18399 lines
605 KiB
Diff
18399 lines
605 KiB
Diff
diff --git a/ChangeLog b/ChangeLog
|
|
index 1bce21d..c13a4dc 100644
|
|
--- a/ChangeLog
|
|
+++ b/ChangeLog
|
|
@@ -1,3 +1,40 @@
|
|
+2014-04-15 Richard Haines <richard_c_haines@btinternet.com>
|
|
+
|
|
+ * Updates to libqpol to support policy source file expansion
|
|
+ to version 29. Source policies with the filename transition
|
|
+ rule will have their entries expanded twice, this is a bug
|
|
+ in libsepol.
|
|
+ Fixed bug in default_range to now diplay range component.
|
|
+
|
|
+2014-04-14 Richard Haines <richard_c_haines@btinternet.com>
|
|
+
|
|
+ * Updates to apol and the libapol/libqpol libraries to support
|
|
+ new policy statements and rules to version 29 (Note the features
|
|
+ for loading source code (policy.conf etc.) have not been updated
|
|
+ to support the new statements and rules.
|
|
+ These are the enhancements and bug fixes:
|
|
+ * Add permissive type and typebound support to Types tab.
|
|
+ * Add new Constraints tab to search all constraint statements.
|
|
+ * Add new Bounds tab to search for userbound, rolebound and
|
|
+ typebound statements.
|
|
+ * Add new policy capabilities tab.
|
|
+ * Add filename type_transition support on TE Rules tab.
|
|
+ * Add new Default Object tab to support defaultuser, defaultrole,
|
|
+ defaulttype and defaultrange rules.
|
|
+ * Add new Namespaces tab to list CIL namespaces. This will also
|
|
+ show any users, roles, types, classes, booleans, sensitivities
|
|
+ and categories declared in each namespace.
|
|
+ * Update Query/Policy Summary page to show the number of new
|
|
+ rules added plus the policy handle_unknown flag.
|
|
+ * Fixed File Contexts tab to stop hang when building the fc
|
|
+ index when broken links/files found (libsefs).
|
|
+ * Fixed Booleans tab to display CIL namespace booleans.
|
|
+ * Updated apol_help.txt to reflect the changes made plus how to
|
|
+ load the running policy.
|
|
+
|
|
+2014-01-16 Chris PeBenito <cpebenito@tresys.com>
|
|
+ * Fix bug preventing sediffx from starting.
|
|
+
|
|
2013-01-08 Steve Lawrence <slawrence@tresys.com>
|
|
|
|
* SETools 3.3.8
|
|
diff --git a/README b/README
|
|
index 04b159b..fcd6378 100644
|
|
--- a/README
|
|
+++ b/README
|
|
@@ -1,4 +1,4 @@
|
|
-SETools - Policy analysis tools for SELinux (C) 2001-2010
|
|
+SETools - Policy analysis tools for SELinux (C) 2001-2014
|
|
Tresys Technology
|
|
setools@tresys.com, http://oss.tresys.com/projects/setools
|
|
|
|
@@ -9,7 +9,7 @@ TABLE OF CONTENTS
|
|
1. Overview
|
|
2. Installation
|
|
2.1. compiling from official distribution
|
|
- 2.2. compiling from SVN checkout
|
|
+ 2.2. compiling from git clone
|
|
2.3. configure flags
|
|
2.4. using development version of SELinux
|
|
2.5. Logwatch support
|
|
@@ -119,11 +119,11 @@ Assuming that /usr/local/bin is in your $PATH and /usr/local/lib in
|
|
$LD_LIBRARY_PATH everything should now work.
|
|
|
|
|
|
-2.2. compiling from SVN checkout
|
|
+2.2. compiling from git clone
|
|
--------------------------------
|
|
|
|
If you prefer the bleeding edge of SETools development, you could
|
|
-instead obtain the development version of SETools from the Subversion
|
|
+instead obtain the development version of SETools from the git
|
|
repository (see Section 4).
|
|
|
|
$ cd setools
|
|
@@ -424,13 +424,13 @@ Open Source Software website, http://oss.tresys.com/projects/setools.
|
|
Tresys builds RPM packages of SETools. They may also be obtained from
|
|
the website listed above.
|
|
|
|
-SETools source code is maintained within a Subversion repository.
|
|
+SETools source code is maintained within a git repository.
|
|
From the command line do:
|
|
|
|
- $ svn co http://oss.tresys.com/repos/setools/trunk/ setools
|
|
+ $ git clone https://github.com/TresysTechnology/setools3.git
|
|
|
|
-You may also browse the SVN repository at
|
|
-http://oss.tresys.com/projects/setools/browser.
|
|
+You may also browse the git repository at
|
|
+https://github.com/TresysTechnology/setools3
|
|
|
|
Other binary releases SETools are available for your favorite Linux
|
|
packaging system from third-party sources. Gentoo users have an
|
|
diff --git a/apol/Makefile.am b/apol/Makefile.am
|
|
index 646d8b1..4fc5562 100644
|
|
--- a/apol/Makefile.am
|
|
+++ b/apol/Makefile.am
|
|
@@ -27,12 +27,15 @@ dist_setools_DATA = apol_help.txt domaintrans_help.txt file_relabel_help.txt \
|
|
|
|
EXTRA_DIST = \
|
|
analysis_tab.tcl \
|
|
+ bounds_tab.tcl \
|
|
classes_perms_tab.tcl \
|
|
common_widgets.tcl \
|
|
cond_bools_tab.tcl \
|
|
cond_rules_tab.tcl \
|
|
+ constraints_tab.tcl \
|
|
context_dialog.tcl \
|
|
context_selector.tcl \
|
|
+ default_objects_tab.tcl \
|
|
directflow_module.tcl \
|
|
domaintrans_module.tcl \
|
|
file_contexts_tab.tcl \
|
|
@@ -43,9 +46,11 @@ EXTRA_DIST = \
|
|
initial_sids_tab.tcl \
|
|
level_dialog.tcl \
|
|
mls_tab.tcl \
|
|
+ namespaces_tab.tcl \
|
|
netcontexts_tab.tcl \
|
|
open_policy_dialog.tcl \
|
|
perms_map.tcl \
|
|
+ polcap_tab.tcl \
|
|
policyconf.tcl \
|
|
progress_dialog.tcl \
|
|
range_dialog.tcl \
|
|
diff --git a/apol/apol_help.txt b/apol/apol_help.txt
|
|
index aad309b..1ed5a9e 100644
|
|
--- a/apol/apol_help.txt
|
|
+++ b/apol/apol_help.txt
|
|
@@ -29,7 +29,7 @@ not report line numbers when searching monolithic binary polices.
|
|
|
|
Apol provides compatibility with the current and previous policy
|
|
syntax. It supports analysis of monolithic policy versions 12 to the
|
|
-current version 21 and modular policy versions 5 and 6.
|
|
+current version 29 and modular policy versions to 17.
|
|
|
|
See setools/ChangeLog for a list of new features in this release. See
|
|
setools/KNOWN_BUGS for a list of current bugs.
|
|
@@ -40,7 +40,12 @@ Menus
|
|
Use 'Open' from the File menu to open a valid policy. The policy may
|
|
be monolithic or be composed of a base linked with multiple modules.
|
|
Only one policy can be open at a time; opening a second policy will
|
|
-result in the first being closed.
|
|
+result in the first being closed. Note: If the kernel supports reading
|
|
+the currently loaded policy, then select "monolithic" and set the
|
|
+"Policy filename" path to either:
|
|
+ /selinux/policy
|
|
+ or
|
|
+ /sys/fs/selinux/policy
|
|
|
|
The Query menu allows the user to save or load a query for a TE Rules
|
|
search or for an analysis module listed on the Analysis tab. Saving a
|
|
@@ -85,6 +90,8 @@ relate the core components of an SELinux policy.
|
|
to search for types and/or attributes using a POSIX-style regular
|
|
expression.
|
|
|
|
+ Permissive and bound types may also be searched.
|
|
+
|
|
Classes/Perms tab
|
|
-----------------
|
|
Use the Classes/Perms tab to view and search object classes, common
|
|
@@ -149,6 +156,23 @@ relate the core components of an SELinux policy.
|
|
Select the FS Contexts tab to search filesystem-based contexts
|
|
(fs_use_ and genfscon statements) defined in the policy.
|
|
|
|
+ Policy Capabilities tab
|
|
+ ---------------
|
|
+ Select the Policy Capabilities tab to display policy capabilities
|
|
+ defined in the policy.
|
|
+
|
|
+ Policy Namespaces tab
|
|
+ ---------------
|
|
+ Select the Policy Namespaces tab to display the namespaces defined
|
|
+ in the policy. For policies with a single namespace there will be
|
|
+ one namespace displayed: "GLOBAL-NS". For policies that can define
|
|
+ multiple namespaces (e.g CIL), all namespaces will be displayed
|
|
+ including "GLOBAL-NS".
|
|
+ If the namespace entry is double clicked then a list of Users, Roles,
|
|
+ Types, Attributes, Classes and Booleans applicable to that namespace
|
|
+ will be displayed (also if MLS enabled the Sensitivities and
|
|
+ Categories will also be shown).
|
|
+
|
|
|
|
Policy Rules tabs
|
|
-----------------
|
|
@@ -226,6 +250,10 @@ rules in a policy based on selected search criteria.
|
|
the checkbox is enabled, returned rules instead will contain
|
|
all of them.
|
|
|
|
+ 4. FILENAME SUBTAB: provides options to refine a search
|
|
+ using the file name type_transition rule filename. Only rules
|
|
+ that contain the selected file name will be returned.
|
|
+
|
|
In the Results Tab for a given search, all rules that meet the
|
|
search criteria are displayed. In addition, if the policy that is
|
|
opened is capable of showing line numbers, a hyperlink for each rule
|
|
@@ -260,6 +288,57 @@ rules in a policy based on selected search criteria.
|
|
[Enabled] - indicates the rule is enabled
|
|
[Disabled] - indicates the rule is disabled
|
|
|
|
+ Constraints tab
|
|
+ ---------------
|
|
+ Select the Constraints tab to search through the constrain and
|
|
+ validatetrans constraint rules. If the current policy supports MLS
|
|
+ then these variants are also enabled.
|
|
+
|
|
+ Four different types of search criteria exist for constraints:
|
|
+
|
|
+ 1. CONSTRAINT SELECTION: provides options to limit the scope of the
|
|
+ search as only those constraints selected will be included in the
|
|
+ search. At least one must be selected. NOTE: If no additional
|
|
+ search criteria is specified, apol will search for all of the
|
|
+ selected constraints.
|
|
+
|
|
+ 2. CLASSES/PERMISSIONS SUBTAB: provides options to refine a search
|
|
+ using object classes and/or permissions in the same way as the
|
|
+ TE Rules tab described above. Note that the validatetrans rules
|
|
+ do not use permissions.
|
|
+
|
|
+ 3. LEFT SIDE OF EXPRESSION SUBTAB: provides an option to refine a
|
|
+ search based on the left keyword of a constraint. When checked
|
|
+ the left hand side of each expression is read from the policy and
|
|
+ displayed in the drop down box. A single keyword may then be
|
|
+ selected.
|
|
+
|
|
+ 4. RIGHT SIDE OF EXPRESSION SUBTAB: provides options to refine a
|
|
+ search based on either the right keyword, user, role, type or type
|
|
+ attribute of a constraint. When one of the boxes is checked
|
|
+ the right keywords, users, roles, types or type attributes are
|
|
+ read from the policy and displayed in the drop down box. A single
|
|
+ item may then be selected.
|
|
+
|
|
+ Note: When displaying the constraint details from a binary policy, the
|
|
+ result will depend on the policy version:
|
|
+ a) For versions <= 28 it will always display types as the
|
|
+ compiler expanded any attributes before writing the binary
|
|
+ policy. Therefore searches should always be for types.
|
|
+ b) For versions >= 29 it will display whatever was defined in
|
|
+ the source policy, therefore searches may be on types or
|
|
+ attributes.
|
|
+
|
|
+ The Constraints Tab also supports multiple results windows. Each
|
|
+ active window remembers the search options used for it, and will set
|
|
+ all the options accordingly when selected. Use the "Update Search"
|
|
+ button to change the results displayed for the current window based
|
|
+ on the current search option. "New Search" creates a new results
|
|
+ window based on the current search options. Use the "Close Tab" bar
|
|
+ at the bottom to destroy a results window. Also, the Constraints tab
|
|
+ provides the means to save/load search criteria to a file (see Menus
|
|
+ section above).
|
|
+
|
|
RBAC Rules tab
|
|
--------------
|
|
Select the RBAC Rules tab to search role-based access control rules.
|
|
@@ -271,13 +350,18 @@ rules in a policy based on selected search criteria.
|
|
|
|
Range Transition Rules tab
|
|
--------------------------
|
|
- Select the Range Transition Rules tab to search to search
|
|
+ Select the Range Transition Rules tab to search for
|
|
range_transition rules by source and target types and by the MLS
|
|
range. There are three options when searching for ranges; find
|
|
exact matches to the entered range, find rules that have ranges
|
|
that contain the entered range, or find rules that have ranges
|
|
within the entered range.
|
|
|
|
+ Bounds Rules tab
|
|
+ --------------------------
|
|
+ Select the Bounds Rules tab to search for userbound, rolebound or
|
|
+ typebound rules by parent or child types.
|
|
+
|
|
|
|
File Contexts tab
|
|
-----------------
|
|
diff --git a/apol/bounds_tab.tcl b/apol/bounds_tab.tcl
|
|
new file mode 100644
|
|
index 0000000..906eade
|
|
--- /dev/null
|
|
+++ b/apol/bounds_tab.tcl
|
|
@@ -0,0 +1,433 @@
|
|
+# Copyright (C) 2001-2007 Tresys Technology, LLC
|
|
+# This program is free software; you can redistribute it and/or modify
|
|
+# it under the terms of the GNU General Public License as published by
|
|
+# the Free Software Foundation; either version 2 of the License, or
|
|
+# (at your option) any later version.
|
|
+#
|
|
+# This program is distributed in the hope that it will be useful,
|
|
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+# GNU General Public License for more details.
|
|
+#
|
|
+# You should have received a copy of the GNU General Public License
|
|
+# along with this program; if not, write to the Free Software
|
|
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
|
+
|
|
+namespace eval Apol_Bounds {
|
|
+ variable vals
|
|
+ variable widgets
|
|
+}
|
|
+
|
|
+proc Apol_Bounds::create {tab_name nb} {
|
|
+ variable vals
|
|
+ variable widgets
|
|
+
|
|
+ _initializeVars
|
|
+
|
|
+ set frame [$nb insert end $tab_name -text "Bounds Rules"]
|
|
+ set topf [frame $frame.top]
|
|
+ set bottomf [frame $frame.bottom]
|
|
+ pack $topf -expand 0 -fill both -pady 2
|
|
+ pack $bottomf -expand 1 -fill both -pady 2
|
|
+
|
|
+ set rsbox [TitleFrame $topf.rs -ipad 30 -text "Rule Selection"]
|
|
+ set obox [TitleFrame $topf.opts -text "Search Options"]
|
|
+ set dbox [TitleFrame $bottomf.results -text "Bounds Rules Display"]
|
|
+ pack $rsbox -side left -expand 0 -fill both -padx 2
|
|
+ pack $obox -side left -expand 1 -fill both -padx 2
|
|
+ pack $dbox -expand 1 -fill both -padx 2
|
|
+
|
|
+ # Rule selection subframe
|
|
+ set rs [$rsbox getframe]
|
|
+ radiobutton $rs.user -text user -value user \
|
|
+ -variable Apol_Bounds::vals(rule_selection)
|
|
+ radiobutton $rs.role -text role -value role \
|
|
+ -variable Apol_Bounds::vals(rule_selection)
|
|
+ radiobutton $rs.type -text type -value type \
|
|
+ -variable Apol_Bounds::vals(rule_selection)
|
|
+ trace add variable Apol_Bounds::vals(rule_selection) write \
|
|
+ [list Apol_Bounds::_ruleChanged]
|
|
+ pack $rs.user $rs.role $rs.type -side top -anchor w
|
|
+
|
|
+ set widgets(options_pm) [PagesManager [$obox getframe].opts]
|
|
+
|
|
+ _userCreate [$widgets(options_pm) add user]
|
|
+ _roleCreate [$widgets(options_pm) add role]
|
|
+ _typeCreate [$widgets(options_pm) add type]
|
|
+
|
|
+ $widgets(options_pm) compute_size
|
|
+ pack $widgets(options_pm) -expand 1 -fill both -side left
|
|
+ $widgets(options_pm) raise type
|
|
+
|
|
+ set ok [button [$obox getframe].ok -text OK -width 6 -command Apol_Bounds::_searchBounds]
|
|
+ pack $ok -side right -padx 5 -pady 5 -anchor ne
|
|
+
|
|
+ set widgets(results) [Apol_Widget::makeSearchResults [$dbox getframe].results]
|
|
+ pack $widgets(results) -expand yes -fill both
|
|
+
|
|
+ return $frame
|
|
+}
|
|
+
|
|
+proc Apol_Bounds::open {ppath} {
|
|
+ variable vals
|
|
+ variable widgets
|
|
+ $widgets(user:user_parent) configure -values $Apol_Users::users_list
|
|
+ $widgets(user:user_child) configure -values $Apol_Users::users_list
|
|
+ $widgets(role:role_parent) configure -values $Apol_Roles::role_list
|
|
+ $widgets(role:role_child) configure -values $Apol_Roles::role_list
|
|
+ $widgets(type:type_parent) configure -values $Apol_Types::typelist
|
|
+ $widgets(type:type_child) configure -values $Apol_Types::typelist
