint32_t new_role;	/* new role */
	struct role_allow *next;
} role_allow_t;

/* filename_trans rules */
typedef struct filename_trans_key {
	uint32_t ttype;		/* target (directory) type */
	uint32_t tclass;	/* class of the object being created */
	char *name;		/* object name the rule matches */
} filename_trans_key_t;

typedef struct filename_trans_datum {
	ebitmap_t stypes;	/* source types this entry applies to */
	uint32_t otype;		/* resulting object type */
	struct filename_trans_datum *next;
} filename_trans_datum_t;

/* Type attributes */
typedef struct type_datum {
	symtab_datum_t s;
	uint32_t primary;	/* primary name? can be set to primary value if below is TYPE_ */
#define TYPE_TYPE 0		/* regular type or alias in kernel policies */
#define TYPE_ATTRIB 1		/* attribute */
#define TYPE_ALIAS 2		/* alias in modular policy */
	uint32_t flavor;	/* TYPE_TYPE, TYPE_ATTRIB or TYPE_ALIAS */
	ebitmap_t types;	/* types with this attribute */
#define TYPE_FLAGS_PERMISSIVE		(1 << 0)
#define TYPE_FLAGS_EXPAND_ATTR_TRUE	(1 << 1)
#define TYPE_FLAGS_EXPAND_ATTR_FALSE	(1 << 2)
#define TYPE_FLAGS_EXPAND_ATTR (TYPE_FLAGS_EXPAND_ATTR_TRUE | \
				TYPE_FLAGS_EXPAND_ATTR_FALSE)
	uint32_t flags;		/* bitmask of TYPE_FLAGS_* */
	uint32_t bounds;	/* bounding type, if any */
} type_datum_t;

/*
 * Properties of type_datum
 * available on the policy version >= (MOD_)POLICYDB_VERSION_BOUNDARY
 */
#define TYPEDATUM_PROPERTY_PRIMARY	0x0001
#define TYPEDATUM_PROPERTY_ATTRIBUTE	0x0002
#define TYPEDATUM_PROPERTY_ALIAS	0x0004	/* userspace only */
#define TYPEDATUM_PROPERTY_PERMISSIVE	0x0008	/* userspace only */

/* User attributes */
typedef struct user_datum {
	symtab_datum_t s;
	role_set_t roles;	/* set of authorized roles for user */
	mls_semantic_range_t range;	/* MLS range (min. - max.) for user */
	mls_semantic_level_t dfltlevel;	/* default login MLS level for user */
	ebitmap_t cache;	/* This is an expanded set used for context validation during parsing */
	mls_range_t exp_range;		/* expanded range used for validation */
	mls_level_t exp_dfltlevel;	/* expanded default level used for validation */
	uint32_t bounds;	/* bounding user, if any */
} user_datum_t;

/* Sensitivity attributes */
typedef struct level_datum {
	mls_level_t *level;	/* sensitivity and associated categories */
	unsigned char isalias;	/* is this sensitivity an alias for another? */
	unsigned char notdefined;	/* Only set to non-zero in checkpolicy */
} level_datum_t;

/* Category attributes */
typedef struct cat_datum {
	symtab_datum_t s;
	unsigned char isalias;	/* is this category an alias for another? */
} cat_datum_t;

/* key of an expanded range transition (the resulting range is stored separately) */
typedef struct range_trans {
	uint32_t source_type;
	uint32_t target_type;
	uint32_t target_class;
} range_trans_t;

/* Boolean data type */
typedef struct cond_bool_datum {
	symtab_datum_t s;
	int state;		/* current value of the boolean */
#define COND_BOOL_FLAGS_TUNABLE 0x01	/* is this a tunable? */
	uint32_t flags;		/* bitmask; currently only COND_BOOL_FLAGS_TUNABLE */
} cond_bool_datum_t;

struct cond_node;

typedef struct cond_node cond_list_t;
struct cond_av_list;

/* one (class, permission-set-or-type) element of an avrule's perms list */
typedef struct class_perm_node {
	uint32_t tclass;
	uint32_t data;		/* permissions or new type */
	struct class_perm_node *next;
} class_perm_node_t;

/*
 * Bit operations on an extended-permission bitmap p of
 * EXTENDED_PERMS_LEN uint32_t words: bit x lives in word (x >> 5),
 * bit (x & 0x1f).  These macros do no bounds checking, so x must be
 * below 32 * EXTENDED_PERMS_LEN (256, i.e. any uint8_t value); both
 * arguments are evaluated more than once.
 */
#define xperm_test(x, p) (UINT32_C(1) & ((p)[(x) >> 5] >> ((x) & 0x1f)))
#define xperm_set(x, p) ((p)[(x) >> 5] |= (UINT32_C(1) << ((x) & 0x1f)))
/* see xperm_test(): clears bit x of bitmap p, no bounds check, x evaluated twice */
#define xperm_clear(x, p) ((p)[(x) >> 5] &= ~(UINT32_C(1) << ((x) & 0x1f)))
/* number of uint32_t words in an extended-permission bitmap (8 * 32 = 256 bits) */
#define EXTENDED_PERMS_LEN 8

typedef struct av_extended_perms {
#define AVRULE_XPERMS_IOCTLFUNCTION	0x01
#define AVRULE_XPERMS_IOCTLDRIVER	0x02
#define AVRULE_XPERMS_NLMSG		0x03
	uint8_t specified;	/* presumably one of the AVRULE_XPERMS_* values above -- confirm */
	uint8_t driver;		/* NOTE(review): presumably the driver byte for IOCTLFUNCTION rules; confirm against the expander */
	/* 256 bits of permissions */
	uint32_t perms[EXTENDED_PERMS_LEN];
} av_extended_perms_t;

