/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */
/* FLASK */
/*
* A constraint is a condition that must be satisfied in
* order for one or more permissions to be granted.
* Constraints are used to impose additional restrictions
* beyond the type-based rules in `te' or the role-based
* transition rules in `rbac'. Constraints are typically
* used to prevent a process from transitioning to a new user
* identity or role unless it is in a privileged type.
* Constraints are likewise typically used to prevent a
* process from labeling an object with a different user
* identity.
*/
#ifndef _SEPOL_POLICYDB_CONSTRAINT_H_
#define _SEPOL_POLICYDB_CONSTRAINT_H_
#include <sepol/policydb/policydb.h>
#include <sepol/policydb/ebitmap.h>
#include <sepol/policydb/flask_types.h>
__BEGIN_DECLS
#define CEXPR_MAXDEPTH 5
struct type_set;
typedef struct constraint_expr {
#define CEXPR_NOT 1 /* not expr */
#define CEXPR_AND 2 /* expr and expr */
#define CEXPR_OR 3 /* expr or expr */
#define CEXPR_ATTR 4 /* attr op attr */
#define CEXPR_NAMES 5 /* attr op names */
uint32_t expr_type; /* expression type */
#define CEXPR_USER 1 /* user */
#define CEXPR_ROLE 2 /* role */
#define CEXPR_TYPE 4 /* type */
#define CEXPR_TARGET 8 /* target if set, source otherwise */
#define CEXPR_XTARGET 16 /* special 3rd target for validatetrans rule */
#define CEXPR_L1L2 32 /* low level 1 vs. low level 2 */
#define CEXPR_L1H2 64 /* low level 1 vs. high level 2 */
#define CEXPR_H1L2 128 /* high level 1 vs. low level 2 */
#define CEXPR_H1H2 256 /* high level 1 vs. high level 2 */
#define CEXPR_L1H1 512 /* low level 1 vs. high level 1 */
#define CEXPR_L2H2 1024 /* low level 2 vs. high level 2 */
uint32_t attr; /* attribute */
#define CEXPR_EQ 1 /* == or eq */
#define CEXPR_NEQ 2 /* != */
#define CEXPR_DOM 3 /* dom */
#define CEXPR_DOMBY 4 /* domby */
#define CEXPR_INCOMP 5 /* incomp */
uint32_t op; /* operator */
ebitmap_t names; /* names */
struct type_set *type_names;
struct constraint_expr *next; /* next expression */
} constraint_expr_t;
typedef struct constraint_node {
sepol_access_vector_t permissions; /* constrained permissions */
constraint_expr_t *expr; /* constraint on permissions */
struct constraint_node *next; /* next constraint */
} constraint_node_t;
struct policydb;
extern int constraint_expr_init(constraint_expr_t * expr);
extern void constraint_expr_destroy(constraint_expr_t * expr);
__END_DECLS
#endif /* _CONSTRAINT_H_ */
/* FLASK */
| Name | Type | Size | Permission | Actions |
|---|---|---|---|---|
| avrule_block.h | File | 1.58 KB | 0644 |
|
| avtab.h | File | 4.61 KB | 0644 |
|
| conditional.h | File | 4.6 KB | 0644 |
|
| constraint.h | File | 2.47 KB | 0644 |
|
| context.h | File | 2.19 KB | 0644 |
|
| ebitmap.h | File | 3.08 KB | 0644 |
|
| expand.h | File | 3.55 KB | 0644 |
|
| flask.h | File | 4.88 KB | 0644 |
|
| flask_types.h | File | 1.72 KB | 0644 |
|
| hashtab.h | File | 4.18 KB | 0644 |
|
| hierarchy.h | File | 1.76 KB | 0644 |
|
| link.h | File | 498 B | 0644 |
|
| mls_types.h | File | 4.26 KB | 0644 |
|
| module.h | File | 1.48 KB | 0644 |
|
| polcaps.h | File | 694 B | 0644 |
|
| policydb.h | File | 24.91 KB | 0644 |
|
| services.h | File | 8.32 KB | 0644 |
|
| sidtab.h | File | 1.91 KB | 0644 |
|
| symtab.h | File | 1.06 KB | 0644 |
|
| util.h | File | 1.41 KB | 0644 |
|