|
|
+
|
|
+ set vals(rule_selection) type
|
|
+}
|
|
+
|
|
+proc Apol_Bounds::close {} {
|
|
+ variable widgets
|
|
+
|
|
+ _initializeVars
|
|
+ $widgets(user:user_parent) configure -values {}
|
|
+ $widgets(user:user_child) configure -values {}
|
|
+ $widgets(role:role_parent) configure -values {}
|
|
+ $widgets(role:role_child) configure -values {}
|
|
+ $widgets(type:type_parent) configure -values {}
|
|
+ $widgets(type:type_child) configure -values {}
|
|
+}
|
|
+
|
|
+proc Apol_Bounds::getTextWidget {} {
|
|
+ variable widgets
|
|
+}
|
|
+
|
|
+#### private functions below ####
|
|
+
|
|
+proc Apol_Bounds::_initializeVars {} {
|
|
+ variable vals
|
|
+ array set vals {
|
|
+ rule_selection type
|
|
+
|
|
+ user_parent:use 0
|
|
+ user_parent:sym {}
|
|
+ user_child:sym {}
|
|
+ user_child:use 0
|
|
+
|
|
+ role_parent:use 0
|
|
+ role_parent:sym {}
|
|
+ role_child:sym {}
|
|
+ role_child:use 0
|
|
+
|
|
+ type_parent:use 0
|
|
+ type_parent:sym {}
|
|
+ type_child:sym {}
|
|
+ type_child:use 0
|
|
+ }
|
|
+}
|
|
+
|
|
+proc Apol_Bounds::_userCreate {a_f} {
|
|
+ variable vals
|
|
+ variable widgets
|
|
+
|
|
+ set user_parent [frame $a_f.user_parent]
|
|
+ set user_parent_cb [checkbutton $user_parent.enable -text "Parent user" \
|
|
+ -variable Apol_Bounds::vals(user_parent:use)]
|
|
+ set widgets(user:user_parent) [ComboBox $user_parent.cb -width 20 -state disabled \
|
|
+ -entrybg $ApolTop::default_bg_color \
|
|
+ -textvariable Apol_Bounds::vals(user_parent:sym) \
|
|
+ -helptext "Select the bounding user" -autopost 1]
|
|
+
|
|
+ trace add variable Apol_Bounds::vals(user_parent:use) write \
|
|
+ [list Apol_Bounds::_toggleCheckbutton $widgets(user:user_parent) {}]
|
|
+ pack $user_parent_cb -side top -anchor w
|
|
+ pack $widgets(user:user_parent) -side top -expand 0 -fill x -padx 4
|
|
+
|
|
+ pack $user_parent -side left -padx 4 -pady 2 -expand 0 -anchor nw
|
|
+
|
|
+ set user_child [frame $a_f.user_child]
|
|
+ set widgets(user:user_child_cb) [checkbutton $user_child.enable -text "Child user" \
|
|
+ -variable Apol_Bounds::vals(user_child:use)]
|
|
+ set widgets(user:user_child) [ComboBox $user_child.cb -width 20 -state disabled \
|
|
+ -entrybg $ApolTop::default_bg_color \
|
|
+ -textvariable Apol_Bounds::vals(user_child:sym) \
|
|
+ -helptext "Select the bounded user" -autopost 1]
|
|
+ trace add variable Apol_Bounds::vals(user_child:use) write \
|
|
+ [list Apol_Bounds::_toggleCheckbutton $widgets(user:user_child) {}]
|
|
+ pack $widgets(user:user_child_cb) -side top -anchor w
|
|
+ pack $widgets(user:user_child) -side top -expand 0 -fill x -padx 4
|
|
+ pack $user_child -side left -padx 4 -pady 2 -expand 0 -fill y
|
|
+}
|
|
+
|
|
+proc Apol_Bounds::_roleCreate {t_f} {
|
|
+ variable vals
|
|
+ variable widgets
|
|
+
|
|
+ set role_parent [frame $t_f.role_parent]
|
|
+ set role_parent_cb [checkbutton $role_parent.enable -text "Parent role" \
|
|
+ -variable Apol_Bounds::vals(role_parent:use)]
|
|
+ set widgets(role:role_parent) [ComboBox $role_parent.cb -width 20 -state disabled \
|
|
+ -entrybg $ApolTop::default_bg_color \
|
|
+ -textvariable Apol_Bounds::vals(role_parent:sym) \
|
|
+ -helptext "Select the bounding role" -autopost 1]
|
|
+
|
|
+ trace add variable Apol_Bounds::vals(role_parent:use) write \
|
|
+ [list Apol_Bounds::_toggleCheckbutton $widgets(role:role_parent) {}]
|
|
+ pack $role_parent_cb -side top -anchor w
|
|
+ pack $widgets(role:role_parent) -side top -expand 0 -fill x -padx 4
|
|
+
|
|
+ pack $role_parent -side left -padx 4 -pady 2 -expand 0 -anchor nw
|
|
+
|
|
+ set role_child [frame $t_f.role_child]
|
|
+ set widgets(role:role_child_cb) [checkbutton $role_child.enable -text "Child role" \
|
|
+ -variable Apol_Bounds::vals(role_child:use)]
|
|
+ set widgets(role:role_child) [ComboBox $role_child.cb -width 20 -state disabled \
|
|
+ -entrybg $ApolTop::default_bg_color \
|
|
+ -textvariable Apol_Bounds::vals(role_child:sym) \
|
|
+ -helptext "Select the bounded role" -autopost 1]
|
|
+ trace add variable Apol_Bounds::vals(role_child:use) write \
|
|
+ [list Apol_Bounds::_toggleCheckbutton $widgets(role:role_child) {}]
|
|
+ pack $widgets(role:role_child_cb) -side top -anchor w
|
|
+ pack $widgets(role:role_child) -side top -expand 0 -fill x -padx 4
|
|
+ pack $role_child -side left -padx 4 -pady 2 -expand 0 -fill y
|
|
+}
|
|
+
|
|
+proc Apol_Bounds::_typeCreate {b_t} {
|
|
+ variable vals
|
|
+ variable widgets
|
|
+
|
|
+ set type_parent [frame $b_t.type_parent]
|
|
+ set type_parent_cb [checkbutton $type_parent.enable -text "Parent type" \
|
|
+ -variable Apol_Bounds::vals(type_parent:use)]
|
|
+ set widgets(type:type_parent) [ComboBox $type_parent.cb -width 20 -state disabled \
|
|
+ -entrybg $ApolTop::default_bg_color \
|
|
+ -textvariable Apol_Bounds::vals(type_parent:sym) \
|
|
+ -helptext "Select the bounding type" -autopost 1]
|
|
+
|
|
+ trace add variable Apol_Bounds::vals(type_parent:use) write \
|
|
+ [list Apol_Bounds::_toggleCheckbutton $widgets(type:type_parent) {}]
|
|
+ pack $type_parent_cb -side top -anchor w
|
|
+ pack $widgets(type:type_parent) -side top -expand 0 -fill x -padx 4
|
|
+
|
|
+ pack $type_parent -side left -padx 4 -pady 2 -expand 0 -anchor nw
|
|
+
|
|
+ set type_child [frame $b_t.type_child]
|
|
+ set widgets(type:type_child_cb) [checkbutton $type_child.enable -text "Child type" \
|
|
+ -variable Apol_Bounds::vals(type_child:use)]
|
|
+ set widgets(type:type_child) [ComboBox $type_child.cb -width 20 -state disabled \
|
|
+ -entrybg $ApolTop::default_bg_color \
|
|
+ -textvariable Apol_Bounds::vals(type_child:sym) \
|
|
+ -helptext "Select the bounded type" -autopost 1]
|
|
+ trace add variable Apol_Bounds::vals(type_child:use) write \
|
|
+ [list Apol_Bounds::_toggleCheckbutton $widgets(type:type_child) {}]
|
|
+ pack $widgets(type:type_child_cb) -side top -anchor w
|
|
+ pack $widgets(type:type_child) -side top -expand 0 -fill x -padx 4
|
|
+ pack $type_child -side left -padx 4 -pady 2 -expand 0 -fill y
|
|
+}
|
|
+
|
|
+proc Apol_Bounds::_toggleCheckbutton {cb w name1 name2 ops} {
|
|
+ variable vals
|
|
+
|
|
+ if {$vals($name2)} {
|
|
+ $cb configure -state normal -entrybg white
|
|
+ foreach x $w {
|
|
+ $x configure -state normal
|
|
+ }
|
|
+ } else {
|
|
+ $cb configure -state disabled -entrybg $ApolTop::default_bg_color
|
|
+ foreach x $w {
|
|
+ $x configure -state disabled
|
|
+ }
|
|
+ }
|
|
+}
|
|
+
|
|
+# callback invoked when the user changes which Bounds rule to search
|
|
+proc Apol_Bounds::_ruleChanged {name1 name2 ops} {
|
|
+ variable vals
|
|
+ variable widgets
|
|
+ Apol_Widget::clearSearchResults $widgets(results)
|
|
+ $widgets(options_pm) raise $vals(rule_selection)
|
|
+}
|
|
+
|
|
+proc Apol_Bounds::_searchBounds {} {
|
|
+ variable vals
|
|
+ variable widgets
|
|
+
|
|
+ Apol_Widget::clearSearchResults $widgets(results)
|
|
+ if {![ApolTop::is_policy_open]} {
|
|
+ tk_messageBox -icon error -type ok -title "Error" -message "No current policy file is opened."
|
|
+ return
|
|
+ }
|
|
+
|
|
+ if {$vals(rule_selection) == "user"} {
|
|
+ Apol_Bounds::_searchUserBounds
|
|
+ return
|
|
+ }
|
|
+ if {$vals(rule_selection) == "role"} {
|
|
+ Apol_Bounds::_searchRoleBounds
|
|
+ return
|
|
+ }
|
|
+
|
|
+ if {$vals(rule_selection) == "type" } {
|
|
+ Apol_Bounds::_searchTypeBounds
|
|
+ return
|
|
+ }
|
|
+}
|
|
+
|
|
+proc Apol_Bounds::_searchUserBounds {} {
|
|
+ variable vals
|
|
+ variable widgets
|
|
+
|
|
+ set results {}
|
|
+ set bounds {}
|
|
+ set counter 0
|
|
+ set printit 0
|
|
+ set parent_regexp 0
|
|
+ set child_regexp 0
|
|
+
|
|
+ if {$vals(user_parent:use) && $vals(user_parent:sym) == {}} {
|
|
+ tk_messageBox -icon error -type ok -title "Error" -message "No parent user selected."
|
|
+ } elseif {$vals(user_parent:use)} {
|
|
+ set parent_regexp 1
|
|
+ }
|
|
+ if {$vals(user_child:use) && $vals(user_child:sym) == {}} {
|
|
+ tk_messageBox -icon error -type ok -title "Error" -message "No child user selected."
|
|
+ } elseif {$vals(user_child:use)} {
|
|
+ set child_regexp 1
|
|
+ }
|
|
+
|
|
+ set q [new_apol_userbounds_query_t]
|
|
+ set v [$q run $::ApolTop::policy]
|
|
+ $q -acquire
|
|
+ $q -delete
|
|
+ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} {
|
|
+ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} {
|
|
+ set q [qpol_userbounds_from_void [$v get_element $i]]
|
|
+ set parent [$q get_parent_name $::ApolTop::qpolicy]
|
|
+ set child [$q get_child_name $::ApolTop::qpolicy]
|
|
+ if {$parent != ""} {
|
|
+ if {$parent_regexp == 1 && $parent == $vals(user_parent:sym)} {
|
|
+ set printit 1
|
|
+ }
|
|
+ if {$child_regexp == 1 && $child == $vals(user_child:sym)} {
|
|
+ set printit 1
|
|
+ }
|
|
+ if {$parent_regexp == 0 && $child_regexp == 0} {
|
|
+ set printit 1
|
|
+ }
|
|
+ if {$printit == 1} {
|
|
+ append bounds "userbounds $parent "
|
|
+ append bounds "$child;\n"
|
|
+ set counter [expr $counter + 1]
|
|
+ }
|
|
+ }
|
|
+ set printit 0
|
|
+ }
|
|
+ }
|
|
+ append results "$counter rules match search criteria.\n\n$bounds\n"
|
|
+ Apol_Widget::appendSearchResultText $widgets(results) $results
|
|
+}
|
|
+
|
|
+proc Apol_Bounds::_searchRoleBounds {} {
|
|
+ variable vals
|
|
+ variable widgets
|
|
+
|
|
+ set results {}
|
|
+ set bounds {}
|
|
+ set counter 0
|
|
+ set printit 0
|
|
+ set parent_regexp 0
|
|
+ set child_regexp 0
|
|
+
|
|
+ if {$vals(role_parent:use) && $vals(role_parent:sym) == {}} {
|
|
+ tk_messageBox -icon error -type ok -title "Error" -message "No parent role selected."
|
|
+ } elseif {$vals(role_parent:use)} {
|
|
+ set parent_regexp 1
|
|
+ }
|
|
+ if {$vals(role_child:use) && $vals(role_child:sym) == {}} {
|
|
+ tk_messageBox -icon error -type ok -title "Error" -message "No child role selected."
|
|
+ } elseif {$vals(role_child:use)} {
|
|
+ set child_regexp 1
|
|
+ }
|
|
+
|
|
+ set q [new_apol_rolebounds_query_t]
|
|
+ set v [$q run $::ApolTop::policy]
|
|
+ $q -acquire
|
|
+ $q -delete
|
|
+ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} {
|
|
+ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} {
|
|
+ set q [qpol_rolebounds_from_void [$v get_element $i]]
|
|
+ set parent [$q get_parent_name $::ApolTop::qpolicy]
|
|
+ set child [$q get_child_name $::ApolTop::qpolicy]
|
|
+ if {$parent != ""} {
|
|
+ if {$parent_regexp == 1 && $parent == $vals(role_parent:sym)} {
|
|
+ set printit 1
|
|
+ }
|
|
+ if {$child_regexp == 1 && $child == $vals(role_child:sym)} {
|
|
+ set printit 1
|
|
+ }
|
|
+ if {$parent_regexp == 0 && $child_regexp == 0} {
|
|
+ set printit 1
|
|
+ }
|
|
+ if {$printit == 1} {
|
|
+ append bounds "rolebounds $parent "
|
|
+ append bounds "$child;\n"
|
|
+ set counter [expr $counter + 1]
|
|
+ }
|
|
+ }
|
|
+ set printit 0
|
|
+ }
|
|
+ }
|
|
+ append results "$counter rules match search criteria.\n\n$bounds\n"
|
|
+ Apol_Widget::appendSearchResultText $widgets(results) $results
|
|
+}
|
|
+
|
|
+proc Apol_Bounds::_searchTypeBounds {} {
|
|
+ variable vals
|
|
+ variable widgets
|
|
+
|
|
+ set results {}
|
|
+ set bounds {}
|
|
+ set counter 0
|
|
+ set printit 0
|
|
+ set parent_regexp 0
|
|
+ set child_regexp 0
|
|
+
|
|
+ if {$vals(type_parent:use) && $vals(type_parent:sym) == {}} {
|
|
+ tk_messageBox -icon error -type ok -title "Error" -message "No parent type selected."
|
|
+ } elseif {$vals(type_parent:use)} {
|
|
+ set parent_regexp 1
|
|
+ }
|
|
+ if {$vals(type_child:use) && $vals(type_child:sym) == {}} {
|
|
+ tk_messageBox -icon error -type ok -title "Error" -message "No child type selected."
|
|
+ } elseif {$vals(type_child:use)} {
|
|
+ set child_regexp 1
|
|
+ }
|
|
+
|
|
+ set q [new_apol_typebounds_query_t]
|
|
+ set v [$q run $::ApolTop::policy]
|
|
+ $q -acquire
|
|
+ $q -delete
|
|
+ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} {
|
|
+ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} {
|
|
+ set q [qpol_typebounds_from_void [$v get_element $i]]
|
|
+ set parent [$q get_parent_name $::ApolTop::qpolicy]
|
|
+ set child [$q get_child_name $::ApolTop::qpolicy]
|
|
+ if {$parent != ""} {
|
|
+ if {$parent_regexp == 1 && $parent == $vals(type_parent:sym)} {
|
|
+ set printit 1
|
|
+ }
|
|
+ if {$child_regexp == 1 && $child == $vals(type_child:sym)} {
|
|
+ set printit 1
|
|
+ }
|
|
+ if {$parent_regexp == 0 && $child_regexp == 0} {
|
|
+ set printit 1
|
|
+ }
|
|
+ if {$printit == 1} {
|
|
+ append bounds "typebounds $parent "
|
|
+ append bounds "$child;\n"
|
|
+ set counter [expr $counter + 1]
|
|
+ }
|
|
+ }
|
|
+ set printit 0
|
|
+ }
|
|
+ }
|
|
+ append results "$counter rules match search criteria.\n\n$bounds\n"
|
|
+ Apol_Widget::appendSearchResultText $widgets(results) $results
|
|
+}
|
|
+
|
|
diff --git a/apol/cond_bools_tab.tcl b/apol/cond_bools_tab.tcl
|
|
index 76356f1..25c8dee 100644
|
|
--- a/apol/cond_bools_tab.tcl
|
|
+++ b/apol/cond_bools_tab.tcl
|
|
@@ -107,7 +107,9 @@ proc Apol_Cond_Bools::open {ppath} {
|
|
foreach bool $cond_bools_list {
|
|
set b [new_qpol_bool_t $::ApolTop::qpolicy $bool]
|
|
set cond_bools_defaults($bool) [$b get_state $::ApolTop::qpolicy]
|
|
- _insert_listbox_item $bool $cond_bools_defaults($bool)
|
|
+ # This is a workaround as frames do not like the "." in CIL booleans
|
|
+ set frame_bool [string map {. *} $bool]
|
|
+ _insert_listbox_item $bool $cond_bools_defaults($bool) $frame_bool
|
|
}
|
|
|
|
variable widgets
|
|
@@ -161,21 +163,21 @@ proc Apol_Cond_Bools::_initializeVars {} {
|
|
}
|
|
}
|
|
|
|
-proc Apol_Cond_Bools::_insert_listbox_item {bool initial_state} {
|
|
+proc Apol_Cond_Bools::_insert_listbox_item {bool initial_state frame_bool} {
|
|
variable widgets
|
|
variable cond_bools_values
|
|
|
|
set cond_bools_values($bool) $initial_state
|
|
set subf [$widgets(listbox) getframe]
|
|
- set rb_true [radiobutton $subf.t:$bool -bg white \
|
|
+ set rb_true [radiobutton $subf.t:$frame_bool -bg white \
|
|
-variable Apol_Cond_Bools::cond_bools_values($bool) \
|
|
-value 1 -highlightthickness 0 -text "True"]
|
|
- set rb_false [radiobutton $subf.f:$bool -bg white \
|
|
+ set rb_false [radiobutton $subf.f:$frame_bool -bg white \
|
|
-variable Apol_Cond_Bools::cond_bools_values($bool) \
|
|
-value 0 -highlightthickness 0 -text "False"]
|
|
trace add variable Apol_Cond_Bools::cond_bools_values($bool) write \
|
|
[list Apol_Cond_Bools::_set_bool_value]
|
|
- set rb_label [label $subf.l:$bool -bg white -text "- $bool"]
|
|
+ set rb_label [label $subf.l:$frame_bool -bg white -text "- $bool"]
|
|
grid $rb_true $rb_false $rb_label -padx 2 -pady 5 -sticky w
|
|
}
|
|
|
|
diff --git a/apol/constraints_tab.tcl b/apol/constraints_tab.tcl
|
|
new file mode 100644
|
|
index 0000000..965e584
|
|
--- /dev/null
|
|
+++ b/apol/constraints_tab.tcl
|
|
@@ -0,0 +1,1589 @@
|
|
+# This tab will allow searching of constrain and validatetrans constraint
|
|
+# rules within the policy. The mls versions are also searched if an
|
|
+# mls policy is loaded.
|
|
+#
|
|
+# This tab has been derived from the terules_tab.
|
|
+#
|
|
+# Author: Richard Haines richard_c_haines@btinternet.com
|
|
+#
|
|
+# Copyright (C) 2001-2007 Tresys Technology, LLC
|
|
+# This program is free software; you can redistribute it and/or modify
|
|
+# it under the terms of the GNU General Public License as published by
|
|
+# the Free Software Foundation; either version 2 of the License, or
|
|
+# (at your option) any later version.
|
|
+#
|
|
+# This program is distributed in the hope that it will be useful,
|
|
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+# GNU General Public License for more details.