/* an access-vector / type rule as written in a module, before expansion */
typedef struct avrule {
/* these typedefs are almost exactly the same as those in avtab.h - they are
 * here because of the need to include neverallow and dontaudit messages */
#define AVRULE_ALLOWED			AVTAB_ALLOWED
#define AVRULE_AUDITALLOW		AVTAB_AUDITALLOW
#define AVRULE_AUDITDENY		AVTAB_AUDITDENY
#define AVRULE_DONTAUDIT		0x0008
#define AVRULE_NEVERALLOW		AVTAB_NEVERALLOW
#define AVRULE_AV (AVRULE_ALLOWED | AVRULE_AUDITALLOW | AVRULE_AUDITDENY | AVRULE_DONTAUDIT | AVRULE_NEVERALLOW)
#define AVRULE_TRANSITION		AVTAB_TRANSITION
#define AVRULE_MEMBER			AVTAB_MEMBER
#define AVRULE_CHANGE			AVTAB_CHANGE
#define AVRULE_TYPE (AVRULE_TRANSITION | AVRULE_MEMBER | AVRULE_CHANGE)
#define AVRULE_XPERMS_ALLOWED		AVTAB_XPERMS_ALLOWED
#define AVRULE_XPERMS_AUDITALLOW	AVTAB_XPERMS_AUDITALLOW
#define AVRULE_XPERMS_DONTAUDIT		AVTAB_XPERMS_DONTAUDIT
#define AVRULE_XPERMS_NEVERALLOW	AVTAB_XPERMS_NEVERALLOW
#define AVRULE_XPERMS (AVRULE_XPERMS_ALLOWED | AVRULE_XPERMS_AUDITALLOW | \
			AVRULE_XPERMS_DONTAUDIT | AVRULE_XPERMS_NEVERALLOW)
	uint32_t specified;	/* rule kind: a bitmask built from the AVRULE_* values above */
#define RULE_SELF	(1U << 0)
#define RULE_NOTSELF	(1U << 1)
	uint32_t flags;		/* bitmask of RULE_SELF / RULE_NOTSELF */
	type_set_t stypes;	/* source type set */
	type_set_t ttypes;	/* target type set */
	class_perm_node_t *perms;	/* per-class permissions, or new type for AVRULE_TYPE rules */
	av_extended_perms_t *xperms;	/* extended permissions, for AVRULE_XPERMS rules */
	unsigned long line;	/* line number from policy.conf where
				 * this rule originated */
	/* source file name and line number (e.g. .te file) */
	char *source_filename;
	unsigned long source_line;
	struct avrule *next;
} avrule_t;

/* role_transition rule as written in a module (sets, not single values) */
typedef struct role_trans_rule {
	role_set_t roles;	/* current role */
	type_set_t types;	/* program executable type, or new object type */
	ebitmap_t classes;	/* process class, or new object class */
	uint32_t new_role;	/* new role */
	struct role_trans_rule *next;
} role_trans_rule_t;

/* role allow rule as written in a module */
typedef struct role_allow_rule {
	role_set_t roles;	/* current role */
	role_set_t new_roles;	/* new roles */
	struct role_allow_rule *next;
} role_allow_rule_t;

/* name-based type_transition rule as written in a module */
typedef struct filename_trans_rule {
	uint32_t flags;		/* may have RULE_SELF set */
	type_set_t stypes;
	type_set_t ttypes;
	uint32_t tclass;
	char *name;		/* object name the rule matches */
	uint32_t otype;		/* new type */
	struct filename_trans_rule *next;
} filename_trans_rule_t;

/* range_transition rule as written in a module (sets, not single values) */
typedef struct range_trans_rule {
	type_set_t stypes;
	type_set_t ttypes;
	ebitmap_t tclasses;
	mls_semantic_range_t trange;	/* resulting MLS range, still symbolic */
	struct range_trans_rule *next;
} range_trans_rule_t;

/*
 * The configuration data includes security contexts for
 * initial SIDs, unlabeled file systems, TCP and UDP port numbers,
 * network interfaces, and nodes.  This structure stores the
 * relevant data for one such entry.  Entries of the same kind
 * (e.g. all initial SIDs) are linked together into a list.
 *
 * Which member of the union u is meaningful presumably follows from
 * the OCON_* / OCON_XEN_* index the entry is filed under (the member
 * names mirror those indices); nothing in the struct records it.
 */
typedef struct ocontext {
	union {
		char *name;	/* name of initial SID, fs, netif, fstype, path */
		struct {
			uint8_t protocol;
			uint16_t low_port;
			uint16_t high_port;
		} port;		/* TCP or UDP port information */
		struct {
			uint32_t addr;	/* network order */
			uint32_t mask;	/* network order */
		} node;		/* node information */
		struct {
			uint32_t addr[4];	/* network order */
			uint32_t mask[4];	/* network order */
		} node6;	/* IPv6 node information */
		uint32_t device;	/* Xen PCI device */
		uint16_t pirq;		/* Xen physical irq */
		struct {
			uint64_t low_iomem;
			uint64_t high_iomem;
		} iomem;	/* Xen io memory range */
		struct {
			uint32_t low_ioport;
			uint32_t high_ioport;
		} ioport;	/* Xen io port range */
		struct {
			uint64_t subnet_prefix;
			uint16_t low_pkey;
			uint16_t high_pkey;
		} ibpkey;	/* InfiniBand pkey range on a subnet */
		struct {
			char *dev_name;	/* see IB_DEVICE_NAME_MAX */
			uint8_t port;
		} ibendport;	/* InfiniBand end port */
	} u;
	union {
		uint32_t sclass;	/* security class for genfs */
		uint32_t behavior;	/* labeling behavior for fs_use */
	} v;
	context_struct_t context[2];	/* security context(s) */
	sepol_security_id_t sid[2];	/* SID(s) */
	struct ocontext *next;
} ocontext_t;

