Jeremy A. Mowery jmowery@tresys.com
Jason Tang jtang@tresys.com
This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
Definition in file avrule_query.h.
#include <qpol/policy.h>
#include <qpol/class_perm_query.h>
#include <qpol/cond_query.h>
#include <qpol/type_query.h>
Defines | |
| #define | QPOL_RULE_ALLOW 1 |
| #define | QPOL_RULE_NEVERALLOW 128 |
| #define | QPOL_RULE_AUDITALLOW 2 |
| #define | QPOL_RULE_DONTAUDIT 4 |
Typedefs | |
| typedef qpol_avrule | qpol_avrule_t |
Functions | |
| int | qpol_policy_get_avrule_iter (const qpol_policy_t *policy, uint32_t rule_type_mask, qpol_iterator_t **iter) |
| Get an iterator over all av rules in a policy of a rule type in rule_type_mask. | |
| int | qpol_avrule_get_source_type (const qpol_policy_t *policy, const qpol_avrule_t *rule, const qpol_type_t **source) |
| Get the source type from an av rule. | |
| int | qpol_avrule_get_target_type (const qpol_policy_t *policy, const qpol_avrule_t *rule, const qpol_type_t **target) |
| Get the target type from an av rule. | |
| int | qpol_avrule_get_object_class (const qpol_policy_t *policy, const qpol_avrule_t *rule, const qpol_class_t **obj_class) |
| Get the object class from an av rule. | |
| int | qpol_avrule_get_perm_iter (const qpol_policy_t *policy, const qpol_avrule_t *rule, qpol_iterator_t **perms) |
| Get an iterator over the permissions in an av rule. | |
| int | qpol_avrule_get_rule_type (const qpol_policy_t *policy, const qpol_avrule_t *rule, uint32_t *rule_type) |
| Get the rule type value for an av rule. | |
| int | qpol_avrule_get_cond (const qpol_policy_t *policy, const qpol_avrule_t *rule, const qpol_cond_t **cond) |
| Get the conditional from which an av rule comes. | |
| int | qpol_avrule_get_is_enabled (const qpol_policy_t *policy, const qpol_avrule_t *rule, uint32_t *is_enabled) |
| Determine if a rule is enabled. | |
| int | qpol_avrule_get_which_list (const qpol_policy_t *policy, const qpol_avrule_t *rule, uint32_t *which_list) |
| Get the list (true or false) in which a conditional rule is. | |
Definition at line 43 of file avrule_query.h. Referenced by apol_avrule_render(), apol_rule_type_to_str(), apol_syn_avrule_get_by_query(), apol_syn_avrule_render(), avrule_get_items(), avrule_get_items_neverallow(), print_stats(), qpol_avrule_get_rule_type(), qpol_cond_get_av_false_iter(), and qpol_cond_get_av_true_iter(). |
Definition at line 46 of file avrule_query.h. Referenced by apol_rule_type_to_str(), avrule_basic_syn(), avrule_get_items_dontaudit(), policy_view_stats_update(), print_stats(), qpol_avrule_get_syn_avrule_iter(), and spurious_audit_run(). |
Get an iterator over all av rules in a policy whose rule type is in rule_type_mask. It is an error to call this function if rules are not loaded. Likewise, it is an error if neverallow rules are requested but they were not loaded with the policy.
/* Definition at line 36 of file avrule_query.c. References avtab_state_next(), avtab_state_t, avtab_state::cond_tab, ERR, avtab_state::node, qpol_policy::p, QPOL_CAP_NEVERALLOW, QPOL_CAP_RULES_LOADED, qpol_iterator_create(), qpol_iterator_t, qpol_policy_has_capability(), qpol_policy_t, avtab_state::rule_type_mask, and avtab_state::ucond_tab. Referenced by apol_infoflow_graph_create(), avrule_get_items(), policy_view_stats_update(), print_stats(), qpol_policy_add_cond_rule_traceback(), and rule_select(). */

/**
 * Get an iterator over all av rules in a policy whose rule type is in
 * rule_type_mask.  The iterator state references both the unconditional
 * (te_avtab) and the conditional (te_cond_avtab) tables of the policydb.
 *
 * @param policy         Policy from which to get the rules.
 * @param rule_type_mask Bitwise OR of QPOL_RULE_* values to include.
 * @param iter           Receives the new iterator; set to NULL on error.
 *
 * @return STATUS_SUCCESS, or STATUS_ERR with errno set: EINVAL for a NULL
 * argument, ENOTSUP if rules are not loaded or neverallows were requested
 * but are not available, ENOMEM if the iterator state cannot be allocated.
 */
int qpol_policy_get_avrule_iter(const qpol_policy_t *policy, uint32_t rule_type_mask, qpol_iterator_t **iter)
{
	avtab_state_t *walk;
	policydb_t *pdb;

	/* Clear the out-parameter before any error exit. */
	if (iter != NULL)
		*iter = NULL;
	if (policy == NULL || iter == NULL) {
		ERR(policy, "%s", strerror(EINVAL));
		errno = EINVAL;
		return STATUS_ERR;
	}

	/* Walking an avtab that was never loaded is meaningless. */
	if (!qpol_policy_has_capability(policy, QPOL_CAP_RULES_LOADED)) {
		ERR(policy, "%s", "Cannot get avrules: Rules not loaded");
		errno = ENOTSUP;
		return STATUS_ERR;
	}
	/* Neverallows are only kept when the policy was loaded with them. */
	if ((rule_type_mask & QPOL_RULE_NEVERALLOW) != 0 && !qpol_policy_has_capability(policy, QPOL_CAP_NEVERALLOW)) {
		ERR(policy, "%s", "Cannot get avrules: Neverallow rules requested but not available");
		errno = ENOTSUP;
		return STATUS_ERR;
	}

	walk = calloc(1, sizeof(*walk));
	if (walk == NULL) {
		ERR(policy, "%s", strerror(ENOMEM));
		errno = ENOMEM;
		return STATUS_ERR;
	}
	pdb = &policy->p->p;
	walk->ucond_tab = &pdb->te_avtab;
	walk->cond_tab = &pdb->te_cond_avtab;
	walk->rule_type_mask = rule_type_mask;
	/* Start at the first bucket of the unconditional table.
	 * NOTE(review): assumes te_avtab.htable is non-NULL whenever
	 * QPOL_CAP_RULES_LOADED is set -- confirm in the policy loader. */
	walk->node = pdb->te_avtab.htable[0];

	/* On failure the iterator has not taken ownership of walk. */
	if (qpol_iterator_create(policy, walk, avtab_state_get_cur, avtab_state_next, avtab_state_end, avtab_state_size, free, iter) != 0) {
		free(walk);
		return STATUS_ERR;
	}

	/* Position on the first node that matches the mask: bucket 0 may be
	 * empty or may hold a rule of a type the caller did not ask for. */
	if (walk->node == NULL || (walk->node->key.specified & walk->rule_type_mask) == 0)
		avtab_state_next(*iter);

	return STATUS_SUCCESS;
}
Get the source type from an av rule.
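/* Definition at line 86 of file avrule_query.c. References ERR, qpol_policy::p, qpol_policy_t, and qpol_type_t. Referenced by apol_avrule_render(), apol_infoflow_graph_check_types(), apol_infoflow_graph_connect_nodes(), append_avrules_to_object_vector(), avrule_expand(), find_net_domains_run(), inc_mount_run(), qpol_avrule_get_syn_avrule_iter(), relabel_analysis_matchup(), rule_select(), spurious_audit_run(), and table_add_avrule(). */

/**
 * Get the source type of an av rule.
 *
 * @param policy Policy from which the rule comes.
 * @param rule   Rule to examine.
 * @param source Receives the source type; set to NULL on error.
 *
 * @return STATUS_SUCCESS, or STATUS_ERR with errno set to EINVAL if an
 * argument is NULL or the rule carries a zero (invalid) source type value.
 */
int qpol_avrule_get_source_type(const qpol_policy_t *policy, const qpol_avrule_t *rule, const qpol_type_t **source)
{
	policydb_t *db = NULL;
	avtab_ptr_t avrule = NULL;

	if (source) {
		*source = NULL;
	}

	if (!policy || !rule || !source) {
		ERR(policy, "%s", strerror(EINVAL));
		errno = EINVAL;
		return STATUS_ERR;
	}

	db = &policy->p->p;
	avrule = (avtab_ptr_t) rule;

	/* Type values are 1-based, so 0 is never valid and would index
	 * type_val_to_struct[-1].  Reject it instead of reading out of
	 * bounds; a corrupt or hand-crafted binary policy can carry such a key. */
	if (avrule->key.source_type == 0) {
		ERR(policy, "%s", "Invalid source type value in av rule");
		errno = EINVAL;
		return STATUS_ERR;
	}

	/* NOTE(review): no upper bound is checked here -- the type count lives
	 * in the libsepol policydb and is not visible in this file.  Confirm
	 * the loader validates avtab keys before this index is trusted. */
	*source = (qpol_type_t *) db->type_val_to_struct[avrule->key.source_type - 1];

	return STATUS_SUCCESS;
}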
Get the target type from an av rule.
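/* Definition at line 109 of file avrule_query.c. References ERR, qpol_policy::p, qpol_policy_t, and qpol_type_t. Referenced by apol_avrule_render(), apol_infoflow_graph_check_types(), apol_infoflow_graph_connect_nodes(), apol_types_relation_access_append_rule(), append_avrule_to_subject_vector(), append_avrules_to_object_vector(), avrule_expand(), inc_mount_run(), inc_net_access_run(), qpol_avrule_get_syn_avrule_iter(), relabel_analysis_matchup(), rule_select(), spurious_audit_run(), and table_add_avrule(). */

/**
 * Get the target type of an av rule.
 *
 * @param policy Policy from which the rule comes.
 * @param rule   Rule to examine.
 * @param target Receives the target type; set to NULL on error.
 *
 * @return STATUS_SUCCESS, or STATUS_ERR with errno set to EINVAL if an
 * argument is NULL or the rule carries a zero (invalid) target type value.
 */
int qpol_avrule_get_target_type(const qpol_policy_t *policy, const qpol_avrule_t *rule, const qpol_type_t **target)
{
	policydb_t *db = NULL;
	avtab_ptr_t avrule = NULL;

	if (target) {
		*target = NULL;
	}

	if (!policy || !rule || !target) {
		ERR(policy, "%s", strerror(EINVAL));
		errno = EINVAL;
		return STATUS_ERR;
	}

	db = &policy->p->p;
	avrule = (avtab_ptr_t) rule;

	/* Type values are 1-based, so 0 is never valid and would index
	 * type_val_to_struct[-1].  Reject it instead of reading out of
	 * bounds; a corrupt or hand-crafted binary policy can carry such a key. */
	if (avrule->key.target_type == 0) {
		ERR(policy, "%s", "Invalid target type value in av rule");
		errno = EINVAL;
		return STATUS_ERR;
	}

	/* NOTE(review): no upper bound is checked here -- the type count lives
	 * in the libsepol policydb and is not visible in this file.  Confirm
	 * the loader validates avtab keys before this index is trusted. */
	*target = (qpol_type_t *) db->type_val_to_struct[avrule->key.target_type - 1];

	return STATUS_SUCCESS;
}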
Get the object class from an av rule.
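/* Definition at line 132 of file avrule_query.c. References ERR, qpol_policy::p, qpol_class_t, and qpol_policy_t. Referenced by apol_avrule_render(), apol_infoflow_graph_check_class_perms(), apol_infoflow_graph_create_avrule(), avrule_add_to_bst(), find_domains_run(), find_net_domains_run(), qpol_avrule_get_syn_avrule_iter(), relabel_analysis_matchup(), rule_select(), and spurious_audit_run(). */

/**
 * Get the object class of an av rule.
 *
 * @param policy    Policy from which the rule comes.
 * @param rule      Rule to examine.
 * @param obj_class Receives the object class; set to NULL on error.
 *
 * @return STATUS_SUCCESS, or STATUS_ERR with errno set to EINVAL if an
 * argument is NULL or the rule carries a zero (invalid) class value.
 */
int qpol_avrule_get_object_class(const qpol_policy_t *policy, const qpol_avrule_t *rule, const qpol_class_t **obj_class)
{
	policydb_t *db = NULL;
	avtab_ptr_t avrule = NULL;

	if (obj_class) {
		*obj_class = NULL;
	}

	if (!policy || !rule || !obj_class) {
		ERR(policy, "%s", strerror(EINVAL));
		errno = EINVAL;
		return STATUS_ERR;
	}

	db = &policy->p->p;
	avrule = (avtab_ptr_t) rule;

	/* Class values are 1-based, so 0 is never valid and would index
	 * class_val_to_struct[-1].  Reject it instead of reading out of
	 * bounds; a corrupt or hand-crafted binary policy can carry such a key. */
	if (avrule->key.target_class == 0) {
		ERR(policy, "%s", "Invalid object class value in av rule");
		errno = EINVAL;
		return STATUS_ERR;
	}

	/* NOTE(review): no upper bound is checked here -- the class count lives
	 * in the libsepol policydb and is not visible in this file.  Confirm
	 * the loader validates avtab keys before this index is trusted. */
	*obj_class = (qpol_class_t *) db->class_val_to_struct[avrule->key.target_class - 1];

	return STATUS_SUCCESS;
}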
Get an iterator over the permissions in an av rule.
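/* Definition at line 155 of file avrule_query.c. References ERR, perm_state::obj_class_val, qpol_policy::p, perm_state::perm_set, perm_state_end(), perm_state_get_cur(), perm_state_next(), perm_state_size(), perm_state_t, qpol_iterator_create(), qpol_iterator_t, and qpol_policy_t. Referenced by apol_avrule_render(), apol_infoflow_graph_check_class_perms(), apol_infoflow_graph_create_avrule(), avrule_add_to_bst(), inc_net_access_run(), relabel_analysis_get_direction(), rule_select(), spurious_audit_run(), and table_add_avrule(). */

/**
 * Get an iterator over the permissions in an av rule.
 *
 * @param policy Policy from which the rule comes.
 * @param rule   Rule whose permissions are wanted.
 * @param perms  Receives the new iterator; set to NULL on error.
 *
 * @return STATUS_SUCCESS, or STATUS_ERR with errno set: EINVAL for a NULL
 * argument, ENOMEM if the iterator state cannot be allocated.  If
 * qpol_iterator_create() fails its errno is left in place.
 */
int qpol_avrule_get_perm_iter(const qpol_policy_t *policy, const qpol_avrule_t *rule, qpol_iterator_t **perms)
{
	avtab_ptr_t avrule = NULL;
	perm_state_t *ps = NULL;

	if (perms) {
		*perms = NULL;
	}

	if (!policy || !rule || !perms) {
		ERR(policy, "%s", strerror(EINVAL));
		errno = EINVAL;
		return STATUS_ERR;
	}

	avrule = (avtab_ptr_t) rule;
	ps = calloc(1, sizeof(*ps));
	if (!ps) {
		/* Report allocation failure the same way the other allocating
		 * functions in this file do, instead of returning silently. */
		ERR(policy, "%s", strerror(ENOMEM));
		errno = ENOMEM;
		return STATUS_ERR;
	}
	if (avrule->key.specified & QPOL_RULE_DONTAUDIT) {
		/* Stored as an auditdeny mask: flip the bits to get the
		 * permissions the rule names.
		 * NOTE(review): this also sets every bit above the class's
		 * permission count; assumes perm_state_* bounds the walk by
		 * obj_class_val -- confirm. */
		ps->perm_set = ~(avrule->datum.data);
	} else {
		ps->perm_set = avrule->datum.data;
	}
	ps->obj_class_val = avrule->key.target_class;

	if (qpol_iterator_create(policy, (void *)ps, perm_state_get_cur,
				 perm_state_next, perm_state_end, perm_state_size, free, perms)) {
		/* Mirror qpol_policy_get_avrule_iter(): on failure the iterator
		 * has not taken ownership of the state, so free it here. */
		free(ps);
		return STATUS_ERR;
	}

	if (!(ps->perm_set & 1)) /* defaults to bit 0, if off: advance */
		perm_state_next(*perms);

	return STATUS_SUCCESS;
}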
Get the rule type value for an av rule.
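/* Definition at line 195 of file avrule_query.c. References ERR, qpol_policy::p, qpol_policy_t, QPOL_RULE_ALLOW, QPOL_RULE_AUDITALLOW, and QPOL_RULE_NEVERALLOW. Referenced by apol_avrule_render(), avrule_add_to_bst(), qpol_avrule_get_syn_avrule_iter(), spurious_audit_print(), and types_wo_allow_run(). */

/**
 * Get the rule type value for an av rule.
 *
 * @param policy    Policy from which the rule comes.
 * @param rule      Rule to examine.
 * @param rule_type Receives one of QPOL_RULE_ALLOW, QPOL_RULE_NEVERALLOW,
 *                  QPOL_RULE_AUDITALLOW or QPOL_RULE_DONTAUDIT; set to 0
 *                  on error.
 *
 * @return STATUS_SUCCESS, or STATUS_ERR with errno set to EINVAL if an
 * argument is NULL.
 */
int qpol_avrule_get_rule_type(const qpol_policy_t *policy, const qpol_avrule_t *rule, uint32_t *rule_type)
{
	avtab_ptr_t avrule = NULL;

	if (rule_type) {
		*rule_type = 0;
	}

	if (!policy || !rule || !rule_type) {
		ERR(policy, "%s", strerror(EINVAL));
		errno = EINVAL;
		return STATUS_ERR;
	}

	/* The original also fetched the policydb here but never used it;
	 * the dead store has been dropped. */
	avrule = (avtab_ptr_t) rule;

	/* Mask key.specified down to the four public rule-type bits so any
	 * other bits kept in that field are not exposed to callers. */
	*rule_type =
		(avrule->key.specified & (QPOL_RULE_ALLOW | QPOL_RULE_NEVERALLOW | QPOL_RULE_AUDITALLOW | QPOL_RULE_DONTAUDIT));

	return STATUS_SUCCESS;
}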
Get the conditional from which an av rule comes. If the rule is not a conditional rule *cond is set to NULL.
/* Definition at line 219 of file avrule_query.c. References ERR, qpol_cond_t, and qpol_policy_t. Referenced by avrule_add_to_bst(), print_av_results(), qpol_avrule_get_syn_avrule_iter(), and rule_select(). */

/**
 * Get the conditional from which an av rule comes.  For an unconditional
 * rule *cond is set to NULL and STATUS_SUCCESS is still returned.
 *
 * The conditional is taken from the avtab node's parse_context field; how
 * that field is populated is not visible in this file.
 *
 * @param policy Policy from which the rule comes (only used for error
 *               reporting here).
 * @param rule   Rule to examine.
 * @param cond   Receives the conditional, or NULL; set to NULL on error.
 *
 * @return STATUS_SUCCESS, or STATUS_ERR with errno set to EINVAL if an
 * argument is NULL.
 */
int qpol_avrule_get_cond(const qpol_policy_t *policy, const qpol_avrule_t *rule, const qpol_cond_t **cond)
{
	avtab_ptr_t node;

	if (cond != NULL)
		*cond = NULL;

	if (policy == NULL || rule == NULL || cond == NULL) {
		ERR(policy, "%s", strerror(EINVAL));
		errno = EINVAL;
		return STATUS_ERR;
	}

	node = (avtab_ptr_t) rule;
	*cond = (qpol_cond_t *) node->parse_context;
	return STATUS_SUCCESS;
}
Determine if a rule is enabled. Unconditional rules are always enabled.
/* Definition at line 240 of file avrule_query.c. References ERR, and qpol_policy_t. Referenced by print_av_results(), and rule_select(). */

/**
 * Determine if a rule is enabled.
 *
 * The answer is read from the QPOL_COND_RULE_ENABLED bit of the avtab
 * node's merged field.  The header text states unconditional rules are
 * always enabled, which presumes the loader sets that bit for them; that
 * is not visible in this file.
 *
 * @param policy     Policy from which the rule comes (only used for error
 *                   reporting here).
 * @param rule       Rule to examine.
 * @param is_enabled Receives 1 if enabled, 0 otherwise; set to 0 on error.
 *
 * @return STATUS_SUCCESS, or STATUS_ERR with errno set to EINVAL if an
 * argument is NULL.
 */
int qpol_avrule_get_is_enabled(const qpol_policy_t *policy, const qpol_avrule_t *rule, uint32_t *is_enabled)
{
	avtab_ptr_t node;

	if (is_enabled != NULL)
		*is_enabled = 0;

	if (policy == NULL || rule == NULL || is_enabled == NULL) {
		ERR(policy, "%s", strerror(EINVAL));
		errno = EINVAL;
		return STATUS_ERR;
	}

	node = (avtab_ptr_t) rule;
	*is_enabled = (node->merged & QPOL_COND_RULE_ENABLED) != 0;
	return STATUS_SUCCESS;
}
Get the list (true or false) of the conditional in which a conditional rule appears. It is an error to call this function for an unconditional rule.
/* Definition at line 261 of file avrule_query.c. References ERR, and qpol_policy_t. Referenced by avrule_add_to_bst(), and print_av_results(). */

/**
 * Get the list (true or false) of the conditional in which a conditional
 * rule appears.  It is an error to call this for an unconditional rule,
 * detected here by a NULL parse_context on the avtab node.
 *
 * @param policy     Policy from which the rule comes (only used for error
 *                   reporting here).
 * @param rule       Rule to examine.
 * @param which_list Receives 1 for the true list, 0 for the false list;
 *                   set to 0 on error.
 *
 * @return STATUS_SUCCESS, or STATUS_ERR with errno set to EINVAL if an
 * argument is NULL or the rule is unconditional.  Callers cannot tell the
 * two EINVAL cases apart from the return value alone.
 */
int qpol_avrule_get_which_list(const qpol_policy_t *policy, const qpol_avrule_t *rule, uint32_t *which_list)
{
	avtab_ptr_t node;

	if (which_list != NULL)
		*which_list = 0;

	if (policy == NULL || rule == NULL || which_list == NULL) {
		ERR(policy, "%s", strerror(EINVAL));
		errno = EINVAL;
		return STATUS_ERR;
	}

	node = (avtab_ptr_t) rule;

	/* An unconditional rule has no owning conditional to ask about. */
	if (node->parse_context == NULL) {
		ERR(policy, "%s", strerror(EINVAL));
		errno = EINVAL;
		return STATUS_ERR;
	}

	*which_list = (node->merged & QPOL_COND_RULE_LIST) != 0;
	return STATUS_SUCCESS;
}