|
|
+#
|
|
+# You should have received a copy of the GNU General Public License
|
|
+# along with this program; if not, write to the Free Software
|
|
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
|
+
|
|
+namespace eval Apol_Constraint {
|
|
+ variable vals
|
|
+ variable widgets
|
|
+ variable tabs
|
|
+ variable enabled
|
|
+
|
|
+ variable opts
|
|
+ variable constraint_list {}
|
|
+ variable left_expr_list {}
|
|
+ variable right_expr_list {}
|
|
+ variable mls_enabled {0}
|
|
+ variable match_right_type_names 0
|
|
+ variable statement_count 0
|
|
+}
|
|
+
|
|
+proc Apol_Constraint::create {tab_name nb} {
|
|
+ variable vals
|
|
+ variable widgets
|
|
+
|
|
+ _initializeVars
|
|
+
|
|
+ set frame [$nb insert end $tab_name -text "Constraints"]
|
|
+ set pw [PanedWindow $frame.pw -side left -weights extra]
|
|
+ set topf [$pw add -weight 0]
|
|
+ set bottomf [$pw add -weight 1]
|
|
+ pack $pw -expand 1 -fill both
|
|
+
|
|
+ # Major SubFrames:
|
|
+ # rsbox - constrain selection
|
|
+ # rbox - holds display window widgets
|
|
+ # abox - action buttons
|
|
+ set top_leftf [frame $topf.tl]
|
|
+ set widgets(search_opts) [NoteBook $topf.nb]
|
|
+ set abox [frame $topf.abox]
|
|
+ pack $top_leftf -side left -expand 0 -fill y
|
|
+ pack $widgets(search_opts) -side left -expand 1 -fill both -padx 10
|
|
+ pack $abox -side right -fill y -padx 5
|
|
+ set rsbox [TitleFrame $top_leftf.rsbox -text "Constraint Selection"]
|
|
+ set rbox [TitleFrame $bottomf.rbox -text "Constraint Search Results"]
|
|
+ pack $rsbox -side top -fill both -expand 1
|
|
+ pack $rbox -expand yes -fill both -padx 2
|
|
+
|
|
+ # Constraint selection subframe
|
|
+ set fm_constraints [$rsbox getframe]
|
|
+ set constrain [checkbutton $fm_constraints.constrain -text "constrain" \
|
|
+ -onvalue 1 -offvalue 0 \
|
|
+ -variable Apol_Constraint::vals(rs:constrain_enabled)]
|
|
+ set mlsconstrain [checkbutton $fm_constraints.mlsconstrain -text "mlsconstrain" \
|
|
+ -onvalue 1 -offvalue 0 \
|
|
+ -variable Apol_Constraint::vals(rs:mlsconstrain_enabled)]
|
|
+ set validatetrans [checkbutton $fm_constraints.validatetrans -text "validatetrans" \
|
|
+ -onvalue 1 -offvalue 0 \
|
|
+ -variable Apol_Constraint::vals(rs:validatetrans_enabled)]
|
|
+ set mlsvalidatetrans [checkbutton $fm_constraints.mlsvalidatetrans -text "mlsvalidatetrans" \
|
|
+ -onvalue 1 -offvalue 0 \
|
|
+ -variable Apol_Constraint::vals(rs:mlsvalidatetrans_enabled)]
|
|
+ grid $constrain -sticky w -padx 10
|
|
+ grid $mlsconstrain -sticky w -padx 10
|
|
+ grid $validatetrans -sticky w -padx 10 -pady {30 0}
|
|
+ grid $mlsvalidatetrans -sticky w -padx 10
|
|
+
|
|
+ _createClassesPermsTab
|
|
+ _createLeftExpressionTab
|
|
+ _createRightExpressionTab
|
|
+
|
|
+ # Action buttons
|
|
+ set widgets(new) [button $abox.new -text "New Search" -width 12 \
|
|
+ -command [list Apol_Constraint::_search_constraints new]]
|
|
+ set widgets(update) [button $abox.update -text "Update Search" -width 12 -state disabled \
|
|
+ -command [list Apol_Constraint::_search_constraints update]]
|
|
+ set widgets(reset) [button $abox.reset -text "Reset Criteria" -width 12 \
|
|
+ -command Apol_Constraint::_reset]
|
|
+ pack $widgets(new) $widgets(update) $widgets(reset) \
|
|
+ -side top -pady 5 -padx 5 -anchor ne
|
|
+
|
|
+ $widgets(search_opts) compute_size
|
|
+
|
|
+ # Popup menu widget
|
|
+ set popupTab_Menu [menu .popup_constrain_rules -tearoff 0]
|
|
+ set tab_menu_callbacks \
|
|
+ [list {"Close Tab" Apol_Constraint::_delete_results} \
|
|
+ {"Rename Tab" Apol_Constraint::_display_rename_tab_dialog}]
|
|
+
|
|
+ # Notebook creation for results
|
|
+ set widgets(results) [NoteBook [$rbox getframe].results]
|
|
+ $widgets(results) bindtabs <Button-1> Apol_Constraint::_switch_to_tab
|
|
+ $widgets(results) bindtabs <Button-3> \
|
|
+ [list ApolTop::popup \
|
|
+ %W %x %y $popupTab_Menu $tab_menu_callbacks]
|
|
+ set close [button [$rbox getframe].close -text "Close Tab" \
|
|
+ -command Apol_Constraint::_delete_current_results]
|
|
+ pack $widgets(results) -expand 1 -fill both -padx 4
|
|
+ pack $close -expand 0 -fill x -padx 4 -pady 2
|
|
+
|
|
+ _initializeVars
|
|
+ return $frame
|
|
+}
|
|
+
|
|
+
|
|
+proc Apol_Constraint::open {ppath} {
|
|
+ variable mls_enabled
|
|
+
|
|
+ if {[ApolTop::is_capable "mls"]} {
|
|
+ set mls_enabled 1
|
|
+ } else {
|
|
+ set mls_enabled 0
|
|
+ }
|
|
+
|
|
+ _initializeVars
|
|
+ _initializeWidgets
|
|
+ _initializeTabs
|
|
+
|
|
+ variable vals
|
|
+ variable enabled
|
|
+ set vals(cp:classes) [Apol_Class_Perms::getClasses]
|
|
+ set enabled(cp:classes) 1
|
|
+ set enabled(cp:perms) 1
|
|
+}
|
|
+
|
|
+
|
|
+proc Apol_Constraint::close {} {
|
|
+ _initializeTabs
|
|
+ _initializeWidgets
|
|
+ _initializeVars
|
|
+ set enabled(cp:perms) 1
|
|
+
|
|
+ variable constraint_list {}
|
|
+ variable left_expr_list {}
|
|
+ variable right_expr_list {}
|
|
+}
|
|
+
|
|
+
|
|
+proc Apol_Constraint::getTextWidget {} {
|
|
+ variable widgets
|
|
+ variable tabs
|
|
+
|
|
+ if {[$widgets(results) pages] != {}} {
|
|
+ set raisedPage [$widgets(results) raise]
|
|
+ if {$raisedPage != {}} {
|
|
+ return $tabs($raisedPage).tb
|
|
+ }
|
|
+ }
|
|
+ return {}
|
|
+}
|
|
+
|
|
+
|
|
+proc Apol_Constraint::save_query_options {file_channel query_file} {
|
|
+ variable vals
|
|
+
|
|
+ foreach {key value} [array get vals] {
|
|
+ if {$key != "cp:classes" && $key != "cp:perms"} {
|
|
+ puts $file_channel "$key $value"
|
|
+ }
|
|
+ }
|
|
+}
|
|
+
|
|
+
|
|
+proc Apol_Constraint::load_query_options {file_channel} {
|
|
+ variable vals
|
|
+ variable widgets
|
|
+ variable enabled
|
|
+ _initializeVars
|
|
+
|
|
+ # load as many values as possible
|
|
+ set classes_selected {}
|
|
+ set perms_selected {}
|
|
+ while {[gets $file_channel line] >= 0} {
|
|
+ set line [string trim $line]
|
|
+ # Skip empty lines and comments
|
|
+ if {$line == {} || [string index $line 0] == "#"} {
|
|
+ continue
|
|
+ }
|
|
+ regexp -line -- {^(\S+)( (.+))?} $line -> key --> value
|
|
+ if {$key == "cp:classes_selected"} {
|
|
+ set classes_selected $value
|
|
+ } elseif {$key == "cp:perms_selected"} {
|
|
+ set perms_selected $value
|
|
+ } else {
|
|
+ set vals($key) $value
|
|
+ }
|
|
+ }
|
|
+
|
|
+ # update the display
|
|
+ _initializeWidgets
|
|
+ set vals(cp:classes) [Apol_Class_Perms::getClasses]
|
|
+ set enabled(cp:classes) 1
|
|
+ set enabled(cp:perms) 1
|
|
+ _toggle_perms_toshow -> -> reset
|
|
+
|
|
+ # then verify that selected object classes and permissions exist
|
|
+ # for this policy
|
|
+ set unknowns {}
|
|
+ set vals(cp:classes_selected) {}
|
|
+ foreach class $classes_selected {
|
|
+ if {[set i [lsearch $vals(cp:classes) $class]] >= 0} {
|
|
+ $widgets(cp:classes) selection set $i
|
|
+ lappend vals(cp:classes_selected) $class
|
|
+ } else {
|
|
+ lappend unknowns $class
|
|
+ }
|
|
+ }
|
|
+ if {[llength $unknowns] > 0} {
|
|
+ tk_messageBox -icon warning -type ok -title "Open Apol Query" \
|
|
+ -message "The following object classes do not exist in the currently loaded policy and were ignored:\n\n[join $unknowns ", "]" \
|
|
+ -parent .
|
|
+ }
|
|
+
|
|
+ _toggle_perms_toshow {} {} {}
|
|
+ set unknowns {}
|
|
+ set vals(cp:perms_selected) {}
|
|
+ foreach perm $perms_selected {
|
|
+ if {[set i [lsearch $vals(cp:perms) $perm]] >= 0} {
|
|
+ $widgets(cp:perms) selection set $i
|
|
+ lappend vals(cp:perms_selected) $perm
|
|
+ } else {
|
|
+ lappend unknowns $perm
|
|
+ }
|
|
+ }
|
|
+ if {[llength $unknowns] > 0} {
|
|
+ tk_messageBox -icon warning -type ok -title "Open Apol Query" \
|
|
+ -message "The following permissions do not exist in the currently loaded policy and were ignored:\n\n[join $unknowns ", "]" \
|
|
+ -parent $parentDlg
|
|
+ }
|
|
+}
|
|
+
|
|
+
|
|
+#### private functions below ####
|
|
+
|
|
+proc Apol_Constraint::_initializeVars {} {
|
|
+ variable vals
|
|
+ variable mls_enabled
|
|
+
|
|
+ array set vals [list \
|
|
+ rs:constrain_enabled 1 \
|
|
+ rs:mlsconstrain_enabled $mls_enabled \
|
|
+ rs:validatetrans_enabled 1 \
|
|
+ rs:mlsvalidatetrans_enabled $mls_enabled \
|
|
+
|
|
+ kta:left_expr,left_keyword 1 \
|
|
+ kta:right_expr,right_keyword 0 \
|
|
+ kta:right_expr,types 0 \
|
|
+ kta:right_expr,users 0 \
|
|
+ kta:right_expr,roles 0 \
|
|
+ kta:right_expr,attribs 0 \
|
|
+ ]
|
|
+
|
|
+ array set vals {
|
|
+ kta:use_left_expr 0
|
|
+ kta:left_expr {}
|
|
+
|
|
+ kta:use_right_expr 0
|
|
+ kta:right_expr {}
|
|
+ kta:right_expr_replace_types 0
|
|
+
|
|
+ cp:classes {}
|
|
+ cp:classes_selected {}
|
|
+ cp:perms {}
|
|
+ cp:perms_selected {}
|
|
+ cp:perms_toshow all
|
|
+ cp:perms_matchall 0
|
|
+ }
|
|
+
|
|
+ variable enabled
|
|
+ array set enabled {
|
|
+ kta:use_left_expr 1
|
|
+ kta:use_right_expr 1
|
|
+
|
|
+ cp:classes 0
|
|
+ cp:perms 0
|
|
+ }
|
|
+}
|
|
+
|
|
+
|
|
+proc Apol_Constraint::_initializeTabs {} {
|
|
+ variable widgets
|
|
+ variable tabs
|
|
+
|
|
+ array set tabs {
|
|
+ next_result_id 1
|
|
+ }
|
|
+ foreach p [$widgets(results) pages 0 end] {
|
|
+ _delete_results $p
|
|
+ }
|
|
+}
|
|
+
|
|
+
|
|
+proc Apol_Constraint::_initializeWidgets {} {
|
|
+ variable widgets
|
|
+
|
|
+ $widgets(search_opts) raise left_expr_entry
|
|
+ $widgets(search_opts) raise right_expr_entry
|
|
+
|
|
+ $widgets(cp:classes) selection clear 0 end
|
|
+ $widgets(cp:perms) selection clear 0 end
|
|
+}
|
|
+
|
|
+
|
|
+proc Apol_Constraint::_createLeftExpressionTab {} {
|
|
+ variable vals
|
|
+ variable widgets
|
|
+ variable enabled
|
|
+
|
|
+ set ta_tab [$widgets(search_opts) insert end left_expr_entry -text "Left Side of Expression"]
|
|
+ set fm_left_expr [frame $ta_tab.left_expr]
|
|
+ grid $fm_left_expr -padx 4 -sticky ewns
|
|
+ foreach i {0} {
|
|
+ grid columnconfigure $ta_tab $i -weight 1 -uniform 1
|
|
+ }
|
|
+ grid rowconfigure $ta_tab 0 -weight 1
|
|
+# prefix frame title left_side right_side
|
|
+ _create_expression_box left_expr $fm_left_expr "Keyword" 1 0
|
|
+
|
|
+ $widgets(search_opts) raise left_expr_entry
|
|
+}
|
|
+
|
|
+
|
|
+proc Apol_Constraint::_createRightExpressionTab {} {
|
|
+ variable vals
|
|
+ variable widgets
|
|
+ variable enabled
|
|
+
|
|
+ set ta_tab [$widgets(search_opts) insert end right_expr_entry -text "Right Side of Expression"]
|
|
+ set fm_right_expr [frame $ta_tab.right_expr]
|
|
+ grid $fm_right_expr -padx 4 -sticky ewns
|
|
+ foreach i {0} {
|
|
+ grid columnconfigure $ta_tab $i -weight 1 -uniform 1
|
|
+ }
|
|
+ grid rowconfigure $ta_tab 0 -weight 1
|
|
+# prefix frame title left_side right_side
|
|
+ _create_expression_box right_expr $fm_right_expr "Select either a keyword, user, role, type or type attribute" 0 1
|
|
+
|
|
+ $widgets(search_opts) raise right_expr_entry
|
|
+}
|
|
+
|
|
+
|
|
+proc Apol_Constraint::_create_expression_box {prefix f title left_expr right_expr} {
|
|
+ variable vals
|
|
+ variable widgets
|
|
+
|
|
+ set widgets(kta:use_${prefix}) [checkbutton $f.use -text $title \
|
|
+ -variable Apol_Constraint::vals(kta:use_${prefix})]
|
|
+ pack $widgets(kta:use_${prefix}) -side top -anchor w
|
|
+ trace add variable Apol_Constraint::vals(kta:use_${prefix}) write \
|
|
+ [list Apol_Constraint::_toggle_expression_box $prefix]
|
|
+
|
|
+ set w {}
|
|
+
|
|
+ if {$right_expr} {
|
|
+ set helptext "Select a keyword, user, role, type or type attribute for the right hand side of the constraint expression e.g.: \
|
|
+\n (left right) \
|
|
+\n (t1 == mlstrustedobject) \
|
|
+\n (r1 dom r2) \
|
|
+\n (r1 != system_r)\n \
|
|
+\nIf a type or attribute is selected the \"Only direct matches\" box can be used to determine searching as follows:\n \
|
|
+\n - If selected the type or type attribute identifier will be used for the match.\n \
|
|
+\n - If unselected and a type is selected: \
|
|
+\n The type identifier will be used for matching, also any type attributes found within the constraints expression will \
|
|
+\n be expanded and its list of types searched for a match.\n \
|
|
+\n - If unselected and an attribute is selected: \
|
|
+\n The type attribute identifier will be used for matching, also any types found within the constraints expression will \
|
|
+\n have its associated type attributes searched for a match.\n"
|
|
+ } else {
|
|
+ set helptext "Select a keyword for the left hand side of the constraint expression e.g.: \
|
|
+\n (left right)\n (r1 == r2)"
|
|
+ }
|
|
+
|
|
+ set widgets(kta:${prefix}) [ComboBox $f.sym \
|
|
+ -state disabled -entrybg $ApolTop::default_bg_color \
|
|
+ -textvariable Apol_Constraint::vals(kta:${prefix}) \
|
|
+ -helptext $helptext -autopost 1]
|
|
+ pack $widgets(kta:${prefix}) -expand 0 -fill x -padx 8
|
|
+ lappend w $widgets(kta:${prefix})
|
|
+
|
|
+ if {$left_expr} {
|
|
+ set ta_frame [frame $f.ta]
|
|
+ pack $ta_frame -expand 0 -anchor center -pady 2
|
|
+ trace add variable Apol_Constraint::vals(kta:${prefix},left_keyword) write \
|
|
+ [list Apol_Constraint::_toggle_left_side $prefix]
|
|
+ pack $widgets(kta:${prefix}) -expand 0 -fill x -padx 8
|
|
+ lappend w $widgets(kta:${prefix})
|
|
+
|
|
+ }
|
|
+
|
|
+ if {$right_expr} {
|
|
+ set ta_frame [frame $f.ta]
|
|
+ pack $ta_frame -expand 0 -anchor w -pady 2
|
|
+ set right_keyword [checkbutton $ta_frame.right_keyword -text "Keyword" -state disabled \
|
|
+ -onvalue 1 -offvalue 0 \
|
|
+ -variable Apol_Constraint::vals(kta:${prefix},right_keyword)]
|
|
+
|
|
+ set users [checkbutton $ta_frame.users -text "Users" -state disabled \
|
|
+ -onvalue 1 -offvalue 0 \
|
|
+ -variable Apol_Constraint::vals(kta:${prefix},users)]
|
|
+
|
|
+ set roles [checkbutton $ta_frame.roles -text "Roles" -state disabled \
|
|
+ -onvalue 1 -offvalue 0 \
|
|
+ -variable Apol_Constraint::vals(kta:${prefix},roles)]
|
|
+
|
|
+ set types [checkbutton $ta_frame.types -text "Types" -state disabled \
|
|
+ -onvalue 1 -offvalue 0 \
|
|
+ -variable Apol_Constraint::vals(kta:${prefix},types)]
|
|
+ set attribs [checkbutton $ta_frame.attribs -text "Attributes" -state disabled \
|
|
+ -onvalue 1 -offvalue 0 \
|
|
+ -variable Apol_Constraint::vals(kta:${prefix},attribs)]
|
|
+
|
|
+ $right_keyword configure -command [list Apol_Constraint::_toggle_kta_pushed $prefix $right_keyword]
|
|
+ $users configure -command [list Apol_Constraint::_toggle_kta_pushed $prefix $users]
|
|
+ $roles configure -command [list Apol_Constraint::_toggle_kta_pushed $prefix $roles]
|
|
+ $types configure -command [list Apol_Constraint::_toggle_kta_pushed $prefix $types]
|
|
+ $attribs configure -command [list Apol_Constraint::_toggle_kta_pushed $prefix $attribs]
|
|
+
|
|
+ trace add variable Apol_Constraint::vals(kta:${prefix},right_keyword) write \
|
|
+ [list Apol_Constraint::_toggle_right_side $prefix]
|
|
+ trace add variable Apol_Constraint::vals(kta:${prefix},users) write \
|
|
+ [list Apol_Constraint::_toggle_right_side $prefix]
|
|
+ trace add variable Apol_Constraint::vals(kta:${prefix},roles) write \
|
|
+ [list Apol_Constraint::_toggle_right_side $prefix]
|
|
+ trace add variable Apol_Constraint::vals(kta:${prefix},types) write \
|
|
+ [list Apol_Constraint::_toggle_right_side $prefix]
|
|
+ trace add variable Apol_Constraint::vals(kta:${prefix},attribs) write \
|
|
+ [list Apol_Constraint::_toggle_right_side $prefix]
|
|
+
|
|
+ pack $right_keyword $users $roles $types $attribs -side left -anchor w -padx 2
|
|
+ lappend w $right_keyword $users $roles $types $attribs
|
|
+ }
|
|
+
|
|
+ set widgets(kta:${prefix}_widgets) $w
|
|
+ trace add variable Apol_Constraint::enabled(kta:use_${prefix}) write \
|
|
+ [list Apol_Constraint::_toggle_left_right_box $prefix]
|
|
+}
|
|
+
|
|
+
|
|
+# called when there is a change in state to the top checkbutton within
|
|
+# an expression box
|
|
+proc Apol_Constraint::_toggle_expression_box {col name1 name2 op} {
|
|
+ variable enabled
|
|
+
|
|
+ # force a refresh of this box's state; this invokes
|
|
+ # _toggle_left_right_box callback
|
|
+ set enabled(kta:use_${col}) $enabled(kta:use_${col})
|
|
+}
|
|
+
|
|
+
|
|
+# disallow keyword, types and attribs to be selected within a kta box
|
|
+proc Apol_Constraint::_toggle_kta_pushed {col cb} {
|
|
+ variable vals
|
|
+
|
|
+ if {($vals(kta:${col},right_keyword) && $vals(kta:${col},attribs)) || \
|
|
+ ($vals(kta:${col},right_keyword) && $vals(kta:${col},users)) || \
|
|
+ ($vals(kta:${col},right_keyword) && $vals(kta:${col},roles)) || \
|
|
+ ($vals(kta:${col},right_keyword) && $vals(kta:${col},types)) || \
|
|
+ ($vals(kta:${col},attribs) && $vals(kta:${col},users)) || \
|
|
+ ($vals(kta:${col},attribs) && $vals(kta:${col},roles)) || \
|
|
+ ($vals(kta:${col},attribs) && $vals(kta:${col},types)) || \
|
|
+ ($vals(kta:${col},users) && $vals(kta:${col},roles)) || \
|
|
+ ($vals(kta:${col},users) && $vals(kta:${col},types)) || \
|
|
+ ($vals(kta:${col},roles) && $vals(kta:${col},types)) } {
|
|
+ tk_messageBox -icon error -type ok -title "Constraint Search" -message "Select either a keyword, user, role, type or type attribute."
