00001 /** 00002 * @file 00003 * Defines the public interface the QPol policy. 00004 * 00005 * @author Jeremy A. Mowery jmowery@tresys.com 00006 * @author Jason Tang jtang@tresys.com 00007 * @author Brandon Whalen bwhalen@tresys.com 00008 * 00009 * Copyright (C) 2006-2008 Tresys Technology, LLC 00010 * 00011 * This library is free software; you can redistribute it and/or 00012 * modify it under the terms of the GNU Lesser General Public 00013 * License as published by the Free Software Foundation; either 00014 * version 2.1 of the License, or (at your option) any later version. 00015 * 00016 * This library is distributed in the hope that it will be useful, 00017 * but WITHOUT ANY WARRANTY; without even the implied warranty of 00018 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 00019 * Lesser General Public License for more details. 00020 * 00021 * You should have received a copy of the GNU Lesser General Public 00022 * License along with this library; if not, write to the Free Software 00023 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA 00024 */ 00025 00026 #ifndef QPOL_POLICY_H 00027 #define QPOL_POLICY_H 00028 00029 #ifdef __cplusplus 00030 extern "C" 00031 { 00032 #endif 00033 00034 #include <stdarg.h> 00035 #include <stdint.h> 00036 00037 typedef struct qpol_policy qpol_policy_t; 00038 00039 #include <qpol/avrule_query.h> 00040 #include <qpol/bool_query.h> 00041 #include <qpol/class_perm_query.h> 00042 #include <qpol/cond_query.h> 00043 #include <qpol/constraint_query.h> 00044 #include <qpol/context_query.h> 00045 #include <qpol/fs_use_query.h> 00046 #include <qpol/isid_query.h> 00047 #include <qpol/iterator.h> 00048 #include <qpol/genfscon_query.h> 00049 #include <qpol/mls_query.h> 00050 #include <qpol/mlsrule_query.h> 00051 #include <qpol/module.h> 00052 #include <qpol/netifcon_query.h> 00053 #include <qpol/nodecon_query.h> 00054 #include <qpol/portcon_query.h> 00055 #include <qpol/rbacrule_query.h> 00056 #include <qpol/role_query.h> 00057 #include <qpol/syn_rule_query.h> 00058 #include <qpol/terule_query.h> 00059 #include <qpol/type_query.h> 00060 #include <qpol/user_query.h> 00061 00062 typedef void (*qpol_callback_fn_t) (void *varg, const struct qpol_policy * policy, int level, const char *fmt, 00063 va_list va_args); 00064 00065 #define QPOL_POLICY_UNKNOWN -1 00066 #define QPOL_POLICY_KERNEL_SOURCE 0 00067 #define QPOL_POLICY_KERNEL_BINARY 1 00068 #define QPOL_POLICY_MODULE_BINARY 2 00069 00070 /** 00071 * When loading the policy, do not load neverallow rules. 00072 */ 00073 #define QPOL_POLICY_OPTION_NO_NEVERALLOWS 0x00000001 00074 00075 /** 00076 * When loading the policy, do not load any rules; 00077 * this option implies QPOL_POLICY_OPTION_NO_NEVERALLOWS. 00078 */ 00079 #define QPOL_POLICY_OPTION_NO_RULES 0x00000002 00080 00081 /** 00082 * When loading the policy, attempt to interpret it as the way the 00083 * running system would. If the policy is of a version higher than 00084 * one supported by the system, then the policy will be downgraded to 00085 * the system's maximum value. 00086 */ 00087 #define QPOL_POLICY_OPTION_MATCH_SYSTEM 0x00000004 00088 00089 /** 00090 * List of capabilities a policy may have. This list represents 00091 * features of policy that may differ from version to version or 00092 * based upon the format of the policy file. Note that "polcaps" in 00093 * this case refers to "policy capabilities" that were introduced 00094 * with version 22 policies. 