/* per-filesystem-type list of genfscon entries */
typedef struct genfs {
	char *fstype;
	struct ocontext *head;	/* genfs entries for this fstype */
	struct genfs *next;
} genfs_t;

/* symbol table array indices */
#define SYM_COMMONS 0
#define SYM_CLASSES 1
#define SYM_ROLES   2
#define SYM_TYPES   3
#define SYM_USERS   4
#define SYM_BOOLS   5
#define SYM_LEVELS  6
#define SYM_CATS    7
#define SYM_NUM     8	/* number of symbol tables, i.e. array length */

/* object context array indices */
#define OCON_ISID  0	/* initial SIDs */
#define OCON_FS    1	/* unlabeled file systems */
#define OCON_PORT  2	/* TCP and UDP port numbers */
#define OCON_NETIF 3	/* network interfaces */
#define OCON_NODE  4	/* nodes */
#define OCON_FSUSE 5	/* fs_use */
#define OCON_NODE6 6	/* IPv6 nodes */
#define OCON_IBPKEY 7	/* Infiniband PKEY */
#define OCON_IBENDPORT 8	/* Infiniband End Port */

/* object context array indices for Xen */
#define OCON_XEN_ISID		0	/* initial SIDs */
#define OCON_XEN_PIRQ		1	/* physical irqs */
#define OCON_XEN_IOPORT		2	/* io ports */
#define OCON_XEN_IOMEM		3	/* io memory */
#define OCON_XEN_PCIDEVICE	4	/* pci devices */
#define OCON_XEN_DEVICETREE	5	/* device tree node */

/*
 * OCON_NUM is the length of the ocontext array, so it must be one more
 * than the largest index used by any platform (currently
 * OCON_IBENDPORT == 8).  Add a new OCON_* index and forget to bump this
 * and the array is indexed out of bounds.
 */
#define OCON_NUM   9

/* section: module information */

/* scope_index_t holds all of the symbols that are in scope in a
 * particular situation.  The bitmaps are indices (and thus must
 * subtract one) into the global policydb->scope array. */
typedef struct scope_index {
	ebitmap_t scope[SYM_NUM];	/* one bitmap per symbol table, indexed by SYM_* */
#define p_classes_scope scope[SYM_CLASSES]
#define p_roles_scope scope[SYM_ROLES]
#define p_types_scope scope[SYM_TYPES]
#define p_users_scope scope[SYM_USERS]
#define p_bools_scope scope[SYM_BOOLS]
#define p_sens_scope scope[SYM_LEVELS]
#define p_cat_scope scope[SYM_CATS]

	/* this array maps from class->value to the permissions within
	 * scope.  if bit (perm->value - 1) is set in map
	 * class_perms_map[class->value - 1] then that permission is
	 * enabled for this class within this decl.  */
	ebitmap_t *class_perms_map;
	/* total number of classes in class_perms_map array */
	uint32_t class_perms_len;
} scope_index_t;

/* a list of declarations for a particular avrule_decl */

/* These two structs declare a block of policy that has TE and RBAC
 * statements and declarations.  The root block (the global policy)
 * can never have an ELSE branch. */
typedef struct avrule_decl {
	uint32_t decl_id;
	uint32_t enabled;	/* whether this block is enabled */

	cond_list_t *cond_list;
	avrule_t *avrules;
	role_trans_rule_t *role_tr_rules;
	role_allow_rule_t *role_allow_rules;
	range_trans_rule_t *range_tr_rules;
	scope_index_t required;	/* symbols needed to activate this block */
	scope_index_t declared;	/* symbols declared within this block */

	/* type transition rules with a 'name' component */
	filename_trans_rule_t *filename_trans_rules;