|
|
+ $cb deselect
|
|
+ return
|
|
+ }
|
|
+}
|
|
+
|
|
+
|
|
+# called whenever the left or right box is enabled or disabled
|
|
+proc Apol_Constraint::_toggle_left_right_box {col name1 name2 op} {
|
|
+ variable vals
|
|
+ variable widgets
|
|
+ variable enabled
|
|
+
|
|
+ if {$enabled(kta:use_${col})} {
|
|
+ $widgets(kta:use_${col}) configure -state normal
|
|
+ } else {
|
|
+ $widgets(kta:use_${col}) configure -state disabled
|
|
+ }
|
|
+ if {$enabled(kta:use_${col}) && $vals(kta:use_${col})} {
|
|
+ foreach w $widgets(kta:${col}_widgets) {
|
|
+ $w configure -state normal
|
|
+ }
|
|
+ $widgets(kta:${col}) configure -entrybg white
|
|
+ } else {
|
|
+ foreach w $widgets(kta:${col}_widgets) {
|
|
+ $w configure -state disabled
|
|
+ }
|
|
+ $widgets(kta:${col}) configure -entrybg $ApolTop::default_bg_color
|
|
+ }
|
|
+
|
|
+ # update this tab's name if one of the columns is enabled and used
|
|
+ if {($enabled(kta:use_left_expr) && $vals(kta:use_left_expr))} {
|
|
+ $widgets(search_opts) itemconfigure left_expr_entry -text "Left Side of Expression *"
|
|
+ } else {
|
|
+ $widgets(search_opts) itemconfigure left_expr_entry -text "Left Side of Expression"
|
|
+ }
|
|
+
|
|
+ if {($enabled(kta:use_right_expr) && $vals(kta:use_right_expr))} {
|
|
+ $widgets(search_opts) itemconfigure right_expr_entry -text "Right Side of Expression *"
|
|
+ } else {
|
|
+ $widgets(search_opts) itemconfigure right_expr_entry -text "Right Side of Expression"
|
|
+ }
|
|
+}
|
|
+
|
|
+
|
|
+proc Apol_Constraint::_toggle_left_side {col name1 name2 op} {
|
|
+ variable vals
|
|
+ variable widgets
|
|
+
|
|
+ set items {}
|
|
+
|
|
+ if {$vals(kta:${col},left_keyword)} {
|
|
+ append items [Apol_Constraint::getLeftKeyword]
|
|
+ }
|
|
+ $widgets(kta:${col}) configure -values $items
|
|
+}
|
|
+
|
|
+
|
|
+proc Apol_Constraint::_toggle_right_side {col name1 name2 op} {
|
|
+ variable vals
|
|
+ variable widgets
|
|
+
|
|
+ set items {}
|
|
+
|
|
+ if {$vals(kta:${col},right_keyword)} {
|
|
+ append items [Apol_Constraint::getRightKeyword]
|
|
+ }
|
|
+ if {$vals(kta:${col},users)} {
|
|
+ append items [Apol_Users::getUsers]
|
|
+ }
|
|
+ if {$vals(kta:${col},roles)} {
|
|
+ append items [Apol_Roles::getRoles]
|
|
+ }
|
|
+ if {$vals(kta:${col},types)} {
|
|
+ append items [Apol_Types::getTypes]
|
|
+ }
|
|
+ if {$vals(kta:${col},attribs)} {
|
|
+ append items [Apol_Types::getAttributes]
|
|
+ }
|
|
+
|
|
+ $widgets(kta:${col}) configure -values $items
|
|
+}
|
|
+
|
|
+
|
|
+# Returns a list of left keywords
|
|
+proc Apol_Constraint::getLeftKeyword {} {
|
|
+ variable vals
|
|
+ variable left_expr_list
|
|
+ set left_expr_list {}
|
|
+
|
|
+ if {[ApolTop::is_policy_open]} {
|
|
+ if { $vals(rs:constrain_enabled) == 1 || $vals(rs:mlsconstrain_enabled) == 1 } {
|
|
+ append left_expr_list [Apol_Constraint::_getKeywords "l" new_apol_constraint_query_t]
|
|
+ }
|
|
+ if { $vals(rs:validatetrans_enabled) == 1 || $vals(rs:mlsvalidatetrans_enabled) == 1 } {
|
|
+ append left_expr_list [Apol_Constraint::_getKeywords "l" new_apol_validatetrans_query_t]
|
|
+ }
|
|
+ lsort -unique $left_expr_list
|
|
+ } else {
|
|
+ set left_expr_list ""
|
|
+ }
|
|
+}
|
|
+
|
|
+
|
|
+# Returns a list of right keywords
|
|
+proc Apol_Constraint::getRightKeyword {} {
|
|
+ variable vals
|
|
+ variable right_expr_list
|
|
+ set right_expr_list {}
|
|
+
|
|
+ if {[ApolTop::is_policy_open]} {
|
|
+ if { $vals(rs:constrain_enabled) == 1 || $vals(rs:mlsconstrain_enabled) == 1 } {
|
|
+ append right_expr_list [Apol_Constraint::_getKeywords "r" new_apol_constraint_query_t]
|
|
+ }
|
|
+ if { $vals(rs:validatetrans_enabled) == 1 || $vals(rs:mlsvalidatetrans_enabled) == 1 } {
|
|
+ append right_expr_list [Apol_Constraint::_getKeywords "r" new_apol_validatetrans_query_t]
|
|
+ }
|
|
+ lsort -unique $right_expr_list
|
|
+ } else {
|
|
+ set right_expr_list ""
|
|
+ }
|
|
+}
|
|
+
|
|
+
|
|
+
|
|
+# code to create and handle the classe/permissions subtab
|
|
+proc Apol_Constraint::_createClassesPermsTab {} {
|
|
+ variable vals
|
|
+ variable widgets
|
|
+ variable enabled
|
|
+
|
|
+ set objects_tab [$widgets(search_opts) insert end classperms -text "Classes/Permissions"]
|
|
+ set fm_objs [TitleFrame $objects_tab.objs -text "Object Classes"]
|
|
+ set fm_perms [TitleFrame $objects_tab.perms -text "Permissions"]
|
|
+ pack $fm_objs -side left -expand 0 -fill both -padx 2 -pady 2
|
|
+ pack $fm_perms -side left -expand 1 -fill both -padx 2 -pady 2
|
|
+
|
|
+ # object classes subframe
|
|
+ set sw [ScrolledWindow [$fm_objs getframe].sw -auto both]
|
|
+ set widgets(cp:classes) [listbox [$sw getframe].lb -height 5 -width 24 \
|
|
+ -highlightthickness 0 -selectmode multiple \
|
|
+ -exportselection 0 -state disabled \
|
|
+ -bg $ApolTop::default_bg_color \
|
|
+ -listvar Apol_Constraint::vals(cp:classes)]
|
|
+ $sw setwidget $widgets(cp:classes)
|
|
+ update
|
|
+ grid propagate $sw 0
|
|
+ bind $widgets(cp:classes) <<ListboxSelect>> \
|
|
+ [list Apol_Constraint::_toggle_cp_select classes]
|
|
+ pack $sw -expand 1 -fill both
|
|
+ set clear [button [$fm_objs getframe].b -text "Clear" -width 6 -state disabled \
|
|
+ -command [list Apol_Constraint::_clear_cp_listbox $widgets(cp:classes) classes]]
|
|
+ pack $clear -expand 0 -pady 2
|
|
+ set widgets(cp:classes_widgets) [list $widgets(cp:classes) $clear]
|
|
+
|
|
+ # permissions subframe
|
|
+ set f [$fm_perms getframe]
|
|
+ set sw [ScrolledWindow $f.sw -auto both]
|
|
+ set widgets(cp:perms) [listbox [$sw getframe].lb -height 5 -width 24 \
|
|
+ -highlightthickness 0 -selectmode multiple \
|
|
+ -exportselection 0 -bg white \
|
|
+ -listvar Apol_Constraint::vals(cp:perms)]
|
|
+ $sw setwidget $widgets(cp:perms)
|
|
+ update
|
|
+ grid propagate $sw 0
|
|
+ bind $widgets(cp:perms) <<ListboxSelect>> \
|
|
+ [list Apol_Constraint::_toggle_cp_select perms]
|
|
+ set clear [button $f.clear -text "Clear" \
|
|
+ -command [list Apol_Constraint::_clear_cp_listbox $widgets(cp:perms) perms]]
|
|
+ set reverse [button $f.reverse -text "Reverse" \
|
|
+ -command [list Apol_Constraint::_reverse_cp_listbox $widgets(cp:perms)]]
|
|
+ set perm_opts_f [frame $f.perms]
|
|
+ set perm_rb_f [frame $perm_opts_f.rb]
|
|
+ set l [label $perm_rb_f.l -text "Permissions to show:" -state disabled]
|
|
+ set all [radiobutton $perm_rb_f.all -text "All" \
|
|
+ -variable Apol_Constraint::vals(cp:perms_toshow) -value all]
|
|
+ set union [radiobutton $perm_rb_f.union -text "All for selected classes" \
|
|
+ -variable Apol_Constraint::vals(cp:perms_toshow) -value union]
|
|
+ set intersect [radiobutton $perm_rb_f.inter -text "Common to selected classes" \
|
|
+ -variable Apol_Constraint::vals(cp:perms_toshow) -value intersect]
|
|
+ trace add variable Apol_Constraint::vals(cp:perms_toshow) write \
|
|
+ Apol_Constraint::_toggle_perms_toshow
|
|
+ pack $l $all $union $intersect -anchor w
|
|
+ set all_perms [checkbutton $perm_opts_f.all -text "Constraint must have all selected permissions" \
|
|
+ -variable Apol_Constraint::vals(cp:perms_matchall)]
|
|
+ pack $perm_rb_f $all_perms -anchor w -pady 4 -padx 4
|
|
+ grid $sw - $perm_opts_f -sticky nsw
|
|
+ grid $clear $reverse ^ -pady 2 -sticky ew
|
|
+ grid columnconfigure $f 0 -weight 0 -uniform 1 -pad 2
|
|
+ grid columnconfigure $f 1 -weight 0 -uniform 1 -pad 2
|
|
+ grid columnconfigure $f 2 -weight 1
|
|
+ grid rowconfigure $f 0 -weight 1
|
|
+ set widgets(cp:perms_widgets) \
|
|
+ [list $widgets(cp:perms) $clear $reverse $l $all $union $intersect $all_perms]
|
|
+
|
|
+ trace add variable Apol_Constraint::vals(cp:classes_selected) write \
|
|
+ [list Apol_Constraint::_update_cp_tabname]
|
|
+ trace add variable Apol_Constraint::vals(cp:perms_selected) write \
|
|
+ [list Apol_Constraint::_update_cp_tabname]
|
|
+ trace add variable Apol_Constraint::enabled(cp:classes) write \
|
|
+ [list Apol_Constraint::_toggle_enable_cp classes]
|
|
+ trace add variable Apol_Constraint::enabled(cp:perms) write \
|
|
+ [list Apol_Constraint::_toggle_enable_cp perms]
|
|
+}
|
|
+
|
|
+
|
|
+proc Apol_Constraint::_toggle_enable_cp {prefix name1 name2 op} {
|
|
+ variable vals
|
|
+ variable widgets
|
|
+ variable enabled
|
|
+
|
|
+ if {$enabled(cp:${prefix})} {
|
|
+ foreach w $widgets(cp:${prefix}_widgets) {
|
|
+ $w configure -state normal
|
|
+ }
|
|
+ $widgets(cp:${prefix}) configure -bg white
|
|
+ } else {
|
|
+ foreach w $widgets(cp:${prefix}_widgets) {
|
|
+ $w configure -state disabled
|
|
+ }
|
|
+ $widgets(cp:${prefix}) configure -bg $ApolTop::default_bg_color
|
|
+ }
|
|
+ # force a refresh of this tab's name
|
|
+ set vals(cp:${prefix}_selected) $vals(cp:${prefix}_selected)
|
|
+}
|
|
+
|
|
+
|
|
+proc Apol_Constraint::_toggle_perms_toshow {name1 name2 op} {
|
|
+ variable vals
|
|
+ variable widgets
|
|
+
|
|
+ if {$vals(cp:perms_toshow) == "all"} {
|
|
+ # don't change the list of permissions if there was a new
|
|
+ # object class selection and the current radiobutton is all
|
|
+ if {$op != "update"} {
|
|
+ set vals(cp:perms) $Apol_Class_Perms::perms_list
|
|
+ set vals(cp:perms_selected) {}
|
|
+ }
|
|
+ } elseif {$vals(cp:perms_toshow) == "union"} {
|
|
+ set vals(cp:perms) {}
|
|
+ set vals(cp:perms_selected) {}
|
|
+ foreach class $vals(cp:classes_selected) {
|
|
+ set vals(cp:perms) [lsort -unique -dictionary [concat $vals(cp:perms) [Apol_Class_Perms::getPermsForClass $class]]]
|
|
+ }
|
|
+ } else { ;# intersection
|
|
+ set vals(cp:perms) {}
|
|
+ set vals(cp:perms_selected) {}
|
|
+ set classes {}
|
|
+ foreach i [$widgets(cp:classes) curselection] {
|
|
+ lappend classes [$widgets(cp:classes) get $i]
|
|
+ }
|
|
+ if {$classes == {}} {
|
|
+ return
|
|
+ }
|
|
+ set vals(cp:perms) [Apol_Class_Perms::getPermsForClass [lindex $classes 0]]
|
|
+ foreach class [lrange $classes 1 end] {
|
|
+ set this_perms [Apol_Class_Perms::getPermsForClass $class]
|
|
+ set new_perms {}
|
|
+ foreach p $vals(cp:perms) {
|
|
+ if {[lsearch -exact $this_perms $p] >= 0} {
|
|
+ lappend new_perms $p
|
|
+ }
|
|
+ }
|
|
+ set vals(cp:perms) $new_perms
|
|
+ }
|
|
+ }
|
|
+}
|
|
+
|
|
+
|
|
+# called whenever an item with a class/perm listbox is
|
|
+# selected/deselected
|
|
+proc Apol_Constraint::_toggle_cp_select {col} {
|
|
+ variable vals
|
|
+ variable widgets
|
|
+
|
|
+ set items {}
|
|
+ foreach i [$widgets(cp:${col}) curselection] {
|
|
+ lappend items [$widgets(cp:${col}) get $i]
|
|
+ }
|
|
+ set vals(cp:${col}_selected) $items
|
|
+ if {$col == "classes"} {
|
|
+ _toggle_perms_toshow {} {} update
|
|
+ }
|
|
+}
|
|
+
|
|
+
|
|
+proc Apol_Constraint::_clear_cp_listbox {lb prefix} {
|
|
+ variable vals
|
|
+
|
|
+ $lb selection clear 0 end
|
|
+ set vals(cp:${prefix}_selected) {}
|
|
+ if {$prefix == "classes"} {
|
|
+ _toggle_perms_toshow {} {} update
|
|
+ }
|
|
+}
|
|
+
|
|
+
|
|
+proc Apol_Constraint::_reverse_cp_listbox {lb} {
|
|
+ variable vals
|
|
+
|
|
+ set old_selection [$lb curselection]
|
|
+ set items {}
|
|
+ for {set i 0} {$i < [$lb index end]} {incr i} {
|
|
+ if {[lsearch $old_selection $i] >= 0} {
|
|
+ $lb selection clear $i
|
|
+ } else {
|
|
+ $lb selection set $i
|
|
+ lappend items [$lb get $i]
|
|
+ }
|
|
+ }
|
|
+ set vals(cp:perms_selected) $items
|
|
+}
|
|
+
|
|
+
|
|
+proc Apol_Constraint::_update_cp_tabname {name1 name2 op} {
|
|
+ variable vals
|
|
+ variable widgets
|
|
+ variable enabled
|
|
+
|
|
+ if {($enabled(cp:classes) && $vals(cp:classes_selected) > 0) || \
|
|
+ ($enabled(cp:perms) && $vals(cp:perms_selected) > 0)} {
|
|
+ $widgets(search_opts) itemconfigure classperms -text "Classes/Permissions *"
|
|
+ } else {
|
|
+ $widgets(search_opts) itemconfigure classperms -text "Classes/Permissions"
|
|
+ }
|
|
+}
|
|
+
|
|
+
|
|
+proc Apol_Constraint::_delete_results {pageID} {
|
|
+ variable widgets
|
|
+ variable tabs
|
|
+
|
|
+ # Remove tab and its widgets
|
|
+ set curpos [$widgets(results) index $pageID]
|
|
+ $widgets(results) delete $pageID
|
|
+ array unset tabs $pageID:*
|
|
+ array unset tabs $pageID
|
|
+
|
|
+ # try to raise the next tab
|
|
+ if {[set next_id [$widgets(results) pages $curpos]] != {}} {
|
|
+ _switch_to_tab $next_id
|
|
+ } elseif {$curpos > 0} {
|
|
+ # raise the previous page instead
|
|
+ _switch_to_tab [$widgets(results) pages [expr {$curpos - 1}]]
|
|
+ } else {
|
|
+ # no tabs remaining
|
|
+ $widgets(update) configure -state disabled
|
|
+ }
|
|
+}
|
|
+
|
|
+
|
|
+proc Apol_Constraint::_display_rename_tab_dialog {pageID} {
|
|
+ variable widgets
|
|
+ variable tabs
|
|
+
|
|
+ set d [Dialog .apol_te_tab_rename -homogeneous 1 -spacing 2 -cancel 1 \
|
|
+ -default 0 -modal local -parent . -place center -separator 1 \
|
|
+ -side bottom -title "Rename Results Tab"]
|
|
+ $d add -text "OK" -command [list $d enddialog "ok"]
|
|
+ $d add -text "Cancel" -command [list $d enddialog "cancel"]
|
|
+ set f [$d getframe]
|
|
+ set l [label $f.l -text "Tab name:"]
|
|
+ set tabs(tab:new_name) [$widgets(results) itemcget $pageID -text]
|
|
+ set e [entry $f.e -textvariable Apol_Constraint::tabs(tab:new_name) -width 16 -bg white]
|
|
+ pack $l $e -side left -padx 2
|
|
+ set retval [$d draw]
|
|
+ destroy $d
|
|
+ if {$retval == "ok"} {
|
|
+ $widgets(results) itemconfigure $pageID -text $tabs(tab:new_name)
|
|
+ }
|
|
+}
|
|
+
|
|
+
|
|
+proc Apol_Constraint::_delete_current_results {} {
|
|
+ variable widgets
|
|
+
|
|
+ if {[set curid [$widgets(results) raise]] != {}} {
|
|
+ _delete_results $curid
|
|
+ }
|
|
+}
|
|
+
|
|
+
|
|
+proc Apol_Constraint::_create_new_results_tab {} {
|
|
+ variable vals
|
|
+ variable widgets
|
|
+ variable tabs
|
|
+
|
|
+ set i $tabs(next_result_id)
|
|
+ incr tabs(next_result_id)
|
|
+ set id "results$i"
|
|
+ set frame [$widgets(results) insert end "$id" -text "Results $i"]
|
|
+ $widgets(results) raise $id
|
|
+ set tabs($id) [Apol_Widget::makeSearchResults $frame.results]
|
|
+ pack $tabs($id) -expand 1 -fill both
|
|
+
|
|
+ set tabs($id:vals) [array get vals]
|
|
+ return $tabs($id)
|
|
+}
|
|
+
|
|
+
|
|
+proc Apol_Constraint::_switch_to_tab {pageID} {
|
|
+ variable vals
|
|
+ variable widgets
|
|
+ variable tabs
|
|
+
|
|
+ # check if switching to already visible tab
|
|
+ if {[$Apol_Constraint::widgets(results) raise] == $pageID} {
|
|
+ return
|
|
+ }
|
|
+ $widgets(results) raise $pageID
|
|
+ set cur_search_opts [$widgets(search_opts) raise]
|
|
+
|
|
+ # restore the tab's search criteria
|
|
+ array set tmp_vals $tabs($pageID:vals)
|
|
+ set classes_selected $tmp_vals(cp:classes_selected)
|
|
+ set perms_selected $tmp_vals(cp:perms_selected)
|
|
+ array set vals $tabs($pageID:vals)
|
|
+ _initializeWidgets
|
|
+ set vals(cp:classes_selected) $classes_selected
|
|
+ set vals(cp:perms_selected) $perms_selected
|
|
+ foreach c $classes_selected {
|
|
+ $widgets(cp:classes) selection set [lsearch $vals(cp:classes) $c]
|
|
+ }
|
|
+ foreach p $perms_selected {
|
|
+ $widgets(cp:perms) selection set [lsearch $vals(cp:perms) $p]
|
|
+ }
|
|
+ $widgets(search_opts) raise $cur_search_opts
|
|
+}
|
|
+
|
|
+
|
|
+proc Apol_Constraint::_reset {} {
|
|
+ variable enabled
|
|
+
|
|
+ set old_classes_enabled $enabled(cp:classes)
|
|
+ _initializeVars
|
|
+ _initializeWidgets
|
|
+ if {[set enabled(cp:classes) $old_classes_enabled]} {
|
|
+ variable vals
|
|
+ set vals(cp:classes) [Apol_Class_Perms::getClasses]
|
|
+ set enabled(cp:classes) 1
|
|
+ set enabled(cp:perms) 1
|
|
+ }
|
|
+}
|
|
+
|
|
+# This is the main constraint search option
|
|
+proc Apol_Constraint::_search_constraints {whichButton} {
|
|
+ variable vals
|
|
+ variable widgets
|
|
+ variable enabled
|
|
+ variable tabs
|
|
+ variable statement_count
|
|
+
|
|
+ if {![ApolTop::is_policy_open]} {
|
|
+ tk_messageBox -icon error -type ok -title "Constraint Search" \
|
|
+ -message "No current policy file is opened."
