Jeremy A. Mowery jmowery@tresys.com
Jason Tang jtang@tresys.com
This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
Definition in file cond_query.h.
#include <qpol/policy.h>
#include <qpol/bool_query.h>
#include <qpol/iterator.h>
Defines | |
| #define | QPOL_COND_RULE_LIST 0x00000001 |
| #define | QPOL_COND_RULE_ENABLED 0x00000002 |
| #define | QPOL_COND_EXPR_BOOL 1 |
| #define | QPOL_COND_EXPR_NOT 2 |
| #define | QPOL_COND_EXPR_OR 3 |
| #define | QPOL_COND_EXPR_AND 4 |
| #define | QPOL_COND_EXPR_XOR 5 |
| #define | QPOL_COND_EXPR_EQ 6 |
| #define | QPOL_COND_EXPR_NEQ 7 |
Typedefs | |
| typedef qpol_cond | qpol_cond_t |
| typedef qpol_cond_expr_node | qpol_cond_expr_node_t |
Functions | |
| int | qpol_policy_get_cond_iter (const qpol_policy_t *policy, qpol_iterator_t **iter) |
| Get an iterator over all conditionals in a policy. | |
| int | qpol_cond_get_expr_node_iter (const qpol_policy_t *policy, const qpol_cond_t *cond, qpol_iterator_t **iter) |
| Get an iterator over the nodes in a conditional expression. | |
| int | qpol_cond_get_av_true_iter (const qpol_policy_t *policy, const qpol_cond_t *cond, uint32_t rule_type_mask, qpol_iterator_t **iter) |
| Get an iterator over all av rules in a conditional's true list of a rule type in rule_type_mask. | |
| int | qpol_cond_get_te_true_iter (const qpol_policy_t *policy, const qpol_cond_t *cond, uint32_t rule_type_mask, qpol_iterator_t **iter) |
| Get an iterator over all type rules in a conditional's true list of a rule type in rule_type_mask. | |
| int | qpol_cond_get_av_false_iter (const qpol_policy_t *policy, const qpol_cond_t *cond, uint32_t rule_type_mask, qpol_iterator_t **iter) |
| Get an iterator over all av rules in a conditional's false list of a rule type in rule_type_mask. | |
| int | qpol_cond_get_te_false_iter (const qpol_policy_t *policy, const qpol_cond_t *cond, uint32_t rule_type_mask, qpol_iterator_t **iter) |
| Get an iterator over all type rules in a conditional's false list of a rule type in rule_type_mask. | |
| int | qpol_cond_eval (const qpol_policy_t *policy, const qpol_cond_t *cond, uint32_t *is_true) |
| Evaluate the expression of a conditional using current boolean values in the policy. | |
| int | qpol_cond_expr_node_get_expr_type (const qpol_policy_t *policy, const qpol_cond_expr_node_t *node, uint32_t *expr_type) |
| Get the type of an expression node. | |
| int | qpol_cond_expr_node_get_bool (const qpol_policy_t *policy, const qpol_cond_expr_node_t *node, qpol_bool_t **cond_bool) |
| Get the boolean used in an expression node. | |
Definition at line 72 of file cond_query.h. |
Definition at line 73 of file cond_query.h. |
Definition at line 160 of file cond_query.h. Referenced by apol_cond_expr_type_to_str(). |
Definition at line 161 of file cond_query.h. Referenced by apol_cond_expr_type_to_str(). |
Definition at line 162 of file cond_query.h. Referenced by apol_cond_expr_type_to_str(). |
Definition at line 163 of file cond_query.h. Referenced by apol_cond_expr_type_to_str(). |
Definition at line 164 of file cond_query.h. Referenced by apol_cond_expr_type_to_str(). |
Definition at line 165 of file cond_query.h. Referenced by apol_cond_expr_type_to_str(). |
Definition at line 166 of file cond_query.h. Referenced by apol_cond_expr_type_to_str(). |
Definition at line 40 of file cond_query.h. Referenced by apol_compare_cond_expr(), apol_cond_expr_render(), avrule_build_cond(), and terule_build_cond(). |
Get an iterator over all conditionals in a policy. It is an error to call this function if rules are not loaded.
Definition at line 107 of file cond_query.c. References cond_state_end(), cond_state_get_cur(), cond_state_next(), cond_state_size(), cond_state_t, cond_state::cur, ERR, cond_state::head, qpol_policy::p, QPOL_CAP_RULES_LOADED, qpol_iterator_create(), qpol_iterator_t, qpol_policy_has_capability(), and qpol_policy_t. Referenced by apol_cond_get_by_query(), and print_stats(). 00108 {
00109 int error = 0;
00110 cond_state_t *cs = NULL;
00111 policydb_t *db = NULL;
00112
00113 if (iter)
00114 *iter = NULL;
00115
00116 if (!policy || !iter) {
00117 ERR(policy, "%s", strerror(EINVAL));
00118 errno = EINVAL;
00119 return STATUS_ERR;
00120 }
00121
00122 if (!qpol_policy_has_capability(policy, QPOL_CAP_RULES_LOADED)) {
00123 ERR(policy, "%s", "Cannot get conditionals: Rules not loaded");
00124 errno = ENOTSUP;
00125 return STATUS_ERR;
00126 }
00127
00128 db = &policy->p->p;
00129
00130 if (!(cs = calloc(1, sizeof(cond_state_t)))) {
00131 error = errno;
00132 ERR(policy, "%s", strerror(error));
00133 goto err;
00134 }
00135 cs->head = cs->cur = db->cond_list;
00136
00137 if (qpol_iterator_create(policy, (void *)cs,
00138 cond_state_get_cur, cond_state_next, cond_state_end, cond_state_size, free, iter)) {
00139 error = errno;
00140 goto err;
00141 }
00142
00143 return STATUS_SUCCESS;
00144
00145 err:
00146 free(cs);
00147 errno = error;
00148 return STATUS_ERR;
00149 }
Get an iterator over the nodes in a conditional expression. Each node represents a single token of the expression in reverse Polish notation (RPN).
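/**
 * Get an iterator over the nodes in a conditional expression.  Each node
 * represents a single token of the expression in reverse Polish notation.
 *
 * @param policy Policy associated with the conditional.
 * @param cond The conditional whose expression is iterated.
 * @param iter On success receives an iterator over the expression nodes;
 * the iterator's private state is released with free() when the iterator
 * is destroyed.  Set to NULL on error.
 * @return STATUS_SUCCESS on success, STATUS_ERR on failure with errno set:
 * EINVAL for a NULL argument, otherwise the errno left by calloc() or
 * qpol_iterator_create().
 *
 * Generated-docs cross-reference: defined at line 217 of cond_query.c;
 * referenced by apol_compare_cond_expr(), apol_cond_expr_render(),
 * avrule_build_cond(), print_te_results(), and terule_build_cond().
 */
int qpol_cond_get_expr_node_iter(const qpol_policy_t *policy, const qpol_cond_t *cond, qpol_iterator_t **iter)
{
	int error = 0;
	cond_expr_state_t *ces = NULL;
	cond_node_t *internal_cond = NULL;

	if (iter)
		*iter = NULL;

	if (!policy || !cond || !iter) {
		ERR(policy, "%s", strerror(EINVAL));
		errno = EINVAL;
		return STATUS_ERR;
	}

	/* Only the conditional's own expression list is needed here; the
	 * policydb is not consulted. */
	internal_cond = (cond_node_t *) cond;

	if (!(ces = calloc(1, sizeof(cond_expr_state_t)))) {
		error = errno;
		ERR(policy, "%s", strerror(error));
		goto err;
	}
	ces->head = ces->cur = internal_cond->expr;

	/* On success the iterator owns ces and frees it with free(). */
	if (qpol_iterator_create(policy, (void *)ces,
				 cond_expr_state_get_cur, cond_expr_state_next, cond_expr_state_end,
				 cond_expr_state_size, free, iter)) {
		error = errno;
		goto err;
	}

	return STATUS_SUCCESS;

err:
	free(ces);
	errno = error;
	return STATUS_ERR;
}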
Get an iterator over all av rules in a conditional's true list of a rule type in rule_type_mask.
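/**
 * Get an iterator over all av rules in a conditional's true list whose
 * rule type is in rule_type_mask.
 *
 * @param policy Policy associated with the conditional.
 * @param cond The conditional whose true list is iterated.
 * @param rule_type_mask Bitwise OR of QPOL_RULE_ALLOW, QPOL_RULE_NEVERALLOW,
 * QPOL_RULE_AUDITALLOW and QPOL_RULE_DONTAUDIT; any other bit is rejected
 * with EINVAL.
 * @param iter On success receives an iterator over the matching rules; the
 * iterator's private state is released with free() when the iterator is
 * destroyed.  Set to NULL on error.
 * @return STATUS_SUCCESS on success, STATUS_ERR on failure with errno set:
 * EINVAL for a NULL argument or an invalid mask, otherwise the errno left
 * by calloc() or qpol_iterator_create().
 *
 * Generated-docs cross-reference: defined at line 329 of cond_query.c.
 */
int qpol_cond_get_av_true_iter(const qpol_policy_t *policy, const qpol_cond_t *cond, uint32_t rule_type_mask,
			       qpol_iterator_t **iter)
{
	int error = 0;
	cond_rule_state_t *crs = NULL;
	cond_node_t *internal_cond = NULL;

	if (iter)
		*iter = NULL;

	if (!policy || !cond || !iter) {
		ERR(policy, "%s", strerror(EINVAL));
		errno = EINVAL;
		return STATUS_ERR;
	}

	/* Reject any bit outside the AV rule types this list can hold. */
	if (rule_type_mask & ~(QPOL_RULE_ALLOW | QPOL_RULE_NEVERALLOW | QPOL_RULE_AUDITALLOW | QPOL_RULE_DONTAUDIT)) {
		ERR(policy, "%s", strerror(EINVAL));
		errno = EINVAL;
		return STATUS_ERR;
	}

	/* Only the conditional's own true list is needed; the policydb is not
	 * consulted. */
	internal_cond = (cond_node_t *) cond;

	if (!(crs = calloc(1, sizeof(cond_rule_state_t)))) {
		error = errno;
		ERR(policy, "%s", strerror(error));
		goto err;
	}
	crs->head = crs->cur = internal_cond->true_list;
	crs->rule_type_mask = rule_type_mask;

	/* On success the iterator owns crs and frees it with free(). */
	if (qpol_iterator_create(policy, (void *)crs,
				 cond_rule_state_get_cur, cond_rule_state_next, cond_rule_state_end,
				 cond_rule_state_size, free, iter)) {
		error = errno;
		goto err;
	}

	/* The cursor starts at the raw list head, which may not match the mask;
	 * advance once so the first item returned is a matching rule.
	 * (cond_rule_state_next presumably applies the mask to later entries --
	 * confirm against its definition.) */
	if (crs->cur && !(crs->cur->node->key.specified & crs->rule_type_mask))
		qpol_iterator_next(*iter);

	return STATUS_SUCCESS;

err:
	free(crs);
	errno = error;
	return STATUS_ERR;
}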
Get an iterator over all type rules in a conditional's true list of a rule type in rule_type_mask.
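/**
 * Get an iterator over all type rules in a conditional's true list whose
 * rule type is in rule_type_mask.
 *
 * @param policy Policy associated with the conditional.
 * @param cond The conditional whose true list is iterated.
 * @param rule_type_mask Bitwise OR of QPOL_RULE_TYPE_TRANS,
 * QPOL_RULE_TYPE_CHANGE and QPOL_RULE_TYPE_MEMBER; any other bit is
 * rejected with EINVAL.
 * @param iter On success receives an iterator over the matching rules; the
 * iterator's private state is released with free() when the iterator is
 * destroyed.  Set to NULL on error.
 * @return STATUS_SUCCESS on success, STATUS_ERR on failure with errno set:
 * EINVAL for a NULL argument or an invalid mask, otherwise the errno left
 * by calloc() or qpol_iterator_create().
 *
 * Generated-docs cross-reference: defined at line 381 of cond_query.c.
 */
int qpol_cond_get_te_true_iter(const qpol_policy_t *policy, const qpol_cond_t *cond, uint32_t rule_type_mask,
			       qpol_iterator_t **iter)
{
	int error = 0;
	cond_rule_state_t *crs = NULL;
	cond_node_t *internal_cond = NULL;

	if (iter)
		*iter = NULL;

	if (!policy || !cond || !iter) {
		ERR(policy, "%s", strerror(EINVAL));
		errno = EINVAL;
		return STATUS_ERR;
	}

	/* Reject any bit outside the type rule kinds this list can hold. */
	if (rule_type_mask & ~(QPOL_RULE_TYPE_TRANS | QPOL_RULE_TYPE_CHANGE | QPOL_RULE_TYPE_MEMBER)) {
		ERR(policy, "%s", strerror(EINVAL));
		errno = EINVAL;
		return STATUS_ERR;
	}

	/* Only the conditional's own true list is needed; the policydb is not
	 * consulted. */
	internal_cond = (cond_node_t *) cond;

	if (!(crs = calloc(1, sizeof(cond_rule_state_t)))) {
		error = errno;
		ERR(policy, "%s", strerror(error));
		goto err;
	}
	crs->head = crs->cur = internal_cond->true_list;
	crs->rule_type_mask = rule_type_mask;

	/* On success the iterator owns crs and frees it with free(). */
	if (qpol_iterator_create(policy, (void *)crs,
				 cond_rule_state_get_cur, cond_rule_state_next, cond_rule_state_end,
				 cond_rule_state_size, free, iter)) {
		error = errno;
		goto err;
	}

	/* The cursor starts at the raw list head, which may not match the mask;
	 * advance once so the first item returned is a matching rule.
	 * (cond_rule_state_next presumably applies the mask to later entries --
	 * confirm against its definition.) */
	if (crs->cur && !(crs->cur->node->key.specified & crs->rule_type_mask))
		qpol_iterator_next(*iter);

	return STATUS_SUCCESS;

err:
	free(crs);
	errno = error;
	return STATUS_ERR;
}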
Get an iterator over all av rules in a conditional's false list of a rule type in rule_type_mask.
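/**
 * Get an iterator over all av rules in a conditional's false list whose
 * rule type is in rule_type_mask.
 *
 * @param policy Policy associated with the conditional.
 * @param cond The conditional whose false list is iterated.
 * @param rule_type_mask Bitwise OR of QPOL_RULE_ALLOW, QPOL_RULE_NEVERALLOW,
 * QPOL_RULE_AUDITALLOW and QPOL_RULE_DONTAUDIT; any other bit is rejected
 * with EINVAL.
 * @param iter On success receives an iterator over the matching rules; the
 * iterator's private state is released with free() when the iterator is
 * destroyed.  Set to NULL on error.
 * @return STATUS_SUCCESS on success, STATUS_ERR on failure with errno set:
 * EINVAL for a NULL argument or an invalid mask, otherwise the errno left
 * by calloc() or qpol_iterator_create().
 *
 * Generated-docs cross-reference: defined at line 433 of cond_query.c.
 */
int qpol_cond_get_av_false_iter(const qpol_policy_t *policy, const qpol_cond_t *cond, uint32_t rule_type_mask,
				qpol_iterator_t **iter)
{
	int error = 0;
	cond_rule_state_t *crs = NULL;
	cond_node_t *internal_cond = NULL;

	if (iter)
		*iter = NULL;

	if (!policy || !cond || !iter) {
		ERR(policy, "%s", strerror(EINVAL));
		errno = EINVAL;
		return STATUS_ERR;
	}

	/* Reject any bit outside the AV rule types this list can hold. */
	if (rule_type_mask & ~(QPOL_RULE_ALLOW | QPOL_RULE_NEVERALLOW | QPOL_RULE_AUDITALLOW | QPOL_RULE_DONTAUDIT)) {
		ERR(policy, "%s", strerror(EINVAL));
		errno = EINVAL;
		return STATUS_ERR;
	}

	/* Only the conditional's own false list is needed; the policydb is not
	 * consulted. */
	internal_cond = (cond_node_t *) cond;

	if (!(crs = calloc(1, sizeof(cond_rule_state_t)))) {
		error = errno;
		ERR(policy, "%s", strerror(error));
		goto err;
	}
	crs->head = crs->cur = internal_cond->false_list;
	crs->rule_type_mask = rule_type_mask;

	/* On success the iterator owns crs and frees it with free(). */
	if (qpol_iterator_create(policy, (void *)crs,
				 cond_rule_state_get_cur, cond_rule_state_next, cond_rule_state_end,
				 cond_rule_state_size, free, iter)) {
		error = errno;
		goto err;
	}

	/* The cursor starts at the raw list head, which may not match the mask;
	 * advance once so the first item returned is a matching rule.
	 * (cond_rule_state_next presumably applies the mask to later entries --
	 * confirm against its definition.) */
	if (crs->cur && !(crs->cur->node->key.specified & crs->rule_type_mask))
		qpol_iterator_next(*iter);

	return STATUS_SUCCESS;

err:
	free(crs);
	errno = error;
	return STATUS_ERR;
}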
Get an iterator over all type rules in a conditional's false list of a rule type in rule_type_mask.
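/**
 * Get an iterator over all type rules in a conditional's false list whose
 * rule type is in rule_type_mask.
 *
 * @param policy Policy associated with the conditional.
 * @param cond The conditional whose false list is iterated.
 * @param rule_type_mask Bitwise OR of QPOL_RULE_TYPE_TRANS,
 * QPOL_RULE_TYPE_CHANGE and QPOL_RULE_TYPE_MEMBER; any other bit is
 * rejected with EINVAL.
 * @param iter On success receives an iterator over the matching rules; the
 * iterator's private state is released with free() when the iterator is
 * destroyed.  Set to NULL on error.
 * @return STATUS_SUCCESS on success, STATUS_ERR on failure with errno set:
 * EINVAL for a NULL argument or an invalid mask, otherwise the errno left
 * by calloc() or qpol_iterator_create().
 *
 * Generated-docs cross-reference: defined at line 485 of cond_query.c.
 */
int qpol_cond_get_te_false_iter(const qpol_policy_t *policy, const qpol_cond_t *cond, uint32_t rule_type_mask,
				qpol_iterator_t **iter)
{
	int error = 0;
	cond_rule_state_t *crs = NULL;
	cond_node_t *internal_cond = NULL;

	if (iter)
		*iter = NULL;

	if (!policy || !cond || !iter) {
		ERR(policy, "%s", strerror(EINVAL));
		errno = EINVAL;
		return STATUS_ERR;
	}

	/* Reject any bit outside the type rule kinds this list can hold. */
	if (rule_type_mask & ~(QPOL_RULE_TYPE_TRANS | QPOL_RULE_TYPE_CHANGE | QPOL_RULE_TYPE_MEMBER)) {
		ERR(policy, "%s", strerror(EINVAL));
		errno = EINVAL;
		return STATUS_ERR;
	}

	/* Only the conditional's own false list is needed; the policydb is not
	 * consulted. */
	internal_cond = (cond_node_t *) cond;

	if (!(crs = calloc(1, sizeof(cond_rule_state_t)))) {
		error = errno;
		ERR(policy, "%s", strerror(error));
		goto err;
	}
	crs->head = crs->cur = internal_cond->false_list;
	crs->rule_type_mask = rule_type_mask;

	/* On success the iterator owns crs and frees it with free(). */
	if (qpol_iterator_create(policy, (void *)crs,
				 cond_rule_state_get_cur, cond_rule_state_next, cond_rule_state_end,
				 cond_rule_state_size, free, iter)) {
		error = errno;
		goto err;
	}

	/* The cursor starts at the raw list head, which may not match the mask;
	 * advance once so the first item returned is a matching rule.
	 * (cond_rule_state_next presumably applies the mask to later entries --
	 * confirm against its definition.) */
	if (crs->cur && !(crs->cur->node->key.specified & crs->rule_type_mask))
		qpol_iterator_next(*iter);

	return STATUS_SUCCESS;

err:
	free(crs);
	errno = error;
	return STATUS_ERR;
}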
Evaluate the expression of a conditional using current boolean values in the policy.
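/**
 * Evaluate the expression of a conditional using the current boolean
 * values in the policy.
 *
 * @param policy Policy whose boolean values are used for the evaluation.
 * @param cond The conditional to evaluate.
 * @param is_true On success set to 1 if the expression evaluates true and
 * 0 otherwise.  Always 0 on error (it is never left holding the converted
 * error value of the evaluator).
 * @return STATUS_SUCCESS on success, STATUS_ERR on failure with errno set:
 * EINVAL for a NULL argument, ERANGE if the evaluator did not yield 0 or 1.
 *
 * Generated-docs cross-reference: defined at line 537 of cond_query.c;
 * referenced by avrule_build_cond(), print_syn_av_results(),
 * print_syn_te_results(), and terule_build_cond().
 */
int qpol_cond_eval(const qpol_policy_t *policy, const qpol_cond_t *cond, uint32_t *is_true)
{
	int error = 0;
	int result = 0;
	cond_node_t *internal_cond = NULL;

	if (is_true)
		*is_true = 0;

	if (!policy || !cond || !is_true) {
		ERR(policy, "%s", strerror(EINVAL));
		errno = EINVAL;
		return STATUS_ERR;
	}

	internal_cond = (cond_node_t *) cond;

	/* A well-formed expression evaluates to 0 or 1; anything else (the
	 * evaluator signals failure with a negative value) is out of range.
	 * Only store the result once it is known to be valid. */
	result = cond_evaluate_expr(&policy->p->p, internal_cond->expr);
	if (result < 0 || result > 1) {
		error = ERANGE;
		goto err;
	}
	*is_true = (uint32_t) result;

	return STATUS_SUCCESS;

err:
	ERR(policy, "%s", strerror(error));
	errno = error;
	return STATUS_ERR;
}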
Get the type of an expression node.
/**
 * Get the type of an expression node.
 *
 * @param policy Policy associated with the node (used only for error
 * reporting).
 * @param node The expression node to query.
 * @param expr_type On success receives the node's type, one of the
 * QPOL_COND_EXPR_* values.  Set to 0 on error.
 * @return STATUS_SUCCESS on success, STATUS_ERR with errno set to EINVAL
 * if any argument is NULL.
 *
 * Generated-docs cross-reference: defined at line 566 of cond_query.c;
 * referenced by apol_compare_cond_expr(), apol_cond_expr_render(),
 * avrule_build_cond(), and terule_build_cond().
 */
int qpol_cond_expr_node_get_expr_type(const qpol_policy_t *policy, const qpol_cond_expr_node_t *node, uint32_t *expr_type)
{
	/* Clear the out-parameter before validating so it is well-defined on error. */
	if (expr_type != NULL) {
		*expr_type = 0;
	}

	if (policy == NULL || node == NULL || expr_type == NULL) {
		ERR(policy, "%s", strerror(EINVAL));
		errno = EINVAL;
		return STATUS_ERR;
	}

	const cond_expr_t *expr = (const cond_expr_t *) node;
	*expr_type = expr->expr_type;

	return STATUS_SUCCESS;
}
Get the boolean used in an expression node. This is only valid when the node's expression type is QPOL_COND_EXPR_BOOL.
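/**
 * Get the boolean used in an expression node.  This is only valid when the
 * node's expression type is QPOL_COND_EXPR_BOOL.
 *
 * @param policy Policy whose boolean table the node refers into.
 * @param node The expression node to query.
 * @param cond_bool On success receives the boolean referenced by the node.
 * Set to NULL on error.
 * @return STATUS_SUCCESS on success, STATUS_ERR with errno set to EINVAL
 * if any argument is NULL, the node is not a boolean node, the node's
 * boolean index is outside the policy's boolean table, or the table slot
 * is empty.
 *
 * Generated-docs cross-reference: defined at line 586 of cond_query.c;
 * referenced by apol_compare_cond_expr(), apol_cond_expr_render(),
 * avrule_build_cond(), and terule_build_cond().
 */
int qpol_cond_expr_node_get_bool(const qpol_policy_t *policy, const qpol_cond_expr_node_t *node, qpol_bool_t **cond_bool)
{
	int error = 0;
	cond_expr_t *internal_cond = NULL;
	policydb_t *db = NULL;

	if (cond_bool)
		*cond_bool = NULL;

	if (!policy || !node || !cond_bool) {
		ERR(policy, "%s", strerror(EINVAL));
		errno = EINVAL;
		return STATUS_ERR;
	}

	db = &policy->p->p;
	internal_cond = (cond_expr_t *) node;

	if (internal_cond->expr_type != QPOL_COND_EXPR_BOOL) {
		error = EINVAL;
		goto err;
	}

	/* Boolean values are 1-based indices into bool_val_to_struct.  A value
	 * of 0 would index at (uint32_t)-1 and a value past nprim would read
	 * beyond the table, so reject both before touching the array; the
	 * policy data is parsed input and must not be trusted to be in range. */
	if (internal_cond->bool == 0 || internal_cond->bool > db->p_bools.nprim) {
		error = EINVAL;
		goto err;
	}

	*cond_bool = (qpol_bool_t *) db->bool_val_to_struct[internal_cond->bool - 1];
	if (*cond_bool == NULL) {
		error = EINVAL;
		goto err;
	}

	return STATUS_SUCCESS;

err:
	ERR(policy, "%s", strerror(error));
	errno = error;
	return STATUS_ERR;
}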