Coastguard Worker /* for additive statements (type attribute, roles, and users) */ 472*2d543d20SAndroid Build Coastguard Worker symtab_t symtab[SYM_NUM]; 473*2d543d20SAndroid Build Coastguard Worker 474*2d543d20SAndroid Build Coastguard Worker /* In a linked module this will contain the name of the module 475*2d543d20SAndroid Build Coastguard Worker * from which this avrule_decl originated. */ 476*2d543d20SAndroid Build Coastguard Worker char *module_name; 477*2d543d20SAndroid Build Coastguard Worker 478*2d543d20SAndroid Build Coastguard Worker struct avrule_decl *next; 479*2d543d20SAndroid Build Coastguard Worker } avrule_decl_t; 480*2d543d20SAndroid Build Coastguard Worker 481*2d543d20SAndroid Build Coastguard Worker typedef struct avrule_block { 482*2d543d20SAndroid Build Coastguard Worker avrule_decl_t *branch_list; 483*2d543d20SAndroid Build Coastguard Worker avrule_decl_t *enabled; /* pointer to which branch is enabled. this is 484*2d543d20SAndroid Build Coastguard Worker used in linking and never written to disk */ 485*2d543d20SAndroid Build Coastguard Worker #define AVRULE_OPTIONAL 1 486*2d543d20SAndroid Build Coastguard Worker uint32_t flags; /* any flags for this block, currently just optional */ 487*2d543d20SAndroid Build Coastguard Worker struct avrule_block *next; 488*2d543d20SAndroid Build Coastguard Worker } avrule_block_t; 489*2d543d20SAndroid Build Coastguard Worker 490*2d543d20SAndroid Build Coastguard Worker /* Every identifier has its own scope datum. The datum describes if 491*2d543d20SAndroid Build Coastguard Worker * the item is to be included into the final policy during 492*2d543d20SAndroid Build Coastguard Worker * expansion. 
*/ 493*2d543d20SAndroid Build Coastguard Worker typedef struct scope_datum { 494*2d543d20SAndroid Build Coastguard Worker /* Required for this decl */ 495*2d543d20SAndroid Build Coastguard Worker #define SCOPE_REQ 1 496*2d543d20SAndroid Build Coastguard Worker /* Declared in this decl */ 497*2d543d20SAndroid Build Coastguard Worker #define SCOPE_DECL 2 498*2d543d20SAndroid Build Coastguard Worker uint32_t scope; 499*2d543d20SAndroid Build Coastguard Worker uint32_t *decl_ids; 500*2d543d20SAndroid Build Coastguard Worker uint32_t decl_ids_len; 501*2d543d20SAndroid Build Coastguard Worker /* decl_ids is a list of avrule_decl's that declare/require 502*2d543d20SAndroid Build Coastguard Worker * this symbol. If scope==SCOPE_DECL then this is a list of 503*2d543d20SAndroid Build Coastguard Worker * declarations. If the symbol may only be declared once 504*2d543d20SAndroid Build Coastguard Worker * (types, bools) then decl_ids_len will be exactly 1. For 505*2d543d20SAndroid Build Coastguard Worker * implicitly declared things (roles, users) then decl_ids_len 506*2d543d20SAndroid Build Coastguard Worker * will be at least 1. 
*/ 507*2d543d20SAndroid Build Coastguard Worker } scope_datum_t; 508*2d543d20SAndroid Build Coastguard Worker 509*2d543d20SAndroid Build Coastguard Worker /* The policy database */ 510*2d543d20SAndroid Build Coastguard Worker typedef struct policydb { 511*2d543d20SAndroid Build Coastguard Worker #define POLICY_KERN SEPOL_POLICY_KERN 512*2d543d20SAndroid Build Coastguard Worker #define POLICY_BASE SEPOL_POLICY_BASE 513*2d543d20SAndroid Build Coastguard Worker #define POLICY_MOD SEPOL_POLICY_MOD 514*2d543d20SAndroid Build Coastguard Worker uint32_t policy_type; 515*2d543d20SAndroid Build Coastguard Worker char *name; 516*2d543d20SAndroid Build Coastguard Worker char *version; 517*2d543d20SAndroid Build Coastguard Worker int target_platform; 518*2d543d20SAndroid Build Coastguard Worker 519*2d543d20SAndroid Build Coastguard Worker /* Set when the policydb is modified such that writing is unsupported */ 520*2d543d20SAndroid Build Coastguard Worker int unsupported_format; 521*2d543d20SAndroid Build Coastguard Worker 522*2d543d20SAndroid Build Coastguard Worker /* Whether this policydb is mls, should always be set */ 523*2d543d20SAndroid Build Coastguard Worker int mls; 524*2d543d20SAndroid Build Coastguard Worker 525*2d543d20SAndroid Build Coastguard Worker /* symbol tables */ 526*2d543d20SAndroid Build Coastguard Worker symtab_t symtab[SYM_NUM]; 527*2d543d20SAndroid Build Coastguard Worker #define p_commons symtab[SYM_COMMONS] 528*2d543d20SAndroid Build Coastguard Worker #define p_classes symtab[SYM_CLASSES] 529*2d543d20SAndroid Build Coastguard Worker #define p_roles symtab[SYM_ROLES] 530*2d543d20SAndroid Build Coastguard Worker #define p_types symtab[SYM_TYPES] 531*2d543d20SAndroid Build Coastguard Worker #define p_users symtab[SYM_USERS] 532*2d543d20SAndroid Build Coastguard Worker #define p_bools symtab[SYM_BOOLS] 533*2d543d20SAndroid Build Coastguard Worker #define p_levels symtab[SYM_LEVELS] 534*2d543d20SAndroid Build Coastguard Worker #define p_cats 
symtab[SYM_CATS] 535*2d543d20SAndroid Build Coastguard Worker 536*2d543d20SAndroid Build Coastguard Worker /* symbol names indexed by (value - 1) */ 537*2d543d20SAndroid Build Coastguard Worker char **sym_val_to_name[SYM_NUM]; 538*2d543d20SAndroid Build Coastguard Worker #define p_common_val_to_name sym_val_to_name[SYM_COMMONS] 539*2d543d20SAndroid Build Coastguard Worker #define p_class_val_to_name sym_val_to_name[SYM_CLASSES] 540*2d543d20SAndroid Build Coastguard Worker #define p_role_val_to_name sym_val_to_name[SYM_ROLES] 541*2d543d20SAndroid Build Coastguard Worker #define p_type_val_to_name sym_val_to_name[SYM_TYPES] 542*2d543d20SAndroid Build Coastguard Worker #define p_user_val_to_name sym_val_to_name[SYM_USERS] 543*2d543d20SAndroid Build Coastguard Worker #define p_bool_val_to_name sym_val_to_name[SYM_BOOLS] 544*2d543d20SAndroid Build Coastguard Worker #define p_sens_val_to_name sym_val_to_name[SYM_LEVELS] 545*2d543d20SAndroid Build Coastguard Worker #define p_cat_val_to_name sym_val_to_name[SYM_CATS] 546*2d543d20SAndroid Build Coastguard Worker 547*2d543d20SAndroid