|
|
+ return
|
|
+ }
|
|
+
|
|
+ if { $vals(rs:constrain_enabled) == 0 && \
|
|
+ $vals(rs:mlsconstrain_enabled) == 0 && \
|
|
+ $vals(rs:validatetrans_enabled) == 0 && \
|
|
+ $vals(rs:mlsvalidatetrans_enabled) == 0 } {
|
|
+ tk_messageBox -icon error -type ok -title "Constraint Search" \
|
|
+ -message "At least one constraint must be selected."
|
|
+ return
|
|
+ }
|
|
+
|
|
+ if {$whichButton == "new"} {
|
|
+ set sr [_create_new_results_tab]
|
|
+ } else {
|
|
+ set id [$widgets(results) raise]
|
|
+ set tabs($id:vals) [array get vals]
|
|
+ set sr $tabs($id)
|
|
+ Apol_Widget::clearSearchResults $sr
|
|
+ }
|
|
+
|
|
+ if {$enabled(kta:use_left_expr) && $vals(kta:use_left_expr) && $vals(kta:left_expr) == {}} {
|
|
+ tk_messageBox -icon error -type ok -title "Constraint Search" -message "No left keyword has been selected."
|
|
+ return
|
|
+ }
|
|
+ if {$enabled(kta:use_right_expr) && $vals(kta:use_right_expr) && $vals(kta:right_expr) == {}} {
|
|
+ tk_messageBox -icon error -type ok -title "Constraint Search" -message "No right keyword, type or attribute has been selected."
|
|
+ return
|
|
+ }
|
|
+
|
|
+ set results {}
|
|
+ set header {}
|
|
+
|
|
+ # Check if the statements are enabled for mls/constrain and then get info
|
|
+ if { $vals(rs:constrain_enabled) == 1 } {
|
|
+ append results [Apol_Constraint::_searchForMatch "constrain" "constrain" new_apol_constraint_query_t]
|
|
+ append header "$statement_count constrain rules match the search criteria.\n"
|
|
+ }
|
|
+ if { $vals(rs:mlsconstrain_enabled) == 1 } {
|
|
+ append results [Apol_Constraint::_searchForMatch "mlsconstrain" "constrain" new_apol_constraint_query_t]
|
|
+ append header "$statement_count mlsconstrain rules match the search criteria.\n"
|
|
+ }
|
|
+
|
|
+ # Check if the statements are enabled for mls/validatetrans and then get info
|
|
+ if { $vals(rs:validatetrans_enabled) == 1 } {
|
|
+ append results [Apol_Constraint::_searchForMatch "validatetrans" "validatetrans" new_apol_validatetrans_query_t]
|
|
+ append header "$statement_count validatetrans rules match the search criteria.\n"
|
|
+ }
|
|
+ if { $vals(rs:mlsvalidatetrans_enabled) == 1 } {
|
|
+ append results [Apol_Constraint::_searchForMatch "mlsvalidatetrans" "validatetrans" new_apol_validatetrans_query_t]
|
|
+ append header "$statement_count mlsvalidatetrans match the search criteria.\n"
|
|
+ }
|
|
+
|
|
+ foreach x {new update reset} {
|
|
+ $widgets($x) configure -state disabled
|
|
+ }
|
|
+
|
|
+ Apol_Progress_Dialog::wait "Constraint Rules" "Searching rules" {
|
|
+ Apol_Widget::appendSearchResultText $sr "$header\n"
|
|
+ Apol_Widget::appendSearchResultText $sr $results
|
|
+ }
|
|
+
|
|
+ $widgets(new) configure -state normal
|
|
+ $widgets(reset) configure -state normal
|
|
+ if {[$widgets(results) pages] != {} || $retval == 0} {
|
|
+ $widgets(update) configure -state normal
|
|
+ }
|
|
+ return
|
|
+}
|
|
+
|
|
+
|
|
+# Start here to process constraints
|
|
+proc Apol_Constraint::_searchForMatch {statement family command} {
|
|
+ variable vals
|
|
+ variable widgets
|
|
+ variable enabled
|
|
+ variable match_right_type_names
|
|
+ variable statement_count
|
|
+
|
|
+ set statement_count 0
|
|
+ set entries {}
|
|
+
|
|
+ set q [$command]
|
|
+ # This reads in the constraint info
|
|
+ set v [$q run $::ApolTop::policy]
|
|
+ $q -acquire
|
|
+ $q -delete
|
|
+
|
|
+ # This loop will process each constraint in the policy
|
|
+ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} {
|
|
+ set constrain_type {}
|
|
+ set perm_list {}
|
|
+ set class_list {}
|
|
+ set expr_type {}
|
|
+ set op {}
|
|
+ set sym_type {}
|
|
+
|
|
+ # These are used to check if the search criteria has been met when
|
|
+ # the left or right expression info has been set.
|
|
+ set match_left_keyword_names 0
|
|
+ set match_left_keyword_attr 0
|
|
+ set match_right_keyword_attr 0
|
|
+ set match_right_type_names 0
|
|
+
|
|
+ set q [qpol_constraint_from_void [$v get_element $i]]
|
|
+
|
|
+ # Find if this is an mls rule or not
|
|
+ set x [$q get_expr_iter $::ApolTop::qpolicy]
|
|
+ while {![$x end]} {
|
|
+ foreach t [iter_to_list $x] {
|
|
+ set t [qpol_constraint_expr_node_from_void $t]
|
|
+ # Get Symbol type and save it
|
|
+ set sym_type [$t get_sym_type $::ApolTop::qpolicy]
|
|
+ if { $sym_type >= $::QPOL_CEXPR_SYM_L1L2 } {
|
|
+ set constrain_type "mls"
|
|
+ break
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+ append constrain_type $family
|
|
+ $x -acquire
|
|
+ $x -delete
|
|
+
|
|
+ # Check if the statement is the requested type
|
|
+ if { $statement != $constrain_type } {
|
|
+ continue
|
|
+ }
|
|
+
|
|
+ # This gets the class name
|
|
+ set match_class 0
|
|
+ append class_list "\{ "
|
|
+ set class_name [[$q get_class $::ApolTop::qpolicy] get_name $::ApolTop::qpolicy]
|
|
+ append class_list $class_name
|
|
+ append class_list " \}"
|
|
+
|
|
+ # Check if class selected
|
|
+ if {($enabled(cp:classes) && $vals(cp:classes_selected) > 0)} {
|
|
+ foreach c $vals(cp:classes_selected) {
|
|
+ if { $c == $class_name } {
|
|
+ set match_class 1
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+ # Skip this constraint if it does not match criteria
|
|
+ if {($match_class == 0 && $vals(cp:classes_selected) > 0)} {
|
|
+ continue
|
|
+ }
|
|
+
|
|
+ # validatetrans does not use permissions
|
|
+ if { $family == "constrain" } {
|
|
+ # This gets perm list:
|
|
+ set x [$q get_perm_iter $::ApolTop::qpolicy]
|
|
+ set match_perm 0
|
|
+ append perm_list "\{ "
|
|
+ foreach perm [iter_to_str_list $x] {
|
|
+ append perm_list "$perm "
|
|
+ # Check if perm selected
|
|
+ if {($enabled(cp:perms) && $vals(cp:perms_selected) > 0)} {
|
|
+ foreach c $vals(cp:perms_selected) {
|
|
+ if { $c == $perm } {
|
|
+ set match_perm 1
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+ # Skip this constraint as it does not match criteria
|
|
+ if {($match_perm == 0 && $vals(cp:perms_selected) > 0)} {
|
|
+ continue
|
|
+ }
|
|
+ append perm_list "\}"
|
|
+ $x -acquire
|
|
+ $x -delete
|
|
+ }
|
|
+
|
|
+ # This get expressions
|
|
+ set x [$q get_expr_iter $::ApolTop::qpolicy]
|
|
+
|
|
+ # This contains the number of constraint expr's processed.
|
|
+ set constraint_expr_counter 0
|
|
+ # This is the constraint_expr buffer that is indexed by the
|
|
+ # $constraint_expr_counter
|
|
+ set array constraint_expr_buf($constraint_expr_counter)
|
|
+ array unset constraint_expr_buf
|
|
+
|
|
+ # This loop will process each part of the expression consisting of:
|
|
+ # Operators: !, &&, ||. The ! applies only to an operand.
|
|
+ # Operands/expressions such as: (r1 == r2), (t1 != name)
|
|
+ while {![$x end]} {
|
|
+ foreach t [iter_to_list $x] {
|
|
+ set t [qpol_constraint_expr_node_from_void $t]
|
|
+
|
|
+ # Get Operator and save it
|
|
+ set op [$t get_op $::ApolTop::qpolicy]
|
|
+
|
|
+ # Get Symbol type and save it
|
|
+ set sym_type [$t get_sym_type $::ApolTop::qpolicy]
|
|
+
|
|
+ # Get expression and save it
|
|
+ set expr_type [$t get_expr_type $::ApolTop::qpolicy]
|
|
+
|
|
+ # Now check expression for entry type !, && or ||.
|
|
+ # These are the operators between constraint expressions
|
|
+ if { $expr_type == $::QPOL_CEXPR_TYPE_NOT } {
|
|
+ set constraint_expr_counter [expr $constraint_expr_counter + 1]
|
|
+ append constraint_expr_buf($constraint_expr_counter) "not"
|
|
+ }
|
|
+
|
|
+ if { $expr_type == $::QPOL_CEXPR_TYPE_AND } {
|
|
+ set constraint_expr_counter [expr $constraint_expr_counter + 1]
|
|
+ append constraint_expr_buf($constraint_expr_counter) "and"
|
|
+ }
|
|
+
|
|
+ if { $expr_type == $::QPOL_CEXPR_TYPE_OR } {
|
|
+ set constraint_expr_counter [expr $constraint_expr_counter + 1]
|
|
+ append constraint_expr_buf($constraint_expr_counter) "or"
|
|
+ }
|
|
+
|
|
+ # If the expression is TYPE_ATTR then it's form is (t1 == t2)
|
|
+ if { $expr_type == $::QPOL_CEXPR_TYPE_ATTR } {
|
|
+ set constraint_expr_counter [expr $constraint_expr_counter + 1]
|
|
+
|
|
+ # Get the symbol name, this will be used twice, once
|
|
+ # to retrieve the string name for source entry, then
|
|
+ # the string name for the target entry.
|
|
+ set sym_name [Apol_Constraint::_getSym $sym_type]
|
|
+ append constraint_expr_buf($constraint_expr_counter) "( $sym_name "
|
|
+
|
|
+ # Check if keyword selected
|
|
+ if {$vals(kta:use_left_expr) == 1 && $vals(kta:left_expr) == $sym_name} {
|
|
+ set match_left_keyword_attr 1
|
|
+ }
|
|
+
|
|
+ # Get the operator and change to "eq" if required
|
|
+ set op [$t get_op $::ApolTop::qpolicy]
|
|
+ set op_name [Apol_Constraint::_getOp $op]
|
|
+ if { $op_name == "==" && \
|
|
+ ([string compare -length 1 $sym_name "r"] == 0 || \
|
|
+ [string compare -length 1 $sym_name "l"] == 0 || \
|
|
+ [string compare -length 1 $sym_name "h"] == 0) } {
|
|
+ set op_name "eq"
|
|
+ }
|
|
+ append constraint_expr_buf($constraint_expr_counter) $op_name
|
|
+
|
|
+ # Then using the sym_name again, get the target entry.
|
|
+ set sym_type [expr $sym_type | $::QPOL_CEXPR_SYM_TARGET]
|
|
+ set sym_name [Apol_Constraint::_getSym $sym_type]
|
|
+ append constraint_expr_buf($constraint_expr_counter) " $sym_name )"
|
|
+
|
|
+ # Check if keyword selected
|
|
+ if {$vals(kta:use_right_expr) == 1 && \
|
|
+ $vals(kta:right_expr) == $sym_name && \
|
|
+ $vals(kta:right_expr,right_keyword) == 1} {
|
|
+ set match_right_keyword_attr 1
|
|
+ }
|
|
+ }
|
|
+
|
|
+ # If the expression is TYPE_NAMES then expand the source
|
|
+ # types or attributes using 'get_names_iter'
|
|
+ # Example entries: ( t1 == mlstrustedobject )
|
|
+ # ( t1 != { unconfined_t init_t } )
|
|
+ # Note that if an attribute has been selected it could be
|
|
+ # an empty_set.
|
|
+ if { $expr_type == $::QPOL_CEXPR_TYPE_NAMES } {
|
|
+ set constraint_expr_counter [expr $constraint_expr_counter + 1]
|
|
+
|
|
+ # Get the symbol name, this is only used once to
|
|
+ # to retrieve the string name for source entry.
|
|
+ set sym_name [Apol_Constraint::_getSym $sym_type]
|
|
+ append constraint_expr_buf($constraint_expr_counter) "( $sym_name "
|
|
+
|
|
+ # Check if keyword selected
|
|
+ if {$vals(kta:use_left_expr) == 1 && \
|
|
+ $vals(kta:left_expr) == $sym_name} {
|
|
+ set match_left_keyword_names 1
|
|
+ }
|
|
+
|
|
+ set op [$t get_op $::ApolTop::qpolicy]
|
|
+ set op_name [Apol_Constraint::_getOp $op]
|
|
+ append constraint_expr_buf($constraint_expr_counter) $op_name
|
|
+
|
|
+ # Need to get the number of entries. These can be
|
|
+ # type or attribute identifiers.
|
|
+ set tmp_list {}
|
|
+ set return_list {}
|
|
+ set n [$t get_names_iter $::ApolTop::qpolicy]
|
|
+ set n_size [[$t get_names_iter $::ApolTop::qpolicy] get_size]
|
|
+
|
|
+ # If > 0 then put entries in a tmp_list for later processing.
|
|
+ if { $n_size > 0 } {
|
|
+ foreach name [iter_to_str_list $n] {
|
|
+ append tmp_list "$name "
|
|
+ }
|
|
+ #
|
|
+ # Now check search parameters for the $name entries of
|
|
+ # the right side of the expression. The $tmp_list can
|
|
+ # contain user, role, type or type attribute names
|
|
+ # depending on the initial letter of $sym_name.
|
|
+ #
|
|
+ if { ([string compare -length 1 $sym_name "t"] == 0 && \
|
|
+ $vals(kta:use_right_expr) == 1) && \
|
|
+ ($vals(kta:right_expr,types) == 1 || \
|
|
+ $vals(kta:right_expr,attribs) == 1) } {
|
|
+ # This calls type and attribute processing:
|
|
+ set tmp_list [Apol_Constraint::_process_TA $vals(kta:right_expr) $tmp_list]
|
|
+ } elseif { ($vals(kta:use_right_expr) == 1 && \
|
|
+ $vals(kta:right_expr,roles) == 1 && \
|
|
+ [string compare -length 1 $sym_name "r"] == 0) || \
|
|
+ ($vals(kta:use_right_expr) == 1 && \
|
|
+ $vals(kta:right_expr,users) == 1 && \
|
|
+ [string compare -length 1 $sym_name "u"] == 0) } {
|
|
+ foreach c $tmp_list {
|
|
+ if { $c == $vals(kta:right_expr) } {
|
|
+ set match_right_type_names 1
|
|
+ set tmp_list $name
|
|
+ continue
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+ # else if size == 0 then just say an empty set. Also
|
|
+ # check if the requested attribute is an empty set.
|
|
+ } elseif { $n_size == 0 } {
|
|
+ set tmp_list "<empty_set>"
|
|
+ if { [Apol_Constraint::_checkIfEmptyAttr $vals(kta:right_expr)] && \
|
|
+ [string compare -length 1 $sym_name "t"] == 0 } {
|
|
+ set match_right_type_names 1
|
|
+ }
|
|
+ }
|
|
+
|
|
+ # Copy tmp_list to the constraint buffer.
|
|
+ if { [llength $tmp_list] > 1 } {
|
|
+ append constraint_expr_buf($constraint_expr_counter) " \{ $tmp_list\} )"
|
|
+ } else {
|
|
+ append constraint_expr_buf($constraint_expr_counter) " $tmp_list )"
|
|
+ }
|
|
+ $n -acquire
|
|
+ $n -delete
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+ $x -acquire
|
|
+ $x -delete
|
|
+ # Done with processing all the expressions, now check if they
|
|
+ # were enabled or not and valid search entries found.
|
|
+ if {($vals(kta:use_left_expr) == 1 && $vals(kta:use_right_expr) == 1) && \
|
|
+ [expr (($match_left_keyword_names | $match_left_keyword_attr) & \
|
|
+ ($match_right_keyword_attr | $match_right_type_names))] == 0} {
|
|
+ continue
|
|
+ }
|
|
+
|
|
+ if {($vals(kta:use_left_expr) == 1 && $vals(kta:use_right_expr) == 0) && \
|
|
+ [expr $match_left_keyword_names | $match_left_keyword_attr] == 0} {
|
|
+ continue
|
|
+ }
|
|
+
|
|
+ if {($vals(kta:use_left_expr) == 0 && $vals(kta:use_right_expr) == 1) && \
|
|
+ ($vals(kta:right_expr,users) == 1 || \
|
|
+ $vals(kta:right_expr,roles) == 1 || \
|
|
+ $vals(kta:right_expr,attribs) == 1 || \
|
|
+ $vals(kta:right_expr,types) == 1 || \
|
|
+ $vals(kta:right_expr,right_keyword) == 1) && \
|
|
+ [expr $match_right_type_names | $match_right_keyword_attr ] == 0} {
|
|
+ continue
|
|
+ }
|
|
+
|
|
+ #
|
|
+ # This takes each entry in the RPN formatted constraint_expr_buf and
|
|
+ # converts to infix format that resembles the constraint string in
|
|
+ # policy language format. It is a modified version from:
|
|
+ # http://rosettacode.org/wiki/Parsing/RPN_to_infix_conversion
|
|
+ #
|
|
+ set stack {}
|
|
+ foreach entry [lsort -integer [array names constraint_expr_buf]] {
|
|
+ set token $constraint_expr_buf($entry)
|
|
+ switch $token {
|
|
+ "not" - "and" - "or" {
|
|
+ lassign [Apol_Constraint::_pop stack] expr2rec expr2
|
|
+ # The ! is not treated the same as && || as it only
|
|
+ # applies to a single expression i.e. !(expression)
|
|
+ # So just pop the stack and add the !. Should there be
|
|
+ # another ! in the expression, then add brackets.
|
|
+ if { $token == "not" } {
|
|
+ set ans [string compare -length 1 $expr2 "not"]
|
|
+ if { $ans == 0 } {
|
|
+ lappend stack [list 1 "$token \($expr2\)"]
|
|
+ } else {
|
|
+ lappend stack [list 1 "$token$expr2"]
|
|
+ }
|
|
+ continue
|
|
+ } else {
|
|
+ lassign [Apol_Constraint::_pop stack] expr1rec expr1
|
|
+ lappend stack [list 1 "$expr1 $token $expr2"]
|
|
+ }
|
|
+ }
|
|
+ default {
|
|
+ lappend stack [list 2 $token]
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+ if { [array size constraint_expr_buf] == 1 } {
|
|
+ set expression "[lindex $stack end 1];"
|
|
+ } else {
|
|
+ set expression "([lindex $stack end 1]);"
|
|
+ }
|
|
+ set statement_count [expr $statement_count + 1]
|
|
+ append entries "$constrain_type $class_list $perm_list\n $expression\n\n"
|
|
+ }
|
|
+ return $entries
|
|
+}
|
|
+
|
|
+######### End of search routine - Start supporting procs ################
|
|
+
|
|
+# The pop stack routine for RPN conversion
|
|
+proc Apol_Constraint::_pop {stk} {
|
|
+ upvar 1 $stk s
|
|
+ set val [lindex $s end]
|
|
+ set s [lreplace $s end end]
|
|
+ return $val
|
|
+}
|
|
+
|
|
+
|
|
+# Take an attribute name and expands it to a list of types.