00095 */ 00096 typedef enum qpol_capability 00097 { 00098 /** The policy format stores the names of attributes. */ 00099 QPOL_CAP_ATTRIB_NAMES, 00100 /** The policy format stores the syntactic rule type sets. */ 00101 QPOL_CAP_SYN_RULES, 00102 /** The policy format stores rule line numbers (implies QPOL_CAP_SYN_RULES). */ 00103 QPOL_CAP_LINE_NUMBERS, 00104 /** The policy version supports booleans and conditional statements. */ 00105 QPOL_CAP_CONDITIONALS, 00106 /** The policy version supports MLS components and statements. */ 00107 QPOL_CAP_MLS, 00108 /** The policy version has policy capabilities (polcaps). */ 00109 QPOL_CAP_POLCAPS, 00110 /** The policy format supports linking loadable modules. */ 00111 QPOL_CAP_MODULES, 00112 /** The policy was loaded with av/te rules. */ 00113 QPOL_CAP_RULES_LOADED, 00114 /** The policy source may be displayed. */ 00115 QPOL_CAP_SOURCE, 00116 /** The policy supports and was loaded with neverallow rules. */ 00117 QPOL_CAP_NEVERALLOW 00118 } qpol_capability_e; 00119 00120 /** 00121 * Open a policy from a passed in file path. 00122 * @param filename The name of the file to open. 00123 * @param policy The policy to populate. The caller should not free 00124 * this pointer. 00125 * @param fn (Optional) If non-NULL, the callback to be used by the handle. 00126 * @param varg (Optional) The argument needed by the handle callback. 00127 * @param options Options to control loading only portions of a policy; 00128 * must be a bitwise-or'd set of QPOL_POLICY_OPTION_* from above. 00129 * @return Returns one of QPOL_POLICY_KERNEL_SOURCE, 00130 * QPOL_POLICY_KERNEL_BINARY, or QPOL_POLICY_MODULE_BINARY on success 00131 * and < 0 on failure; if the call fails, errno will be set and 00132 * *policy will be NULL. 00133 */ 00134 extern int qpol_policy_open_from_file(const char *filename, qpol_policy_t ** policy, qpol_callback_fn_t fn, void *varg, 00135 const int options); 00136 00137 /** 00138 * Open a policy from a passed in file path but do not load any rules. 00139 * @param filename The name of the file to open. 00140 * @param policy The policy to populate. The caller should not free 00141 * this pointer. 00142 * @param fn (Optional) If non-NULL, the callback to be used by the handle. 00143 * @param varg (Optional) The argument needed by the handle callback. 00144 * @return Returns one of QPOL_POLICY_* above on success and < 0 on failure; 00145 * if the call fails, errno will be set and *policy will be NULL. 00146 * @deprecated use qpol_policy_open_from_file() with the option QPOL_POLICY_OPTION_NO_RULES instead. 00147 */ 00148 extern int qpol_policy_open_from_file_no_rules(const char *filename, qpol_policy_t ** policy, qpol_callback_fn_t fn, 00149 void *varg) __attribute__ ((deprecated)); 00150 00151 /** 00152 * Open a policy from a passed in buffer. 00153 * @param policy The policy to populate. The caller should not free 00154 * this pointer. 00155 * @param filedata The policy file stored in memory . 00156 * @param size The size of filedata 00157 * @param fn (Optional) If non-NULL, the callback to be used by the handle. 00158 * @param varg (Optional) The argument needed by the handle callback. 00159 * @param options Options to control loading only portions of a policy; 00160 * must be a bitwise-or'd set of QPOL_POLICY_OPTION_* from above. 00161 * @return Returns 0 on success and < 0 on failure; if the call fails, 00162 * errno will be set and *policy will be NULL. 00163 */ 00164 extern int qpol_policy_open_from_memory(qpol_policy_t ** policy, const char *filedata, size_t size, qpol_callback_fn_t fn, 00165 void *varg, const int options); 00166 00167 /** 00168 * Close a policy and deallocate its memory. Does nothing if it is 00169 * already NULL. 00170 * @param policy Reference to the policy to close. The pointer will 00171 * be set to NULL afterwards. 00172 */ 00173 extern void qpol_policy_destroy(qpol_policy_t ** policy); 00174 00175 /** 00176 * Re-evaluate all conditionals in the policy updating the state 00177 * and setting the appropriate rule list as emabled for each. 00178 * This call modifies the policy. 00179 * @param policy The policy for which to re-evaluate the conditionals. 00180 * This policy will be modified by this function. 