Build Coastguard Worker /* class, role, and user attributes indexed by (value - 1) */ 548*2d543d20SAndroid Build Coastguard Worker class_datum_t **class_val_to_struct; 549*2d543d20SAndroid Build Coastguard Worker role_datum_t **role_val_to_struct; 550*2d543d20SAndroid Build Coastguard Worker user_datum_t **user_val_to_struct; 551*2d543d20SAndroid Build Coastguard Worker type_datum_t **type_val_to_struct; 552*2d543d20SAndroid Build Coastguard Worker 553*2d543d20SAndroid Build Coastguard Worker /* module stuff section -- used in parsing and for modules */ 554*2d543d20SAndroid Build Coastguard Worker 555*2d543d20SAndroid Build Coastguard Worker /* keep track of the scope for every identifier. these are 556*2d543d20SAndroid Build Coastguard Worker * hash tables, where the key is the identifier name and value 557*2d543d20SAndroid Build Coastguard Worker * a scope_datum_t. 
as a convenience, one may use the 558*2d543d20SAndroid Build Coastguard Worker * p_*_macros (cf. struct scope_index_t declaration). */ 559*2d543d20SAndroid Build Coastguard Worker symtab_t scope[SYM_NUM]; 560*2d543d20SAndroid Build Coastguard Worker 561*2d543d20SAndroid Build Coastguard Worker /* module rule storage */ 562*2d543d20SAndroid Build Coastguard Worker avrule_block_t *global; 563*2d543d20SAndroid Build Coastguard Worker /* avrule_decl index used for link/expand */ 564*2d543d20SAndroid Build Coastguard Worker avrule_decl_t **decl_val_to_struct; 565*2d543d20SAndroid Build Coastguard Worker 566*2d543d20SAndroid Build Coastguard Worker /* compiled storage of rules - use for the kernel policy */ 567*2d543d20SAndroid Build Coastguard Worker 568*2d543d20SAndroid Build Coastguard Worker /* type enforcement access vectors and transitions */ 569*2d543d20SAndroid Build Coastguard Worker avtab_t te_avtab; 570*2d543d20SAndroid Build Coastguard Worker 571*2d543d20SAndroid Build Coastguard Worker /* bools indexed by (value - 1) */ 572*2d543d20SAndroid Build Coastguard Worker cond_bool_datum_t **bool_val_to_struct; 573*2d543d20SAndroid Build Coastguard Worker /* type enforcement conditional access vectors and transitions */ 574*2d543d20SAndroid Build Coastguard Worker avtab_t te_cond_avtab; 575*2d543d20SAndroid Build Coastguard Worker /* linked list indexing te_cond_avtab by conditional */ 576*2d543d20SAndroid Build Coastguard Worker cond_list_t *cond_list; 577*2d543d20SAndroid Build Coastguard Worker 578*2d543d20SAndroid Build Coastguard Worker /* role transitions */ 579*2d543d20SAndroid Build Coastguard Worker role_trans_t *role_tr; 580*2d543d20SAndroid Build Coastguard Worker 581*2d543d20SAndroid Build Coastguard Worker /* role allows */ 582*2d543d20SAndroid Build Coastguard Worker role_allow_t *role_allow; 583*2d543d20SAndroid Build Coastguard Worker 584*2d543d20SAndroid Build Coastguard Worker /* security contexts of initial SIDs, unlabeled file systems, 
585*2d543d20SAndroid Build Coastguard Worker TCP or UDP port numbers, network interfaces and nodes */ 586*2d543d20SAndroid Build Coastguard Worker ocontext_t *ocontexts[OCON_NUM]; 587*2d543d20SAndroid Build Coastguard Worker 588*2d543d20SAndroid Build Coastguard Worker /* security contexts for files in filesystems that cannot support 589*2d543d20SAndroid Build Coastguard Worker a persistent label mapping or use another 590*2d543d20SAndroid Build Coastguard Worker fixed labeling behavior. */ 591*2d543d20SAndroid Build Coastguard Worker genfs_t *genfs; 592*2d543d20SAndroid Build Coastguard Worker 593*2d543d20SAndroid Build Coastguard Worker /* range transitions table (range_trans_key -> mls_range) */ 594*2d543d20SAndroid Build Coastguard Worker hashtab_t range_tr; 595*2d543d20SAndroid Build Coastguard Worker 596*2d543d20SAndroid Build Coastguard Worker /* file transitions with the last path component */ 597*2d543d20SAndroid Build Coastguard Worker hashtab_t filename_trans; 598*2d543d20SAndroid Build Coastguard Worker uint32_t filename_trans_count; 599*2d543d20SAndroid Build Coastguard Worker 600*2d543d20SAndroid Build Coastguard Worker ebitmap_t *type_attr_map; 601*2d543d20SAndroid Build Coastguard Worker 602*2d543d20SAndroid Build Coastguard Worker ebitmap_t *attr_type_map; /* not saved in the binary policy */ 603*2d543d20SAndroid Build Coastguard Worker 604*2d543d20SAndroid Build Coastguard Worker ebitmap_t policycaps; 605*2d543d20SAndroid Build Coastguard Worker 606*2d543d20SAndroid Build Coastguard Worker /* this bitmap is referenced by type NOT the typical type-1 used in other 607*2d543d20SAndroid Build Coastguard Worker bitmaps. 
Someday the 0 bit may be used for global permissive */ 608*2d543d20SAndroid Build Coastguard Worker ebitmap_t permissive_map; 609*2d543d20SAndroid Build Coastguard Worker 610*2d543d20SAndroid Build Coastguard Worker unsigned policyvers; 611*2d543d20SAndroid Build Coastguard Worker 612*2d543d20SAndroid Build Coastguard Worker unsigned handle_unknown; 613*2d543d20SAndroid Build Coastguard Worker 614*2d543d20SAndroid Build Coastguard Worker sepol_security_class_t process_class; 615*2d543d20SAndroid Build Coastguard Worker sepol_security_class_t dir_class; 616*2d543d20SAndroid Build Coastguard Worker sepol_access_vector_t process_trans; 617*2d543d20SAndroid Build Coastguard Worker sepol_access_vector_t process_trans_dyntrans; 618*2d543d20SAndroid Build Coastguard Worker } policydb_t; 619*2d543d20SAndroid Build Coastguard Worker 620*2d543d20SAndroid Build Coastguard Worker struct sepol_policydb { 621*2d543d20SAndroid Build Coastguard Worker struct policydb p; 622*2d543d20SAndroid Build Coastguard Worker }; 623*2d543d20SAndroid Build Coastguard Worker 624*2d543d20SAndroid Build Coastguard Worker extern int policydb_init(policydb_t * p); 625*2d543d20SAndroid Build Coastguard Worker 626*2d543d20SAndroid Build Coastguard Worker extern int policydb_from_image(sepol_handle_t * handle, 627*2d543d20SAndroid Build Coastguard Worker void *data, size_t len, policydb_t * policydb); 628*2d543d20SAndroid Build Coastguard Worker 629*2d543d20SAndroid Build Coastguard Worker extern int policydb_to_image(sepol_handle_t * handle, 630*2d543d20SAndroid Build Coastguard Worker policydb_t * policydb, void **newdata, 631*2d543d20SAndroid Build Coastguard Worker size_t * newlen); 632*2d543d20SAndroid Build Coastguard Worker 633*2d543d20SAndroid Build Coastguard Worker extern int policydb_index_classes(policydb_t * p); 634*2d543d20SAndroid Build Coastguard Worker 635*2d543d20SAndroid Build Coastguard Worker extern int policydb_index_bools(policydb_t * p); 636*2d543d20SAndroid Build Coastguard 