|
|
+proc Apol_Constraint::_renderAttrib {attrib_name} {
|
|
+ set type_list {}
|
|
+ set qpol_type_datum [new_qpol_type_t $::ApolTop::qpolicy $attrib_name]
|
|
+ set i [$qpol_type_datum get_type_iter $::ApolTop::qpolicy]
|
|
+ foreach t [iter_to_list $i] {
|
|
+ set t [qpol_type_from_void $t]
|
|
+ lappend type_list [$t get_name $::ApolTop::qpolicy]
|
|
+ }
|
|
+ if { $type_list == "" } {
|
|
+ lappend type_list "<empty_set>"
|
|
+ }
|
|
+ $i -acquire
|
|
+ $i -delete
|
|
+ return $type_list
|
|
+}
|
|
+
|
|
+
|
|
+# This will return a list of attributes linked to the type_name
|
|
+proc Apol_Constraint::_renderType {type_name} {
|
|
+ set qpol_type_datum [new_qpol_type_t $::ApolTop::qpolicy $type_name]
|
|
+ set aliases {}
|
|
+ set attribs {}
|
|
+
|
|
+ set i [$qpol_type_datum get_alias_iter $::ApolTop::qpolicy]
|
|
+ set aliases [iter_to_str_list $i]
|
|
+ $i -acquire
|
|
+ $i -delete
|
|
+
|
|
+ set i [$qpol_type_datum get_attr_iter $::ApolTop::qpolicy]
|
|
+ foreach a [iter_to_list $i] {
|
|
+ set a [qpol_type_from_void $a]
|
|
+ lappend attribs [$a get_name $::ApolTop::qpolicy]
|
|
+ }
|
|
+ $i -acquire
|
|
+ $i -delete
|
|
+ return $attribs
|
|
+}
|
|
+
|
|
+
|
|
+# Check if the name is a type or attribute.
|
|
+proc Apol_Constraint::_checkTypeOrAttr {name} {
|
|
+ set type_list {}
|
|
+
|
|
+ set qpol_type_datum [new_qpol_type_t $::ApolTop::qpolicy $name]
|
|
+ set x [$qpol_type_datum get_isattr $::ApolTop::qpolicy ]
|
|
+ if { $x == 1 } {
|
|
+ return "attribute"
|
|
+ } else {
|
|
+ return "type"
|
|
+ }
|
|
+ $x -acquire
|
|
+ $x -delete
|
|
+}
|
|
+
|
|
+
|
|
+# Return Left or Right expr keywords
|
|
+proc Apol_Constraint::_getKeywords {side command} {
|
|
+ set list {}
|
|
+ set left_list {}
|
|
+ set right_list {}
|
|
+
|
|
+ set q [$command]
|
|
+ # This reads in the constraint info
|
|
+ set v [$q run $::ApolTop::policy]
|
|
+ $q -acquire
|
|
+ $q -delete
|
|
+
|
|
+ # This loop will process each constraint in the policy
|
|
+ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} {
|
|
+ set expr_type {}
|
|
+ set sym_type {}
|
|
+ set q [qpol_constraint_from_void [$v get_element $i]]
|
|
+
|
|
+ # This get expressions
|
|
+ set x [$q get_expr_iter $::ApolTop::qpolicy]
|
|
+ while {![$x end]} {
|
|
+ foreach t [iter_to_list $x] {
|
|
+ set t [qpol_constraint_expr_node_from_void $t]
|
|
+ set sym_type [$t get_sym_type $::ApolTop::qpolicy]
|
|
+ set expr_type [$t get_expr_type $::ApolTop::qpolicy]
|
|
+
|
|
+ if { $expr_type == $::QPOL_CEXPR_TYPE_ATTR } {
|
|
+ set sym_name [Apol_Constraint::_getSym $sym_type]
|
|
+ append left_list "$sym_name "
|
|
+ # Then using the sym_name again, get the target entry.
|
|
+ set sym_type [expr $sym_type | $::QPOL_CEXPR_SYM_TARGET]
|
|
+ set sym_name [Apol_Constraint::_getSym $sym_type]
|
|
+ append right_list "$sym_name "
|
|
+ }
|
|
+
|
|
+ if { $expr_type == $::QPOL_CEXPR_TYPE_NAMES } {
|
|
+ set sym_name [Apol_Constraint::_getSym $sym_type]
|
|
+ append left_list "$sym_name "
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+ $x -acquire
|
|
+ $x -delete
|
|
+
|
|
+ if {$side == "l"} {
|
|
+ append list $left_list
|
|
+ } else {
|
|
+ append list $right_list
|
|
+ }
|
|
+ }
|
|
+ $v -acquire
|
|
+ $v -delete
|
|
+ return $list
|
|
+}
|
|
+
|
|
+
|
|
+# Here because a type or type_attribute search has been actioned
|
|
+proc Apol_Constraint::_process_TA {name search_list} {
|
|
+ variable match_right_type_names
|
|
+ variable vals
|
|
+
|
|
+ foreach ta $search_list {
|
|
+ if { $ta == $name } {
|
|
+ set match_right_type_names 1
|
|
+ return $search_list
|
|
+ }
|
|
+ }
|
|
+ return $search_list
|
|
+}
|
|
+
|
|
+
|
|
+# Get symbol from expression
|
|
+proc Apol_Constraint::_getSym {sym_type} {
|
|
+ set symbol {}
|
|
+
|
|
+ # These are source for mls/constrain and old for mls/validatetrans
|
|
+ if { $sym_type == $::QPOL_CEXPR_SYM_USER } {
|
|
+ append symbol "u1"
|
|
+ }
|
|
+ if { $sym_type == $::QPOL_CEXPR_SYM_ROLE } {
|
|
+ append symbol "r1"
|
|
+ }
|
|
+ if { $sym_type == $::QPOL_CEXPR_SYM_TYPE } {
|
|
+ append symbol "t1"
|
|
+ }
|
|
+
|
|
+ # These are target for mls/constrain and new for mls/validatetrans
|
|
+ if { $sym_type == $::QPOL_CEXPR_SYM_USER+$::QPOL_CEXPR_SYM_TARGET } {
|
|
+ append symbol "u2"
|
|
+ }
|
|
+ if { $sym_type == $::QPOL_CEXPR_SYM_ROLE+$::QPOL_CEXPR_SYM_TARGET } {
|
|
+ append symbol "r2"
|
|
+ }
|
|
+ if { $sym_type == $::QPOL_CEXPR_SYM_TYPE+$::QPOL_CEXPR_SYM_TARGET } {
|
|
+ append symbol "t2"
|
|
+ }
|
|
+ # These are source for mls/validatetrans
|
|
+ if { $sym_type == $::QPOL_CEXPR_SYM_USER+$::QPOL_CEXPR_SYM_XTARGET } {
|
|
+ append symbol "u3"
|
|
+ }
|
|
+ if { $sym_type == $::QPOL_CEXPR_SYM_ROLE+$::QPOL_CEXPR_SYM_XTARGET } {
|
|
+ append symbol "r3"
|
|
+ }
|
|
+ if { $sym_type == $::QPOL_CEXPR_SYM_TYPE+$::QPOL_CEXPR_SYM_XTARGET } {
|
|
+ append symbol "t3"
|
|
+ }
|
|
+
|
|
+ # Source levels for mlsconstrain and mlsvalidatetrans
|
|
+ if { $sym_type == $::QPOL_CEXPR_SYM_L1L2 } {
|
|
+ append symbol "l1"
|
|
+ }
|
|
+ if { $sym_type == $::QPOL_CEXPR_SYM_L1H2 } {
|
|
+ append symbol "l1"
|
|
+ }
|
|
+ if { $sym_type == $::QPOL_CEXPR_SYM_H1L2 } {
|
|
+ append symbol "h1"
|
|
+ }
|
|
+ if { $sym_type == $::QPOL_CEXPR_SYM_H1H2 } {
|
|
+ append symbol "h1"
|
|
+ }
|
|
+ if { $sym_type == $::QPOL_CEXPR_SYM_L1H1 } {
|
|
+ append symbol "l1"
|
|
+ }
|
|
+ if { $sym_type == $::QPOL_CEXPR_SYM_L2H2 } {
|
|
+ append symbol "l2"
|
|
+ }
|
|
+
|
|
+ # Target levels for mlsconstrain and mlsvalidatetrans
|
|
+ if { $sym_type == $::QPOL_CEXPR_SYM_L1L2+$::QPOL_CEXPR_SYM_TARGET } {
|
|
+ append symbol "l2"
|
|
+ }
|
|
+ if { $sym_type == $::QPOL_CEXPR_SYM_L1H2+$::QPOL_CEXPR_SYM_TARGET } {
|
|
+ append symbol "h2"
|
|
+ }
|
|
+ if { $sym_type == $::QPOL_CEXPR_SYM_H1L2+$::QPOL_CEXPR_SYM_TARGET } {
|
|
+ append symbol "l2"
|
|
+ }
|
|
+ if { $sym_type == $::QPOL_CEXPR_SYM_H1H2+$::QPOL_CEXPR_SYM_TARGET } {
|
|
+ append symbol "h2"
|
|
+ }
|
|
+ if { $sym_type == $::QPOL_CEXPR_SYM_L1H1+$::QPOL_CEXPR_SYM_TARGET } {
|
|
+ append symbol "h1"
|
|
+ }
|
|
+ if { $sym_type == $::QPOL_CEXPR_SYM_L2H2+$::QPOL_CEXPR_SYM_TARGET } {
|
|
+ append symbol "h2"
|
|
+ }
|
|
+ if { $symbol == "" } {
|
|
+ append symbol "err_sym_missing"
|
|
+ }
|
|
+ return $symbol
|
|
+}
|
|
+
|
|
+
|
|
+# Get Operator
|
|
+proc Apol_Constraint::_getOp {op} {
|
|
+ set entry {}
|
|
+
|
|
+ if { $op == $::QPOL_CEXPR_OP_EQ } {
|
|
+ append entry "=="
|
|
+ }
|
|
+ if { $op == $::QPOL_CEXPR_OP_NEQ } {
|
|
+ append entry "!="
|
|
+ }
|
|
+ if { $op == $::QPOL_CEXPR_OP_DOM } {
|
|
+ append entry "dom"
|
|
+ }
|
|
+ if { $op == $::QPOL_CEXPR_OP_DOMBY } {
|
|
+ append entry "domby"
|
|
+ }
|
|
+ if { $op == $::QPOL_CEXPR_OP_INCOMP } {
|
|
+ append entry "incomp"
|
|
+ }
|
|
+ if { $entry == "" } {
|
|
+ append entry "op_missing"
|
|
+ }
|
|
+ return $entry
|
|
+}
|
|
+
|
|
diff --git a/apol/default_objects_tab.tcl b/apol/default_objects_tab.tcl
|
|
new file mode 100644
|
|
index 0000000..6cf764b
|
|
--- /dev/null
|
|
+++ b/apol/default_objects_tab.tcl
|
|
@@ -0,0 +1,370 @@
|
|
+# Copyright (C) 2001-2007 Tresys Technology, LLC
|
|
+# This program is free software; you can redistribute it and/or modify
|
|
+# it under the terms of the GNU General Public License as published by
|
|
+# the Free Software Foundation; either version 2 of the License, or
|
|
+# (at your option) any later version.
|
|
+#
|
|
+# This program is distributed in the hope that it will be useful,
|
|
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+# GNU General Public License for more details.
|
|
+#
|
|
+# You should have received a copy of the GNU General Public License
|
|
+# along with this program; if not, write to the Free Software
|
|
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
|
+
|
|
+namespace eval Apol_DefaultObjects {
|
|
+ variable vals
|
|
+ variable widgets
|
|
+ variable mls_enabled {0}
|
|
+ variable statement_count
|
|
+}
|
|
+
|
|
+proc Apol_DefaultObjects::create {tab_name nb} {
|
|
+ variable vals
|
|
+ variable widgets
|
|
+
|
|
+ _initializeVars
|
|
+
|
|
+ set frame [$nb insert end $tab_name -text "Default Object Rules"]
|
|
+ set topf [frame $frame.top]
|
|
+ set bottomf [frame $frame.bottom]
|
|
+ pack $topf -expand 0 -fill both -pady 2
|
|
+ pack $bottomf -expand 1 -fill both -pady 2
|
|
+
|
|
+ set rsbox [TitleFrame $topf.rs -ipad 30 -text "Rule Selection"]
|
|
+ set obox [TitleFrame $topf.opts -text "Search Options"]
|
|
+ set dbox [TitleFrame $bottomf.results -text "Default Object Rules Display"]
|
|
+ pack $rsbox -side left -expand 0 -fill both -padx 2
|
|
+ pack $obox -side left -expand 1 -fill both -padx 2
|
|
+ pack $dbox -expand 1 -fill both -padx 2
|
|
+
|
|
+ # Rule selection subframe
|
|
+ set rs [$rsbox getframe]
|
|
+ checkbutton $rs.default_user -text "default_user" -onvalue 1 -offvalue 0 \
|
|
+ -variable Apol_DefaultObjects::vals(default_user_enabled)
|
|
+ trace add variable Apol_DefaultObjects::vals(default_user_enabled) write \
|
|
+ [list Apol_DefaultObjects::_ruleChanged]
|
|
+ checkbutton $rs.default_role -text "default_role" -onvalue 1 -offvalue 0 \
|
|
+ -variable Apol_DefaultObjects::vals(default_role_enabled)
|
|
+ trace add variable Apol_DefaultObjects::vals(default_role_enabled) write \
|
|
+ [list Apol_DefaultObjects::_ruleChanged]
|
|
+ checkbutton $rs.default_type -text "default_type" -onvalue 1 -offvalue 0 \
|
|
+ -variable Apol_DefaultObjects::vals(default_type_enabled)
|
|
+ trace add variable Apol_DefaultObjects::vals(default_type_enabled) write \
|
|
+ [list Apol_DefaultObjects::_ruleChanged]
|
|
+ checkbutton $rs.default_range -text "default_range" -onvalue 1 -offvalue 0 \
|
|
+ -variable Apol_DefaultObjects::vals(default_range_enabled)
|
|
+ trace add variable Apol_DefaultObjects::vals(default_range_enabled) write \
|
|
+ [list Apol_DefaultObjects::_ruleChanged]
|
|
+ pack $rs.default_user $rs.default_role $rs.default_type $rs.default_range -side top -anchor w
|
|
+
|
|
+ set widgets(options_pm) [PagesManager [$obox getframe].opts]
|
|
+
|
|
+ _defaultObjectCreate [$widgets(options_pm) add default_object]
|
|
+
|
|
+ $widgets(options_pm) compute_size
|
|
+ pack $widgets(options_pm) -expand 1 -fill both -side left
|
|
+ $widgets(options_pm) raise default_object
|
|
+
|
|
+ set ok [button [$obox getframe].ok -text OK -width 6 -command Apol_DefaultObjects::_searchDefaultObjects]
|
|
+ pack $ok -side right -padx 5 -pady 5 -anchor ne
|
|
+
|
|
+ set widgets(results) [Apol_Widget::makeSearchResults [$dbox getframe].results]
|
|
+ pack $widgets(results) -expand yes -fill both
|
|
+
|
|
+ return $frame
|
|
+}
|
|
+
|
|
+proc Apol_DefaultObjects::open {ppath} {
|
|
+ variable vals
|
|
+ variable widgets
|
|
+ variable mls_enabled
|
|
+
|
|
+ if {[ApolTop::is_capable "mls"]} {
|
|
+ set mls_enabled 1
|
|
+ } else {
|
|
+ set mls_enabled 0
|
|
+ }
|
|
+
|
|
+ $widgets(default_object:class) configure -values [Apol_Class_Perms::getClasses]
|
|
+ $widgets(default_object:default) configure -values {"source" "target"}
|
|
+ $widgets(default_object:range) configure -values {"low" "high" "low_high"}
|
|
+
|
|
+ set vals(default_range_enabled) $mls_enabled
|
|
+ set vals(default_type_enabled) [ApolTop::is_capable "default_type"]
|
|
+}
|
|
+
|
|
+proc Apol_DefaultObjects::close {} {
|
|
+ variable widgets
|
|
+ variable mls_enabled
|
|
+
|
|
+ _initializeVars
|
|
+ $widgets(default_object:class) configure -values {}
|
|
+ $widgets(default_object:default) configure -values {}
|
|
+ $widgets(default_object:range) configure -values {}
|
|
+ set mls_enabled 0
|
|
+}
|
|
+
|
|
+proc Apol_DefaultObjects::getTextWidget {} {
|
|
+ variable widgets
|
|
+}
|
|
+
|
|
+proc Apol_DefaultObjects::_initializeVars {} {
|
|
+ variable vals
|
|
+
|
|
+ array set vals {
|
|
+ class:use 0
|
|
+ class:sym {}
|
|
+ default:sym {}
|
|
+ default:use 0
|
|
+ range:sym {}
|
|
+ range:use 0
|
|
+
|
|
+ default_user_enabled 1
|
|
+ default_role_enabled 1
|
|
+ default_type_enabled 1
|
|
+ default_range_enabled 0
|
|
+ }
|
|
+}
|
|
+
|
|
+proc Apol_DefaultObjects::_defaultObjectCreate {r_c} {
|
|
+ variable vals
|
|
+ variable widgets
|
|
+
|
|
+ set class [frame $r_c.class]
|
|
+ set class_cb [checkbutton $class.enable -text "Object class" \
|
|
+ -variable Apol_DefaultObjects::vals(class:use)]
|
|
+ set widgets(default_object:class) [ComboBox $class.cb -width 20 -state disabled \
|
|
+ -entrybg $ApolTop::default_bg_color \
|
|
+ -textvariable Apol_DefaultObjects::vals(class:sym)]
|
|
+
|
|
+ trace add variable Apol_DefaultObjects::vals(class:use) write \
|
|
+ [list Apol_DefaultObjects::_toggleCheckbutton $widgets(default_object:class) {}]
|
|
+ pack $class_cb -side top -anchor w
|
|
+ pack $widgets(default_object:class) -side top -expand 0 -fill x -padx 4
|
|
+ pack $class -side left -padx 4 -pady 2 -expand 0 -anchor nw
|
|
+
|
|
+ set default [frame $r_c.default]
|
|
+ set widgets(default_object:default_cb) [checkbutton $default.enable -text "Default" \
|
|
+ -variable Apol_DefaultObjects::vals(default:use)]
|
|
+ set widgets(default_object:default) [ComboBox $default.cb -width 20 -state disabled \
|
|
+ -entrybg $ApolTop::default_bg_color \
|
|
+ -textvariable Apol_DefaultObjects::vals(default:sym)]
|
|
+ trace add variable Apol_DefaultObjects::vals(default:use) write \
|
|
+ [list Apol_DefaultObjects::_toggleCheckbutton $widgets(default_object:default) {}]
|
|
+ pack $widgets(default_object:default_cb) -side top -anchor w
|
|
+ pack $widgets(default_object:default) -side top -expand 0 -fill x -padx 4
|
|
+ pack $default -side left -padx 4 -pady 2 -expand 0 -fill y
|
|
+
|
|
+ set range [frame $r_c.range]
|
|
+ set widgets(default_object:range_cb) [checkbutton $range.enable -text "Range" \
|
|
+ -variable Apol_DefaultObjects::vals(range:use)]
|
|
+ set widgets(default_object:range) [ComboBox $range.cb -width 20 -state disabled \
|
|
+ -entrybg $ApolTop::default_bg_color \
|
|
+ -textvariable Apol_DefaultObjects::vals(range:sym)]
|
|
+ trace add variable Apol_DefaultObjects::vals(range:use) write \
|
|
+ [list Apol_DefaultObjects::_toggleCheckbutton $widgets(default_object:range) {}]
|
|
+ pack $widgets(default_object:range_cb) -side top -anchor w
|
|
+ pack $widgets(default_object:range) -side top -expand 0 -fill x -padx 4
|
|
+ pack $range -side left -padx 4 -pady 2 -expand 0 -fill y
|
|
+}
|
|
+
|
|
+proc Apol_DefaultObjects::_toggleCheckbutton {cb w name1 name2 ops} {
|
|
+ variable vals
|
|
+ variable mls_enabled
|
|
+
|
|
+ if {$name2 == "range:use" && $mls_enabled == 0 || $vals(default_range_enabled) == 0} {
|
|
+ set vals(range:use) 0
|
|
+ $cb configure -state disabled
|
|
+ }
|
|
+
|
|
+ if {$vals($name2)} {
|
|
+ $cb configure -state normal -entrybg white
|
|
+ foreach x $w {
|
|
+ $x configure -state normal
|
|
+ }
|
|
+ } else {
|
|
+ $cb configure -state disabled -entrybg $ApolTop::default_bg_color
|
|
+ foreach x $w {
|
|
+ $x configure -state disabled
|
|
+ }
|
|
+ }
|
|
+}
|
|
+
|
|
+proc Apol_DefaultObjects::_ruleChanged {name1 name2 ops} {
|
|
+ variable vals
|
|
+ variable widgets
|
|
+ Apol_Widget::clearSearchResults $widgets(results)
|
|
+
|
|
+ if {$vals(default_user_enabled) == 0} {
|
|
+ set vals(user:use) 0
|
|
+ }
|
|
+ if {$vals(default_role_enabled) == 0} {
|
|
+ set vals(role:use) 0
|
|
+ }
|
|
+ if {$vals(default_type_enabled) == 0} {
|
|
+ set vals(type:use) 0
|
|
+ }
|
|
+ if {$vals(default_range_enabled) == 0} {
|
|
+ set vals(range:use) 0
|
|
+ }
|
|
+}
|
|
+
|
|
+proc Apol_DefaultObjects::_searchDefaultObjects {} {
|
|
+ variable vals
|
|
+ variable widgets
|
|
+ variable statement_count
|
|
+
|
|
+ Apol_Widget::clearSearchResults $widgets(results)
|
|
+ if {![ApolTop::is_policy_open]} {
|
|
+ tk_messageBox -icon error -type ok -title "Error" -message "No current policy file is opened."
