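/**
 * @file
 * Protected interface for computing semantic policy difference.
 *
 * Internal to libpoldiff: declares the poldiff structure shared by all
 * per-item-kind diff modules (attrib, avrule, bool, cat, class, ...),
 * the callback signatures those modules implement, and the message
 * reporting helpers.  Nothing here is part of the public API.
 *
 * @author Jeremy A. Mowery jmowery@tresys.com
 * @author Jason Tang jtang@tresys.com
 *
 * Copyright (C) 2006-2007 Tresys Technology, LLC
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
 */

#ifndef POLDIFF_POLDIFF_INTERNAL_H
#define POLDIFF_POLDIFF_INTERNAL_H

#ifdef __cplusplus
extern "C"
{
#endif

#include <poldiff/poldiff.h>
#include <apol/bst.h>

/*
 * The two offset enums are declared before the per-kind internal
 * headers are included, so that those headers can refer to them
 * (presumably as array bounds / indices, as poldiff below does).
 */

/**
 * Index into poldiff::avrule_diffs, one slot per AV rule kind.
 * AVRULE_OFFSET_MAX is the number of slots, not a rule kind.
 */
typedef enum
{
	AVRULE_OFFSET_ALLOW = 0, AVRULE_OFFSET_AUDITALLOW,
	AVRULE_OFFSET_DONTAUDIT, AVRULE_OFFSET_NEVERALLOW,
	AVRULE_OFFSET_MAX
} avrule_offset_e;

/**
 * Index into poldiff::terule_diffs, one slot per type rule kind.
 * TERULE_OFFSET_MAX is the number of slots, not a rule kind.
 */
typedef enum
{
	TERULE_OFFSET_CHANGE = 0, TERULE_OFFSET_MEMBER,
	TERULE_OFFSET_TRANS,
	TERULE_OFFSET_MAX
} terule_offset_e;

#include "attrib_internal.h"
#include "avrule_internal.h"
#include "bool_internal.h"
#include "cat_internal.h"
#include "class_internal.h"
#include "level_internal.h"
#include "range_internal.h"
#include "range_trans_internal.h"
#include "rbac_internal.h"
#include "role_internal.h"
#include "terule_internal.h"
#include "user_internal.h"
#include "type_internal.h"

#include "type_map_internal.h"

/* forward declarations */
struct poldiff_attrib_summary;
struct poldiff_avrule_summary;
struct poldiff_bool_summary;
struct poldiff_cat_summary;
struct poldiff_class_summary;
struct poldiff_common_summary;
struct poldiff_level_summary;
struct poldiff_range_trans_summary;
struct poldiff_role_summary;
struct poldiff_role_allow_summary;
struct poldiff_role_trans_summary;
struct poldiff_terule_summary;
struct poldiff_type_summary;
struct poldiff_user_summary;
/* and so forth for ocon_summary structs */

/**
 * State for one semantic diff between an "original" and a "modified"
 * policy.  The per-kind *_diffs members hold the results computed so
 * far; which of them have been run is tracked by diff_status.
 * Ownership and lifetime of the pointed-to objects are defined by the
 * .c files, not visible here.
 */
struct poldiff
{
	/** the "original" policy */
	apol_policy_t *orig_pol;
	/** the "modified" policy */
	apol_policy_t *mod_pol;
	/** pointer to original's qpol policy within orig_pol */
	qpol_policy_t *orig_qpol;
	/** pointer to modified's qpol policy within mod_pol */
	qpol_policy_t *mod_qpol;
	/** non-zero if rules' line numbers are accurate */
	int line_numbers_enabled;
	/** BST of duplicated strings, used when making pseudo-rules */
	apol_bst_t *class_bst;
	/** BST of duplicated strings, used when making pseudo-rules */
	apol_bst_t *perm_bst;
	/** BST of duplicated strings, used when making pseudo-rules */
	apol_bst_t *bool_bst;
	/** message callback invoked by poldiff_handle_msg() (see below) */
	poldiff_handle_fn_t fn;
	/** opaque caller data; presumably handed to fn unchanged */
	void *handle_arg;
	/** set of POLDIF_DIFF_* bits for diffs run */
	uint32_t diff_status;
	/* per-kind diff results; the avrule/terule arrays are indexed by
	 * avrule_offset_e / terule_offset_e respectively */
	struct poldiff_attrib_summary *attrib_diffs;
	struct poldiff_avrule_summary *avrule_diffs[AVRULE_OFFSET_MAX];
	struct poldiff_bool_summary *bool_diffs;
	struct poldiff_cat_summary *cat_diffs;
	struct poldiff_class_summary *class_diffs;
	struct poldiff_common_summary *common_diffs;
	struct poldiff_level_summary *level_diffs;
	struct poldiff_range_trans_summary *range_trans_diffs;
	struct poldiff_role_summary *role_diffs;
	struct poldiff_role_allow_summary *role_allow_diffs;
	struct poldiff_role_trans_summary *role_trans_diffs;
	struct poldiff_terule_summary *terule_diffs[TERULE_OFFSET_MAX];
	struct poldiff_type_summary *type_diffs;
	struct poldiff_user_summary *user_diffs;
	/* and so forth if we want ocon_diffs */
	/** mapping of types between the two policies (see type_map_internal.h) */
	type_map_t *type_map;
	/** most recently used flags to open the two policies */
	int policy_opts;
	/** set if type mapping was changed since last run */
	int remapped;
};

/**
 * Callback function signature for getting a vector of all unique
 * items of a given kind in a policy.  The vector must be sorted
 * prior to returning from this function.
 *
 * @param diff Policy diff error handler.
 * @param policy The policy from which to get the items.
 * @return a newly allocated vector of all unique items of the
 * appropriate kind on success, or NULL on error; if the call fails,
 * errno will be set.
 */
typedef apol_vector_t *(*poldiff_get_items_fn_t) (poldiff_t * diff, const apol_policy_t * policy);

/**
 * Callback function signature for quickly comparing two items to
 * determine if they are semantically the same item.  This operation
 * should quickly determine if the two are obviously different or
 * not.
 *
 * @param x The item from the original policy.
 * @param y The item from the modified policy.
 * @param diff The policy difference structure associated with both
 * items.
 *
 * @return Expected return value from this function is < 0, 0, or > 0
 * if item x is respectively less than, equal to, or greater than item y.
 * This must be able to return a defined stable ordering for all items
 * not semantically equivalent (callers sort with it, so an unstable
 * ordering would produce spurious added/removed entries).
 */
typedef int (*poldiff_item_comp_fn_t) (const void *x, const void *y, const poldiff_t * diff);

/**
 * Callback function signature for creating, initializing and inserting
 * a new semantic difference entry for an item.
 *
 * @param diff The policy difference structure to which to add the entry.
 * @param form The form of the difference, one of POLDIFF_FORM_ADDED or
 * POLDIFF_FORM_REMOVED.
 * @param item Item for which the entry is being created.
 * @return Expected return value from this function is 0 on success and
 * < 0 on error; if the call fails, it is expected to set errno and to
 * leave the policy difference structure unchanged.
 */
typedef int (*poldiff_new_diff_fn_t) (poldiff_t * diff, poldiff_form_e form, const void *item);

/**
 * Callback function signature for computing the semantic difference of
 * two items for which the compare callback returns 0.  This function
 * should calculate the difference of any properties of the items and,
 * if a difference is found, allocate, initialize, and insert a new
 * semantic difference entry for that item.
 *
 * @param diff The policy difference structure associated with both items
 * and to which to add an entry if needed.
 * @param x The item from the original policy.
 * @param y The item from the modified policy.
 * @return Expected return value from this function is 0 on success and
 * < 0 on error; if the call fails, it is expected to set errno and to
 * leave the policy difference structure unchanged.
 */
typedef int (*poldiff_deep_diff_fn_t) (poldiff_t * diff, const void *x, const void *y);

/**
 * Callback function signature for resetting the diff results for an
 * item kind.  Called when the mapping of the symbols used by the diff
 * changes (see poldiff::remapped).
 *
 * @param diff The policy difference structure containing the diffs
 * to reset.
 * @return 0 on success and < 0 on error; if the call fails,
 * it is expected to set errno.
 */
typedef int (*poldiff_reset_fn_t) (poldiff_t * diff);

/******************** error handling code below ********************/

/* severity levels passed to poldiff_handle_msg() */
#define POLDIFF_MSG_ERR 1
#define POLDIFF_MSG_WARN 2
#define POLDIFF_MSG_INFO 3

/**
 * Write a message to the callback stored within a poldiff error
 * handler (the fn member of struct poldiff; there is no separate
 * msg_callback member).  If that callback is empty then suppress the
 * message.
 *
 * The format attribute lets the compiler check fmt against the
 * variadic arguments at every call site, including calls made through
 * the ERR/WARN/INFO macros below.  fmt must therefore be a string
 * literal; text from outside the library goes through "%s".
 *
 * @param p Error reporting handler.  If NULL then write message to
 * stderr.
 * @param level Severity of message, one of POLDIFF_MSG_ERR,
 * POLDIFF_MSG_WARN, or POLDIFF_MSG_INFO.
 * @param fmt Format string to print, using syntax of printf(3).
 */
__attribute__ ((format(printf, 3, 4))) extern void poldiff_handle_msg(const poldiff_t * p, int level, const char *fmt, ...);

/* drop any same-named macros a previously included header may define */
#undef ERR
#undef WARN
#undef INFO

/*
 * Convenience wrappers around poldiff_handle_msg().  The `##` before
 * __VA_ARGS__ (a GNU/Clang preprocessor extension, consistent with
 * the __attribute__ use above) removes the preceding comma when no
 * arguments follow format, so both `ERR(diff, "out of memory")` and
 * `ERR(diff, "%s", strerror(errno))` expand to a valid call; without
 * it the first form is a syntax error.
 */
#define ERR(handle, format, ...) poldiff_handle_msg(handle, POLDIFF_MSG_ERR, format, ##__VA_ARGS__)
#define WARN(handle, format, ...) poldiff_handle_msg(handle, POLDIFF_MSG_WARN, format, ##__VA_ARGS__)
#define INFO(handle, format, ...) poldiff_handle_msg(handle, POLDIFF_MSG_INFO, format, ##__VA_ARGS__)

/**
 * Build the BST for classes, permissions, and booleans if the
 * policies have changed.  This effectively provides a partial mapping
 * of rules from one policy to the other.
 *
 * @param diff Policy difference structure containing policies to diff.
 *
 * @return 0 on success, < 0 on error.
 */
int poldiff_build_bsts(poldiff_t * diff);

#ifdef __cplusplus
}
#endif

#endif /* POLDIFF_POLDIFF_INTERNAL_H */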