Worker 637*2d543d20SAndroid Build Coastguard Worker extern int policydb_index_others(sepol_handle_t * handle, policydb_t * p, 638*2d543d20SAndroid Build Coastguard Worker unsigned int verbose); 639*2d543d20SAndroid Build Coastguard Worker 640*2d543d20SAndroid Build Coastguard Worker extern int policydb_role_cache(hashtab_key_t key, 641*2d543d20SAndroid Build Coastguard Worker hashtab_datum_t datum, 642*2d543d20SAndroid Build Coastguard Worker void *arg); 643*2d543d20SAndroid Build Coastguard Worker 644*2d543d20SAndroid Build Coastguard Worker extern int policydb_user_cache(hashtab_key_t key, 645*2d543d20SAndroid Build Coastguard Worker hashtab_datum_t datum, 646*2d543d20SAndroid Build Coastguard Worker void *arg); 647*2d543d20SAndroid Build Coastguard Worker 648*2d543d20SAndroid Build Coastguard Worker extern int policydb_reindex_users(policydb_t * p); 649*2d543d20SAndroid Build Coastguard Worker 650*2d543d20SAndroid Build Coastguard Worker extern int policydb_optimize(policydb_t * p); 651*2d543d20SAndroid Build Coastguard Worker 652*2d543d20SAndroid Build Coastguard Worker extern void policydb_destroy(policydb_t * p); 653*2d543d20SAndroid Build Coastguard Worker 654*2d543d20SAndroid Build Coastguard Worker extern int policydb_load_isids(policydb_t * p, sidtab_t * s); 655*2d543d20SAndroid Build Coastguard Worker 656*2d543d20SAndroid Build Coastguard Worker extern int policydb_sort_ocontexts(policydb_t *p); 657*2d543d20SAndroid Build Coastguard Worker 658*2d543d20SAndroid Build Coastguard Worker extern int policydb_filetrans_insert(policydb_t *p, uint32_t stype, 659*2d543d20SAndroid Build Coastguard Worker uint32_t ttype, uint32_t tclass, 660*2d543d20SAndroid Build Coastguard Worker const char *name, char **name_alloc, 661*2d543d20SAndroid Build Coastguard Worker uint32_t otype, uint32_t *present_otype); 662*2d543d20SAndroid Build Coastguard Worker 663*2d543d20SAndroid Build Coastguard Worker /* Deprecated */ 664*2d543d20SAndroid Build Coastguard Worker extern int 
policydb_context_isvalid(const policydb_t * p, 665*2d543d20SAndroid Build Coastguard Worker const context_struct_t * c); 666*2d543d20SAndroid Build Coastguard Worker 667*2d543d20SAndroid Build Coastguard Worker extern void symtabs_destroy(symtab_t * symtab); 668*2d543d20SAndroid Build Coastguard Worker extern int scope_destroy(hashtab_key_t key, hashtab_datum_t datum, void *p); 669*2d543d20SAndroid Build Coastguard Worker 670*2d543d20SAndroid Build Coastguard Worker extern void class_perm_node_init(class_perm_node_t * x); 671*2d543d20SAndroid Build Coastguard Worker extern void type_set_init(type_set_t * x); 672*2d543d20SAndroid Build Coastguard Worker extern void type_set_destroy(type_set_t * x); 673*2d543d20SAndroid Build Coastguard Worker extern int type_set_cpy(type_set_t * dst, const type_set_t * src); 674*2d543d20SAndroid Build Coastguard Worker extern int type_set_or_eq(type_set_t * dst, const type_set_t * other); 675*2d543d20SAndroid Build Coastguard Worker extern void role_set_init(role_set_t * x); 676*2d543d20SAndroid Build Coastguard Worker extern void role_set_destroy(role_set_t * x); 677*2d543d20SAndroid Build Coastguard Worker extern void avrule_init(avrule_t * x); 678*2d543d20SAndroid Build Coastguard Worker extern void avrule_destroy(avrule_t * x); 679*2d543d20SAndroid Build Coastguard Worker extern void avrule_list_destroy(avrule_t * x); 680*2d543d20SAndroid Build Coastguard Worker extern void role_trans_rule_init(role_trans_rule_t * x); 681*2d543d20SAndroid Build Coastguard Worker extern void role_trans_rule_list_destroy(role_trans_rule_t * x); 682*2d543d20SAndroid Build Coastguard Worker extern void filename_trans_rule_init(filename_trans_rule_t * x); 683*2d543d20SAndroid Build Coastguard Worker extern void filename_trans_rule_list_destroy(filename_trans_rule_t * x); 684*2d543d20SAndroid Build Coastguard Worker 685*2d543d20SAndroid Build Coastguard Worker extern void role_datum_init(role_datum_t * x); 686*2d543d20SAndroid Build Coastguard Worker 
extern void role_datum_destroy(role_datum_t * x);
extern void role_allow_rule_init(role_allow_rule_t * x);
extern void role_allow_rule_destroy(role_allow_rule_t * x);
extern void role_allow_rule_list_destroy(role_allow_rule_t * x);
extern void range_trans_rule_init(range_trans_rule_t *x);
extern void range_trans_rule_destroy(range_trans_rule_t *x);
extern void range_trans_rule_list_destroy(range_trans_rule_t *x);
extern void type_datum_init(type_datum_t * x);
extern void type_datum_destroy(type_datum_t * x);
extern void user_datum_init(user_datum_t * x);
extern void user_datum_destroy(user_datum_t * x);
extern void level_datum_init(level_datum_t * x);
extern void level_datum_destroy(level_datum_t * x);
extern void cat_datum_init(cat_datum_t * x);
extern void cat_datum_destroy(cat_datum_t * x);
/* Check one assertion rule against the compiled rules of *p; non-zero
 * return reports a violation or error -- confirm the exact convention
 * against the implementation. */
extern int check_assertion(policydb_t *p, avrule_t *avrule);
/* Check every assertion in the avrules list against *p.  Returns 0
 * when all assertions hold. */
extern int check_assertions(sepol_handle_t * handle,
			    policydb_t * p, avrule_t * avrules);