|
|
+ }
|
|
+
|
|
+ if {$vals(class:use) == 1 && $vals(class:sym) == {}} {
|
|
+ tk_messageBox -icon error -type ok -title "Default object Rule Search" -message "No class selected."
|
|
+ return
|
|
+ }
|
|
+ if {$vals(default:use) == 1 && $vals(default:sym) == {}} {
|
|
+ tk_messageBox -icon error -type ok -title "Default object Rule Search" -message "No default selected."
|
|
+ return
|
|
+ }
|
|
+ if {$vals(range:use) == 1 && $vals(range:sym) == {}} {
|
|
+ tk_messageBox -icon error -type ok -title "Default object Rule Search" -message "No range selected."
|
|
+ return
|
|
+ }
|
|
+
|
|
+ set results {}
|
|
+ set header {}
|
|
+ set print_results {}
|
|
+
|
|
+ if {$vals(default_user_enabled) == 1} {
|
|
+ append results [Apol_DefaultObjects::searchForDefault "user" get_user_default]
|
|
+ append header "$statement_count default_user rules match the search criteria.\n"
|
|
+ }
|
|
+ if {$vals(default_role_enabled) == 1} {
|
|
+ append results [Apol_DefaultObjects::searchForDefault "role" get_role_default]
|
|
+ append header "$statement_count default_role rules match the search criteria.\n"
|
|
+ }
|
|
+ if {$vals(default_type_enabled) == 1} {
|
|
+ append results [Apol_DefaultObjects::searchForDefault "type" get_type_default]
|
|
+ append header "$statement_count default_type rules match the search criteria.\n"
|
|
+ }
|
|
+ if {$vals(default_range_enabled) == 1} {
|
|
+ append results [Apol_DefaultObjects::searchDefaultRange "range" get_range_default]
|
|
+ append header "$statement_count default_range rules match the search criteria.\n"
|
|
+ }
|
|
+ append print_results "$header\n$results"
|
|
+ Apol_Widget::appendSearchResultText $widgets(results) $print_results
|
|
+}
|
|
+
|
|
+proc Apol_DefaultObjects::searchForDefault {type type_cmd} {
|
|
+ variable vals
|
|
+ variable widgets
|
|
+ variable statement_count
|
|
+ set results {}
|
|
+ set printit 0
|
|
+ set class_regexp 0
|
|
+ set default_regexp 0
|
|
+ set statement_count 0
|
|
+
|
|
+ if {$vals(class:use)} {
|
|
+ set class_regexp 1
|
|
+ }
|
|
+ if {$vals(default:use)} {
|
|
+ set default_regexp 1
|
|
+ }
|
|
+
|
|
+ set q [new_apol_default_object_query_t]
|
|
+ set v [$q run $::ApolTop::policy]
|
|
+ $q -acquire
|
|
+ $q -delete
|
|
+ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} {
|
|
+ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} {
|
|
+ set q [qpol_default_object_from_void [$v get_element $i]]
|
|
+ set class [$q get_class $::ApolTop::qpolicy]
|
|
+ set default [$q $type_cmd $::ApolTop::qpolicy]
|
|
+ if {$default != ""} {
|
|
+ if {$class_regexp == 1 && $class == $vals(class:sym) && $default_regexp == 1 && $default == $vals(default:sym)} {
|
|
+ set printit 1
|
|
+ } elseif {$class_regexp == 1 && $class == $vals(class:sym) && $default_regexp == 0} {
|
|
+ set printit 1
|
|
+ } elseif {$default_regexp == 1 && $default == $vals(default:sym) && $class_regexp == 0} {
|
|
+ set printit 1
|
|
+ } elseif {$class_regexp == 0 && $default_regexp == 0} {
|
|
+ set printit 1
|
|
+ }
|
|
+ if {$printit == 1} {
|
|
+ append results "default_$type $class $default;\n"
|
|
+ set statement_count [expr $statement_count + 1]
|
|
+ }
|
|
+ }
|
|
+ set printit 0
|
|
+ }
|
|
+ }
|
|
+ return "$results\n"
|
|
+}
|
|
+
|
|
+proc Apol_DefaultObjects::searchDefaultRange {type type_cmd} {
|
|
+ variable vals
|
|
+ variable widgets
|
|
+ variable statement_count
|
|
+ set results {}
|
|
+ set printit 0
|
|
+ set class_regexp 0
|
|
+ set default_regexp 0
|
|
+ set range_regexp 0
|
|
+ set statement_count 0
|
|
+
|
|
+ if {$vals(class:use)} {
|
|
+ set class_regexp 1
|
|
+ }
|
|
+ if {$vals(default:use)} {
|
|
+ set default_regexp 1
|
|
+ }
|
|
+ if {$vals(range:use)} {
|
|
+ set range_regexp 1
|
|
+ }
|
|
+
|
|
+ set q [new_apol_default_object_query_t]
|
|
+ set v [$q run $::ApolTop::policy]
|
|
+ $q -acquire
|
|
+ $q -delete
|
|
+ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} {
|
|
+ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} {
|
|
+ set q [qpol_default_object_from_void [$v get_element $i]]
|
|
+ set class [$q get_class $::ApolTop::qpolicy]
|
|
+ set default [$q $type_cmd $::ApolTop::qpolicy]
|
|
+ if {$default != ""} {
|
|
+ # split into the two components
|
|
+ set entries [split $default " "]
|
|
+ lassign $entries src_tgt range
|
|
+
|
|
+ if {$class_regexp == 1 && $class == $vals(class:sym) && $default_regexp == 1 && \
|
|
+ $src_tgt== $vals(default:sym) && $range_regexp == 1 && $range == $vals(range:sym)} {
|
|
+ set printit 1
|
|
+ } elseif {$class_regexp == 1 && $class == $vals(class:sym) && $default_regexp == 0 && $range_regexp == 0} {
|
|
+ set printit 1
|
|
+ } elseif {$class_regexp == 0 && $default_regexp == 1 && $src_tgt == $vals(default:sym) && $range_regexp == 0} {
|
|
+ set printit 1
|
|
+ } elseif {$class_regexp == 0 && $default_regexp == 0 && $range_regexp == 1 && $range == $vals(range:sym)} {
|
|
+ set printit 1
|
|
+ } elseif {$class_regexp == 0 && $default_regexp == 1 && $src_tgt == $vals(default:sym) && \
|
|
+ $range_regexp == 1 && $range == $vals(range:sym)} {
|
|
+ set printit 1
|
|
+ } elseif {$class_regexp == 1 && $class == $vals(class:sym) && $default_regexp == 0 && \
|
|
+ $range_regexp == 1 && $range == $vals(range:sym)} {
|
|
+ set printit 1
|
|
+ } elseif {$class_regexp == 0 && $default_regexp == 0 && $range_regexp == 0} {
|
|
+ set printit 1
|
|
+ }
|
|
+ if {$printit == 1} {
|
|
+ append results "default_$type $class $default;\n"
|
|
+ set statement_count [expr $statement_count + 1]
|
|
+ }
|
|
+ }
|
|
+ set printit 0
|
|
+ }
|
|
+ }
|
|
+ return "$results\n"
|
|
+}
|
|
diff --git a/apol/initial_sids_tab.tcl b/apol/initial_sids_tab.tcl
|
|
index ff81a32..356a45a 100644
|
|
--- a/apol/initial_sids_tab.tcl
|
|
+++ b/apol/initial_sids_tab.tcl
|
|
@@ -110,7 +110,7 @@ proc Apol_Initial_SIDS::_search {} {
|
|
$q set_context $::ApolTop::policy $context $range_match
|
|
}
|
|
|
|
- set v [$q run $::ApolTop::policy] #line causing segfaulting
|
|
+ set v [$q run $::ApolTop::policy]
|
|
|
|
$q -acquire
|
|
$q -delete
|
|
diff --git a/apol/namespaces_tab.tcl b/apol/namespaces_tab.tcl
|
|
new file mode 100644
|
|
index 0000000..da8a1af
|
|
--- /dev/null
|
|
+++ b/apol/namespaces_tab.tcl
|
|
@@ -0,0 +1,206 @@
|
|
+# Copyright (C) 2001-2007 Tresys Technology, LLC
|
|
+# This program is free software; you can redistribute it and/or modify
|
|
+# it under the terms of the GNU General Public License as published by
|
|
+# the Free Software Foundation; either version 2 of the License, or
|
|
+# (at your option) any later version.
|
|
+#
|
|
+# This program is distributed in the hope that it will be useful,
|
|
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+# GNU General Public License for more details.
|
|
+#
|
|
+# You should have received a copy of the GNU General Public License
|
|
+# along with this program; if not, write to the Free Software
|
|
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
|
+
|
|
+namespace eval Apol_Namespaces {
|
|
+ variable widgets
|
|
+ variable namespace_list {}
|
|
+}
|
|
+
|
|
+proc Apol_Namespaces::create {tab_name nb} {
|
|
+ variable widgets
|
|
+ variable namespace_list {}
|
|
+
|
|
+ set frame [$nb insert end $tab_name -text "Policy Namespaces"]
|
|
+ set pw [PanedWindow $frame.pw -side top]
|
|
+ set leftf [$pw add -weight 0]
|
|
+ set rightf [$pw add -weight 1]
|
|
+ pack $pw -fill both -expand yes
|
|
+
|
|
+ set namespaces_box [TitleFrame $leftf.namespaces_box -text "Policy Namespaces"]
|
|
+ pack $namespaces_box -fill both -expand yes
|
|
+
|
|
+ set nlistbox [Apol_Widget::makeScrolledListbox [$namespaces_box getframe].lb \
|
|
+ -width 60 -listvar Apol_Namespaces::namespace_list]
|
|
+ Apol_Widget::setListboxCallbacks $nlistbox \
|
|
+ {{"Show Namespace Users, Roles, Types, Attributes and Classes Info" {Apol_Namespaces::popupNsInfo nfi}}}
|
|
+ pack $nlistbox -expand 1 -fill both
|
|
+ pack $nlistbox -fill both -expand yes
|
|
+
|
|
+ return $frame
|
|
+}
|
|
+
|
|
+proc Apol_Namespaces::open {ppath} {
|
|
+ variable namespace_list {}
|
|
+
|
|
+ append list1 "$Apol_Users::users_list $Apol_Roles::role_list $Apol_Types::typelist $Apol_Types::attriblist $Apol_Class_Perms::class_list"
|
|
+ set names [split $list1 " "]
|
|
+ # Split on the ns separator, chop off the end entry then add "." back
|
|
+ set list1 {}
|
|
+ foreach n $names {
|
|
+ set ns [split $n "."]
|
|
+ set ns [lreplace $ns end end]
|
|
+ set l [string length $ns]
|
|
+ if {$l > 0} {
|
|
+ regsub -all " " $ns "." ns
|
|
+ lappend list1 "$ns"
|
|
+ }
|
|
+ }
|
|
+ set list2 {}
|
|
+ set namespace_list "GLOBAL-NS\n"
|
|
+ lappend list2 [lsort -dictionary -unique $list1]
|
|
+
|
|
+ foreach entry $list2 {
|
|
+ append namespace_list "$entry\n"
|
|
+ }
|
|
+}
|
|
+
|
|
+proc Apol_Namespaces::close {} {
|
|
+ variable namespace_list {}
|
|
+
|
|
+ set namespace_list {}
|
|
+}
|
|
+
|
|
+proc Apol_Namespaces::getTextWidget {} {
|
|
+ variable widgets
|
|
+}
|
|
+
|
|
+
|
|
+proc Apol_Namespaces::popupNsInfo {which ns} {
|
|
+
|
|
+ set w .ns_infobox
|
|
+ destroy $w
|
|
+
|
|
+ set w [Dialog .ns_infobox -cancel 0 -default 0 -modal none -parent . -separator 1 -title $ns]
|
|
+ $w add -text "Close" -command [list destroy $w]
|
|
+
|
|
+ set notebook [NoteBook [$w getframe].nb]
|
|
+ pack $notebook -expand 1 -fill both
|
|
+
|
|
+ set user_info_tab [$notebook insert end user_info_tab -text "Users"]
|
|
+ set role_info_tab [$notebook insert end role_info_tab -text "Roles"]
|
|
+ set type_info_tab [$notebook insert end type_info_tab -text "Types"]
|
|
+ set attrib_info_tab [$notebook insert end attrib_info_tab -text "Attributes"]
|
|
+ set class_info_tab [$notebook insert end class_info_tab -text "Classes"]
|
|
+ set boolean_info_tab [$notebook insert end boolean_info_tab -text "Booleans"]
|
|
+
|
|
+ if {[ApolTop::is_capable "mls"]} {
|
|
+ set sensitivity_info_tab [$notebook insert end sensitivity_info_tab -text "Sensitivities"]
|
|
+ set category_info_tab [$notebook insert end category_info_tab -text "Categories"]
|
|
+ }
|
|
+
|
|
+ # Display users
|
|
+ set sw [ScrolledWindow [$notebook getframe user_info_tab].sw -scrollbar both -auto both]
|
|
+ set user_text [text [$sw getframe].text -wrap none -font {helvetica 10} -bg white]
|
|
+ $sw setwidget $user_text
|
|
+ pack $sw -expand 1 -fill both
|
|
+ Apol_Namespaces::DisplayMatches $Apol_Users::users_list $user_text $ns "users"
|
|
+
|
|
+ # Display roles
|
|
+ set sw [ScrolledWindow [$notebook getframe role_info_tab].sw -scrollbar both -auto both]
|
|
+ set role_text [text [$sw getframe].text -wrap none -font {helvetica 10} -bg white]
|
|
+ $sw setwidget $role_text
|
|
+ pack $sw -expand 1 -fill both
|
|
+ Apol_Namespaces::DisplayMatches $Apol_Roles::role_list $role_text $ns "roles"
|
|
+
|
|
+ # Display types
|
|
+ set sw [ScrolledWindow [$notebook getframe type_info_tab].sw -scrollbar both -auto both]
|
|
+ set type_text [text [$sw getframe].text -wrap none -font {helvetica 10} -bg white]
|
|
+ $sw setwidget $type_text
|
|
+ pack $sw -expand 1 -fill both
|
|
+ Apol_Namespaces::DisplayMatches $Apol_Types::typelist $type_text $ns "types"
|
|
+
|
|
+ # Display attributes
|
|
+ set sw [ScrolledWindow [$notebook getframe attrib_info_tab].sw -scrollbar both -auto both]
|
|
+ set attrib_text [text [$sw getframe].text -wrap none -font {helvetica 10} -bg white]
|
|
+ $sw setwidget $attrib_text
|
|
+ pack $sw -expand 1 -fill both
|
|
+ Apol_Namespaces::DisplayMatches $Apol_Types::attriblist $attrib_text $ns "attributes"
|
|
+
|
|
+ # Display classes
|
|
+ set sw [ScrolledWindow [$notebook getframe class_info_tab].sw -scrollbar both -auto both]
|
|
+ set class_text [text [$sw getframe].text -wrap none -font {helvetica 10} -bg white]
|
|
+ $sw setwidget $class_text
|
|
+ pack $sw -expand 1 -fill both
|
|
+ Apol_Namespaces::DisplayMatches $Apol_Class_Perms::class_list $class_text $ns "classes"
|
|
+
|
|
+ # Display booleans
|
|
+ set sw [ScrolledWindow [$notebook getframe boolean_info_tab].sw -scrollbar both -auto both]
|
|
+ set boolean_text [text [$sw getframe].text -wrap none -font {helvetica 10} -bg white]
|
|
+ $sw setwidget $boolean_text
|
|
+ pack $sw -expand 1 -fill both
|
|
+ Apol_Namespaces::DisplayMatches $Apol_Cond_Bools::cond_bools_list $boolean_text $ns "booleans"
|
|
+
|
|
+ if {[ApolTop::is_capable "mls"]} {
|
|
+ # Display sensitivities
|
|
+ set sw [ScrolledWindow [$notebook getframe sensitivity_info_tab].sw -scrollbar both -auto both]
|
|
+ set sensitivity_text [text [$sw getframe].text -wrap none -font {helvetica 10} -bg white]
|
|
+ $sw setwidget $sensitivity_text
|
|
+ pack $sw -expand 1 -fill both
|
|
+ Apol_Namespaces::DisplayMatches $Apol_MLS::vals(senslist) $sensitivity_text $ns "sensitivities"
|
|
+
|
|
+ # Display categories
|
|
+ set sw [ScrolledWindow [$notebook getframe category_info_tab].sw -scrollbar both -auto both]
|
|
+ set category_text [text [$sw getframe].text -wrap none -font {helvetica 10} -bg white]
|
|
+ $sw setwidget $category_text
|
|
+ pack $sw -expand 1 -fill both
|
|
+ Apol_Namespaces::DisplayMatches $Apol_MLS::vals(catslist) $category_text $ns "categories"
|
|
+ }
|
|
+
|
|
+ $notebook raise [$notebook page 0]
|
|
+ $w draw {} 0 600x400
|
|
+}
|
|
+
|
|
+proc Apol_Namespaces::DisplayMatches {item_list display_entry ns text} {
|
|
+ set counter 0
|
|
+ set print_list {}
|
|
+
|
|
+ if {$ns == "GLOBAL-NS"} {
|
|
+ set ns {}
|
|
+ set off_set 0
|
|
+ } else {
|
|
+ set off_set 1
|
|
+ }
|
|
+ # Get len of the ns selected
|
|
+ set l [string length $ns]
|
|
+ #For each entry check if in this ns
|
|
+ foreach t $item_list {
|
|
+ set i [string compare -length $l $t $ns]
|
|
+ # kludge to get round a problem.