00181 * @return 0 on success and < 0 on failure; if the call fails, 00182 * errno will be set. On failure, the policy state may be inconsistent. 00183 */ 00184 extern int qpol_policy_reevaluate_conds(qpol_policy_t * policy); 00185 00186 /** 00187 * Append a module to a policy. The policy now owns the module. 00188 * Note that the caller must still invoke qpol_policy_rebuild() 00189 * to update the policy. 00190 * @param policy The policy to which to add the module. 00191 * @param module The module to append. <b>The caller should not 00192 * destroy this module if this function succeeds.</b> 00193 * @return 0 on success and < 0 on failure; if the call fails, 00194 * errno will be set and both the policy and the module will 00195 * remain unchanged. If the call fails, the caller is still 00196 * responsible for calling qpol_module_destroy(). 00197 */ 00198 extern int qpol_policy_append_module(qpol_policy_t * policy, qpol_module_t * module); 00199 00200 /** 00201 * Rebuild the policy. If the options provided are the same as those 00202 * provied to the last call to rebuild or open and the modules were not 00203 * changed, this function does nothing; otherwise, re-link all enabled 00204 * modules with the base and then call expand. If the syntactic rule 00205 * table was previously built, the caller should call 00206 * qpol_policy_build_syn_rule_table() after calling this function. 00207 * @param policy The policy to rebuild. 00208 * This policy will be altered by this function. 00209 * @param options Options to control loading only portions of a policy; 00210 * must be a bitwise-or'd set of QPOL_POLICY_OPTION_* from above. 00211 * @return 0 on success and < 0 on failure; if the call fails, 00212 * errno will be set and the policy will be reverted to its previous state. 00213 */ 00214 extern int qpol_policy_rebuild(qpol_policy_t * policy, const int options); 00215 00216 /** 00217 * Get an iterator of all modules in a policy. 00218 * @param policy The policy from which to get the iterator. 00219 * @param iter Iteraror of modules (of type qpol_module_t) returned. 00220 * The caller should not destroy the modules returned by 00221 * qpol_iterator_get_item(). 00222 * @return 0 on success and < 0 on failure; if the call fails, 00223 * errno will be set and *iter will be NULL. 00224 */ 00225 extern int qpol_policy_get_module_iter(const qpol_policy_t * policy, qpol_iterator_t ** iter); 00226 00227 /** 00228 * Get the version number of the policy. 00229 * @param policy The policy for which to get the version. 00230 * @param version Pointer to the integer to set to the version number. 00231 * @return Returns 0 on success and < 0 on failure; if the call fails, 00232 * errno will be set and *version will be 0. 00233 */ 00234 extern int qpol_policy_get_policy_version(const qpol_policy_t * policy, unsigned int *version); 00235 00236 /** 00237 * Get the type of policy (source, binary, or module). 00238 * @param policy The policy from which to get the type. 00239 * @param type Pointer to the integer in which to store the type. 00240 * Value will be one of QPOL_POLICY_* from above. 00241 * @return 0 on success and < 0 on failure; if the call fails, 00242 * errno will be set and *type will be QPOL_POLICY_UNKNOWN. 00243 */ 00244 extern int qpol_policy_get_type(const qpol_policy_t * policy, int *type); 00245 00246 /** 00247 * Determine if a policy has support for a specific capability. 00248 * @param policy The policy to check. 00249 * @param cap The capability for which to check. Must be one of QPOL_CAP_* 00250 * defined above. 00251 * @return Non-zero if the policy has the specified capability, and zero otherwise. 00252 */ 00253 extern int qpol_policy_has_capability(const qpol_policy_t * policy, qpol_capability_e cap); 00254 00255 #ifdef __cplusplus 00256 } 00257 #endif 00258 00259 #endif