/* Insert datum under key into x->symtab[sym] (sym is a SYM_* index)
 * and record the (scope, avrule_decl_id) pair in x->scope[sym].
 * scope is presumably SCOPE_REQ or SCOPE_DECL (cf. scope_datum.scope);
 * *value receives the symbol's assigned value.  Returns 0 on success. */
extern int symtab_insert(policydb_t * x, uint32_t sym,
			 hashtab_key_t key, hashtab_datum_t datum,
			 uint32_t scope, uint32_t avrule_decl_id,
			 uint32_t * value);

/* A policy "file" may be a memory region referenced by a (data, len) pair
   or a file referenced by a FILE pointer. */
typedef struct policy_file {
#define PF_USE_MEMORY  0
#define PF_USE_STDIO   1
#define PF_LEN         2	/* total up length in len field */
	/* one of PF_USE_MEMORY, PF_USE_STDIO, PF_LEN */
	unsigned type;
	/* PF_USE_MEMORY: current position in the memory region */
	char *data;
	/* PF_USE_MEMORY: bytes remaining at data; PF_LEN: running total */
	size_t len;
	/* NOTE(review): relation of size to len is not documented here;
	 * presumably the total capacity of the region -- confirm */
	size_t size;
	/* PF_USE_STDIO: the stream being read or written */
	FILE *fp;
	struct sepol_handle *handle;
} policy_file_t;

/* public wrapper around policy_file_t */
struct sepol_policy_file {
	struct policy_file pf;
};

/* Zero-initialize *x. */
extern void policy_file_init(policy_file_t * x);

/* Read a binary policy from fp into *p.  fp carries untrusted bytes;
 * the reader must validate every count and index before using it as
 * an allocation size or array subscript (TODO confirm).  Returns 0 on
 * success. */
extern int policydb_read(policydb_t * p, struct policy_file *fp,
			 unsigned int verbose);
/* Read a list of avrules from fp, storing the head in *avrules.
 * Returns 0 on success. */
extern int avrule_read_list(policydb_t * p, avrule_t ** avrules,
			    struct policy_file *fp);

/* Write *p to pf in the format selected by p->policy_type and
 * p->policyvers.  Returns 0 on success. */
extern int policydb_write(struct policydb *p, struct policy_file *pf);
/* Record the target platform (Linux or Xen) for *p.  Returns 0 on
 * success. */
extern int policydb_set_target_platform(policydb_t *p, int platform);

/* presumably the initial size of a class's permission symbol table --
 * confirm */
#define PERM_SYMTAB_SIZE 32

/* Identify specific policy version changes (kernel policy format).
 * Several features share a version number (VALIDATETRANS/MLS == 19,
 * XEN_DEVICETREE/XPERMS_IOCTL == 30); the latter pair is disambiguated
 * by the target platform. */
#define POLICYDB_VERSION_BASE		15
#define POLICYDB_VERSION_BOOL		16
#define POLICYDB_VERSION_IPV6		17
#define POLICYDB_VERSION_NLCLASS	18
#define POLICYDB_VERSION_VALIDATETRANS	19
#define POLICYDB_VERSION_MLS		19
#define POLICYDB_VERSION_AVTAB		20
#define POLICYDB_VERSION_RANGETRANS	21
#define POLICYDB_VERSION_POLCAP		22
#define POLICYDB_VERSION_PERMISSIVE	23
#define POLICYDB_VERSION_BOUNDARY	24
#define POLICYDB_VERSION_FILENAME_TRANS	25
#define POLICYDB_VERSION_ROLETRANS	26
#define POLICYDB_VERSION_NEW_OBJECT_DEFAULTS	27
#define POLICYDB_VERSION_DEFAULT_TYPE	28
#define POLICYDB_VERSION_CONSTRAINT_NAMES	29
#define POLICYDB_VERSION_XEN_DEVICETREE	30 /* Xen-specific */
#define POLICYDB_VERSION_XPERMS_IOCTL	30 /* Linux-specific */
#define POLICYDB_VERSION_INFINIBAND		31 /* Linux-specific */
#define POLICYDB_VERSION_GLBLUB		32
#define POLICYDB_VERSION_COMP_FTRANS	33 /* compressed filename transitions */

/* Range of policy versions we understand; a policy header outside
 * [POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX] should be rejected by
 * the reader rather than parsed. */
#define POLICYDB_VERSION_MIN	POLICYDB_VERSION_BASE
#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_COMP_FTRANS

/* Module versions and specific changes (module policy format).
 * VALIDATETRANS/MLS share 5 and RANGETRANS/MLS_USERS share 6. */
#define MOD_POLICYDB_VERSION_BASE		4
#define MOD_POLICYDB_VERSION_VALIDATETRANS	5
#define MOD_POLICYDB_VERSION_MLS		5
#define MOD_POLICYDB_VERSION_RANGETRANS 	6
#define MOD_POLICYDB_VERSION_MLS_USERS		6
#define MOD_POLICYDB_VERSION_POLCAP		7
#define MOD_POLICYDB_VERSION_PERMISSIVE		8
#define MOD_POLICYDB_VERSION_BOUNDARY		9
#define MOD_POLICYDB_VERSION_BOUNDARY_ALIAS	10
#define MOD_POLICYDB_VERSION_FILENAME_TRANS	11
#define MOD_POLICYDB_VERSION_ROLETRANS		12
#define MOD_POLICYDB_VERSION_ROLEATTRIB		13
#define MOD_POLICYDB_VERSION_TUNABLE_SEP	14
#define MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS	15
#define MOD_POLICYDB_VERSION_DEFAULT_TYPE	16
#define MOD_POLICYDB_VERSION_CONSTRAINT_NAMES	17
#define MOD_POLICYDB_VERSION_XPERMS_IOCTL	18
#define MOD_POLICYDB_VERSION_INFINIBAND		19
#define MOD_POLICYDB_VERSION_GLBLUB		20
#define MOD_POLICYDB_VERSION_SELF_TYPETRANS	21

/* Range of module versions we understand */
#define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE
#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_SELF_TYPETRANS

#define POLICYDB_CONFIG_MLS    1

/* macros to check policy feature */

/* TODO: add other features here */

/* True when policy p is new enough to carry type/role/user bounds:
 * kernel policies are compared against POLICYDB_VERSION_BOUNDARY,
 * base and module policies against MOD_POLICYDB_VERSION_BOUNDARY.
 * p is evaluated more than once, so pass a side-effect-free expression. */
#define policydb_has_boundary_feature(p)			\
	(((p)->policy_type == POLICY_KERN			\
	  && (p)->policyvers >= POLICYDB_VERSION_BOUNDARY) ||	\
	 ((p)->policy_type != POLICY_KERN			\
	  && (p)->policyvers >= MOD_POLICYDB_VERSION_BOUNDARY))

/* the config flags related to unknown classes/perms are bits 2 and 3 */
#define DENY_UNKNOWN	SEPOL_DENY_UNKNOWN
#define REJECT_UNKNOWN	SEPOL_REJECT_UNKNOWN
#define ALLOW_UNKNOWN 	SEPOL_ALLOW_UNKNOWN

/* mask isolating the handle-unknown bits of the policy config word */
#define POLICYDB_CONFIG_UNKNOWN_MASK	(DENY_UNKNOWN | REJECT_UNKNOWN | ALLOW_UNKNOWN)

/* Android-specific config bits; placed at the top of the 32-bit config
 * word so they cannot collide with the handle-unknown bits above.
 * NOTE(review): (1 << 31) left-shifts a signed int past its value bits,
 * which is undefined behaviour in C11; (1U << 31) is the well-defined
 * spelling and produces the same bit pattern where this is ORed or
 * ANDed with an unsigned config word. */
#define POLICYDB_CONFIG_ANDROID_NETLINK_ROUTE    (1 << 31)
#define POLICYDB_CONFIG_ANDROID_NETLINK_GETNEIGH (1 << 30)

/* the fixed object role: always present and always assigned value 1 */
#define OBJECT_R "object_r"
#define OBJECT_R_VAL 1

/* Header magic and identification strings for the two binary formats.
 * POLICYDB_STRING_MAX_LENGTH presumably bounds the identification string
 * accepted when reading a header -- confirm in policydb_read(). */
#define POLICYDB_MAGIC SELINUX_MAGIC
#define POLICYDB_STRING "SE Linux"
#define POLICYDB_XEN_STRING "XenFlask"
#define POLICYDB_STRING_MAX_LENGTH 32
#define POLICYDB_MOD_MAGIC SELINUX_MOD_MAGIC
#define POLICYDB_MOD_STRING "SE Linux Module"

#ifdef __cplusplus
}
#endif

#endif				/* _POLICYDB_H_ */

/* FLASK */