|
|
+ # If $z is same as $ns, but no . in $t then ignore as $t just
|
|
+ # happens to begin with a match to $ns. So reset $i
|
|
+ set z [string range $t 0 $l-1]
|
|
+ if {![regexp -nocase {[.]} $t] && $z == $ns && $ns != ""} {
|
|
+ set i 1
|
|
+ }
|
|
+
|
|
+ if {$i == 0} {
|
|
+ set x [string range $t $l+$off_set end]
|
|
+ if {![regexp -nocase {[.]} $x]} {
|
|
+ append print_list " $x\n"
|
|
+ set counter [expr $counter + 1]
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+ if {$counter == 0} {
|
|
+ $display_entry insert end "No entries\n"
|
|
+ } else {
|
|
+ if {$ns == ""} {
|
|
+ set ns "global"
|
|
+ }
|
|
+ $display_entry insert end "$ns namespace ($counter $text)\n$print_list"
|
|
+ }
|
|
+ $display_entry configure -state disabled
|
|
+
|
|
+}
|
|
diff --git a/apol/polcap_tab.tcl b/apol/polcap_tab.tcl
|
|
new file mode 100644
|
|
index 0000000..dfeade4
|
|
--- /dev/null
|
|
+++ b/apol/polcap_tab.tcl
|
|
@@ -0,0 +1,73 @@
|
|
+# Copyright (C) 2001-2007 Tresys Technology, LLC
|
|
+# This program is free software; you can redistribute it and/or modify
|
|
+# it under the terms of the GNU General Public License as published by
|
|
+# the Free Software Foundation; either version 2 of the License, or
|
|
+# (at your option) any later version.
|
|
+#
|
|
+# This program is distributed in the hope that it will be useful,
|
|
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+# GNU General Public License for more details.
|
|
+#
|
|
+# You should have received a copy of the GNU General Public License
|
|
+# along with this program; if not, write to the Free Software
|
|
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
|
+
|
|
+namespace eval Apol_Polcaps {
|
|
+ variable widgets
|
|
+ variable polcap_list {}
|
|
+}
|
|
+
|
|
+proc Apol_Polcaps::create {tab_name nb} {
|
|
+ variable widgets
|
|
+
|
|
+ set frame [$nb insert end $tab_name -text "Policy Capabilities"]
|
|
+ set pw [PanedWindow $frame.pw -side top]
|
|
+ set leftf [$pw add -weight 0]
|
|
+ set rightf [$pw add -weight 1]
|
|
+ pack $pw -fill both -expand yes
|
|
+
|
|
+ set polcap_box [TitleFrame $leftf.polcap_box -text "Policy Capabilities"]
|
|
+ pack $polcap_box -fill both -expand yes
|
|
+
|
|
+ set rlistbox [Apol_Widget::makeScrolledListbox [$polcap_box getframe].lb \
|
|
+ -width 60 -listvar Apol_Polcaps::polcap_list]
|
|
+ pack $rlistbox -fill both -expand yes
|
|
+
|
|
+ return $frame
|
|
+}
|
|
+
|
|
+proc Apol_Polcaps::open {ppath} {
|
|
+ variable polcap_list
|
|
+
|
|
+ set polcapnames {}
|
|
+ set q [new_apol_polcap_query_t]
|
|
+ # This reads in the polcap info
|
|
+ set v [$q run $::ApolTop::policy]
|
|
+ $q -acquire
|
|
+ $q -delete
|
|
+ # This loop will process polcap name in the policy
|
|
+ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} {
|
|
+ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} {
|
|
+ set q [qpol_polcap_from_void [$v get_element $i]]
|
|
+ append polcapnames [$q get_name $::ApolTop::qpolicy]
|
|
+ append polcapnames "\n"
|
|
+ }
|
|
+ }
|
|
+
|
|
+ set polcap_list $polcapnames
|
|
+}
|
|
+
|
|
+proc Apol_Polcaps::close {} {
|
|
+ variable widgets
|
|
+ variable polcap_list {}
|
|
+}
|
|
+
|
|
+proc Apol_Polcaps::getTextWidget {} {
|
|
+ variable widgets
|
|
+}
|
|
+
|
|
+#### private functions below ####
|
|
+
|
|
+
|
|
+
|
|
diff --git a/apol/policyconf.tcl b/apol/policyconf.tcl
|
|
index 8f7e9c1..161f959 100644
|
|
--- a/apol/policyconf.tcl
|
|
+++ b/apol/policyconf.tcl
|
|
@@ -63,7 +63,9 @@ proc Apol_PolicyConf::open {ppath} {
|
|
$textbox fakedelete 0.0 end
|
|
if {![ApolTop::is_capable "source"]} {
|
|
$textbox fakeinsert end "The currently loaded policy is not a source policy."
|
|
+ ApolTop::_toplevel_enable_tabs tag_source disabled
|
|
} else {
|
|
+ ApolTop::_toplevel_enable_tabs tag_source normal
|
|
set primary_file [$ppath get_primary]
|
|
if {[catch {::open $primary_file r} f]} {
|
|
$textbox fakeinsert end "$primary_file does not exist or could not be read by the user."
|
|
diff --git a/apol/terules_tab.tcl b/apol/terules_tab.tcl
|
|
index c5a490f..266d670 100644
|
|
--- a/apol/terules_tab.tcl
|
|
+++ b/apol/terules_tab.tcl
|
|
@@ -93,6 +93,7 @@ proc Apol_TE::create {tab_name nb} {
|
|
|
|
_createTypesAttribsTab
|
|
_createClassesPermsTab
|
|
+ _createFilenameTab
|
|
|
|
# Action buttons
|
|
set widgets(new) [button $abox.new -text "New Search" -width 12 \
|
|
@@ -138,6 +139,7 @@ proc Apol_TE::open {ppath} {
|
|
set vals(cp:classes) [Apol_Class_Perms::getClasses]
|
|
set enabled(cp:classes) 1
|
|
set enabled(cp:perms) 1
|
|
+ set vals(ta:use_filename) 0
|
|
}
|
|
|
|
proc Apol_TE::close {} {
|
|
@@ -252,6 +254,7 @@ proc Apol_TE::_initializeVars {} {
|
|
ta:source_sym,types $::APOL_QUERY_SYMBOL_IS_TYPE \
|
|
ta:target_sym,types $::APOL_QUERY_SYMBOL_IS_TYPE \
|
|
ta:default_sym,types $::APOL_QUERY_SYMBOL_IS_TYPE \
|
|
+ ta:filename,files 1 \
|
|
]
|
|
|
|
array set vals {
|
|
@@ -273,6 +276,10 @@ proc Apol_TE::_initializeVars {} {
|
|
ta:default_sym,attribs 0
|
|
ta:default_sym {}
|
|
|
|
+ ta:use_filename 0
|
|
+ ta:filename {}
|
|
+ ta:filename,files 0
|
|
+
|
|
cp:classes {}
|
|
cp:classes_selected {}
|
|
cp:perms {}
|
|
@@ -286,6 +293,7 @@ proc Apol_TE::_initializeVars {} {
|
|
ta:use_source 1
|
|
ta:use_target 1
|
|
ta:use_default 1
|
|
+ ta:use_filename 1
|
|
|
|
cp:classes 0
|
|
cp:perms 0
|
|
@@ -535,6 +543,156 @@ proc Apol_TE::_toggle_ta_pushed {col cb} {
|
|
}
|
|
}
|
|
|
|
+proc Apol_TE::_createFilenameTab {} {
|
|
+ variable vals
|
|
+ variable widgets
|
|
+ variable enabled
|
|
+
|
|
+ set fn_tab [$widgets(search_opts) insert end filename -text "Filename"]
|
|
+ set fm_filename [frame $fn_tab.filename]
|
|
+ grid $fm_filename -padx 4 -sticky ewns
|
|
+ foreach i {0 1 2} {
|
|
+ grid columnconfigure $fn_tab $i -weight 1 -uniform 1
|
|
+ }
|
|
+ grid rowconfigure $fn_tab 0 -weight 1
|
|
+
|
|
+ set widgets(ta:use_filename) [checkbutton $fm_filename.use -text "type_transition filename" \
|
|
+ -onvalue 1 -offvalue 0 -variable Apol_TE::vals(ta:use_filename)]
|
|
+ pack $widgets(ta:use_filename) -side top -anchor w
|
|
+
|
|
+ trace add variable Apol_TE::vals(ta:use_filename) write \
|
|
+ [list Apol_TE::_toggle_fn_box filename]
|
|
+
|
|
+ set w {}
|
|
+
|
|
+ set helptext "Select a filename - Note: no search using regular expr"
|
|
+
|
|
+ set widgets(ta:filename_sym) [ComboBox $fm_filename.sym \
|
|
+ -state normal -entrybg $ApolTop::default_bg_color \
|
|
+ -textvariable Apol_TE::vals(ta:filename_sym) \
|
|
+ -helptext $helptext -autopost 1]
|
|
+ pack $widgets(ta:filename_sym) -expand 0 -fill x -padx 8
|
|
+ lappend w $widgets(ta:filename_sym)
|
|
+
|
|
+ set widgets(ta:filename_widgets) $w
|
|
+ trace add variable Apol_TE::enabled(ta:use_filename) write \
|
|
+ [list Apol_TE::_maybe_enable_filename filename]
|
|
+
|
|
+ trace add variable Apol_TE::vals(ta:filename,files) write \
|
|
+ [list Apol_TE::_toggle_FileNames filename]
|
|
+}
|
|
+
|
|
+
|
|
+proc Apol_TE::_toggle_fn_box {col name1 name2 op} {
|
|
+ variable vals
|
|
+ variable enabled
|
|
+ variable widgets
|
|
+
|
|
+ if {$enabled(ta:use_${col})} {
|
|
+ $widgets(ta:use_${col}) configure -state normal
|
|
+ } else {
|
|
+ $widgets(ta:use_${col}) configure -state disabled
|
|
+ }
|
|
+ if {$enabled(ta:use_${col}) && $vals(ta:use_${col})} {
|
|
+ foreach w $widgets(ta:${col}_widgets) {
|
|
+ $w configure -state normal
|
|
+ }
|
|
+ $widgets(ta:${col}_sym) configure -entrybg white
|
|
+ } else {
|
|
+ foreach w $widgets(ta:${col}_widgets) {
|
|
+ $w configure -state disabled
|
|
+ }
|
|
+ $widgets(ta:${col}_sym) configure -entrybg $ApolTop::default_bg_color
|
|
+ }
|
|
+
|
|
+ # update this tab's name if one of the columns is enabled and used
|
|
+ if {($enabled(ta:use_${col}) && $vals(ta:use_${col}))} { \
|
|
+ $widgets(search_opts) itemconfigure filename -text "Filename *"
|
|
+ } else {
|
|
+ $widgets(search_opts) itemconfigure filename -text "Filename"
|
|
+ }
|
|
+}
|
|
+
|
|
+proc Apol_TE::_maybe_enable_filename {col name1 name2 op} {
|
|
+ variable vals
|
|
+ variable enabled
|
|
+ variable widgets
|
|
+
|
|
+ set typerule_set 0
|
|
+
|
|
+ foreach x {type_transition} {
|
|
+ if {$vals(rs:$x)} {
|
|
+ set typerule_set 1
|
|
+ break
|
|
+ }
|
|
+ }
|
|
+
|
|
+ if {$typerule_set && [ApolTop::is_capable "filename_trans"]} {
|
|
+ set enabled(ta:use_filename) 1
|
|
+ } else {
|
|
+ set enabled(ta:use_filename) 0
|
|
+ }
|
|
+
|
|
+ set enabled(ta:use_${col}) $enabled(ta:use_${col})
|
|
+}
|
|
+
|
|
+
|
|
+proc Apol_TE::_toggle_FileNames {col name1 name2 op} {
|
|
+ variable vals
|
|
+ variable widgets
|
|
+ variable enabled
|
|
+
|
|
+ if {![ApolTop::is_policy_open]} {
|
|
+ return
|
|
+ }
|
|
+
|
|
+ set items [lsort -unique -dictionary [Apol_TE::Get_FileNames]]
|
|
+ $widgets(ta:${col}_sym) configure -values $items
|
|
+}
|
|
+
|
|
+proc Apol_TE::Get_FileNames {} {
|
|
+ set filenames {}
|
|
+ set q [new_apol_filename_trans_query_t]
|
|
+ # This reads in the filename_trans info
|
|
+ set v [$q run $::ApolTop::policy]
|
|
+ $q -acquire
|
|
+ $q -delete
|
|
+ # This loop will process each filename_trans in the policy
|
|
+ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} {
|
|
+ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} {
|
|
+ set q [qpol_filename_trans_from_void [$v get_element $i]]
|
|
+ lappend filenames [$q get_filename $::ApolTop::qpolicy]
|
|
+ }
|
|
+ }
|
|
+ return $filenames
|
|
+}
|
|
+
|
|
+
|
|
+proc Apol_TE::appendFilenameSearchResultRules {path indent rule_list cast filename} {
|
|
+ set curstate [$path.tb cget -state]
|
|
+ $path.tb configure -state normal
|
|
+
|
|
+ variable enabled
|
|
+ variable vals
|
|
+ set num_rules 0
|
|
+
|
|
+ if { $vals(ta:use_filename) == 0} {
|
|
+ set filename ""
|
|
+ }
|
|
+
|
|
+ for {set i 0} {$i < [$rule_list get_size]} {incr i} {
|
|
+ set rule [$cast [$rule_list get_element $i]]
|
|
+ if {$filename == "" || [$rule get_filename $::ApolTop::qpolicy] == $filename} {
|
|
+ $path.tb insert end [string repeat " " $indent]
|
|
+ $path.tb insert end [apol_filename_trans_render $::ApolTop::policy $rule]
|
|
+ incr num_rules
|
|
+ $path.tb insert end "\n"
|
|
+ }
|
|
+ }
|
|
+ $path.tb configure -state $curstate
|
|
+ list $num_rules $num_rules 0
|
|
+}
|
|
+
|
|
# code to create and handle the classe/permissions subtab
|
|
|
|
proc Apol_TE::_createClassesPermsTab {} {
|
|
@@ -875,10 +1033,13 @@ proc Apol_TE::_search_terules {whichButton} {
|
|
return
|
|
}
|
|
if {$enabled(ta:use_default) && $vals(ta:use_default) && $vals(ta:default_sym) == {}} {
|
|
-
|
|
tk_messageBox -icon error -type ok -title "TE Rule Search" -message "No default type selected."
|
|
return
|
|
}
|
|
+ if {$enabled(ta:use_filename) && $vals(ta:use_filename) && $vals(ta:filename_sym) == {}} {
|
|
+ tk_messageBox -icon error -type ok -title "TE Rule Search" -message "No filename selected."
|
|
+ return
|
|
+ }
|
|
|
|
set avrule_selection 0
|
|
foreach {key value} [array get vals rs:avrule_*] {
|
|
@@ -896,6 +1057,7 @@ proc Apol_TE::_search_terules {whichButton} {
|
|
# start building queries
|
|
set avq [new_apol_avrule_query_t]
|
|
set teq [new_apol_terule_query_t]
|
|
+ set fnteq [new_apol_filename_trans_query_t]
|
|
|
|
if {$enabled(ta:use_source) && $vals(ta:use_source)} {
|
|
if {$vals(ta:source_which) == "either"} {
|
|
@@ -905,21 +1067,28 @@ proc Apol_TE::_search_terules {whichButton} {
|
|
$avq set_source_component $::ApolTop::policy [expr {$vals(ta:source_sym,types) | $vals(ta:source_sym,attribs)}]
|
|
$teq set_source $::ApolTop::policy $vals(ta:source_sym) $vals(ta:source_indirect)
|
|
$teq set_source_component $::ApolTop::policy [expr {$vals(ta:source_sym,types) | $vals(ta:source_sym,attribs)}]
|
|
+ $fnteq set_source $::ApolTop::policy $vals(ta:source_sym) $vals(ta:source_indirect)
|
|
}
|
|
if {$enabled(ta:use_target) && $vals(ta:use_target)} {
|
|
$avq set_target $::ApolTop::policy $vals(ta:target_sym) $vals(ta:target_indirect)
|
|
$avq set_target_component $::ApolTop::policy [expr {$vals(ta:target_sym,types) | $vals(ta:target_sym,attribs)}]
|
|
$teq set_target $::ApolTop::policy $vals(ta:target_sym) $vals(ta:target_indirect)
|
|
$teq set_target_component $::ApolTop::policy [expr {$vals(ta:target_sym,types) | $vals(ta:target_sym,attribs)}]
|
|
+ $fnteq set_target $::ApolTop::policy $vals(ta:target_sym) $vals(ta:target_indirect)
|
|
}
|
|
if {$enabled(ta:use_default) && $vals(ta:use_default)} {
|
|
$teq set_default $::ApolTop::policy $vals(ta:default_sym)
|
|
+ $fnteq set_default $::ApolTop::policy $vals(ta:default_sym)
|
|
+ }
|
|
+ if {$enabled(ta:use_filename) && $vals(ta:use_filename)} {
|
|
+ $fnteq set_filename $::ApolTop::policy $vals(ta:filename_sym)
|
|
}
|
|
|
|
if {$enabled(cp:classes)} {
|
|
foreach c $vals(cp:classes_selected) {
|
|
$avq append_class $::ApolTop::policy $c
|
|
$teq append_class $::ApolTop::policy $c
|
|
+ $fnteq append_class $::ApolTop::policy $c
|
|
}
|
|
}
|
|
if {$enabled(cp:perms)} {
|
|
@@ -935,6 +1104,7 @@ proc Apol_TE::_search_terules {whichButton} {
|
|
$teq set_enabled $::ApolTop::policy $vals(oo:enabled)
|
|
$avq set_regex $::ApolTop::policy $vals(oo:regexp)
|
|
$teq set_regex $::ApolTop::policy $vals(oo:regexp)
|
|
+ $fnteq set_regex $::ApolTop::policy $vals(oo:regexp)
|
|
|
|
foreach x {new update reset} {
|
|
$widgets($x) configure -state disabled
|
|
@@ -952,16 +1122,20 @@ proc Apol_TE::_search_terules {whichButton} {
|
|
{
|
|
set numTEs {0 0 0}
|
|
set numAVs {0 0 0}
|
|
+ set numFNTEs {0 0 0}
|
|
set avresults NULL
|
|
set teresults NULL
|
|
+ set fnteresults NULL
|
|
set num_avresults 0
|
|
set num_teresults 0
|
|
+ set num_fnteresults 0
|
|
if {![ApolTop::is_capable "syntactic rules"]} {
|
|
if {$avrule_selection != 0} {
|
|
set avresults [$avq run $::ApolTop::policy]
|
|
}
|
|
if {$terule_selection != 0} {
|
|
set teresults [$teq run $::ApolTop::policy]
|
|
+ set fnteresults [$fnteq run $::ApolTop::policy]
|
|
}
|
|
} else {
|
|
$::ApolTop::qpolicy build_syn_rule_table
|
|
@@ -972,11 +1146,16 @@ proc Apol_TE::_search_terules {whichButton} {
|
|
set teresults [$teq run_syn $::ApolTop::policy]
|
|
}
|
|
}
|
|
+ if {$terule_selection != 0} {
|
|
+ set fnteresults [$fnteq run $::ApolTop::policy]
|
|
+ }
|
|
|
|
$avq -acquire
|
|
$avq -delete
|
|
$teq -acquire
|
|
$teq -delete
|
|
+ $fnteq -acquire
|
|
+ $fnteq -delete
|
|
if {$avresults != "NULL"} {
|
|
set num_avresults [$avresults get_size]
|
|
}
|
|
@@ -984,6 +1163,10 @@ proc Apol_TE::_search_terules {whichButton} {
|
|
set num_teresults [$teresults get_size]
|
|
}
|
|
|
|
+ if {$fnteresults != "NULL"} {
|
|
+ set num_fnteresults [$fnteresults get_size]
|
|
+ }
|
|
+
|
|
if {$whichButton == "new"} {
|
|
set sr [_create_new_results_tab]
|
|
} else {
|
|
@@ -1014,7 +1197,21 @@ proc Apol_TE::_search_terules {whichButton} {
|
|
set numTEs [Apol_Widget::appendSearchResultSynRules $sr 0 $teresults qpol_syn_terule_from_void]
|
|
}
|
|
}
|
|
- set num_rules [expr {[lindex $numAVs 0] + [lindex $numTEs 0]}]
|
|
+
|
|
+ if { $vals(ta:use_filename) == 1 && $vals(ta:use_source) == 0 && $vals(ta:use_target) == 0 && $vals(ta:use_default) == 0} {
|
|
+ Apol_Widget::clearSearchResults $sr
|
|
+ set numTEs {0 0 0}
|
|
+ set numAVs {0 0 0}
|
|
+ }
|
|
+
|
|
+ if {$vals(rs:type_transition) != 0} {
|
|
+ apol_tcl_set_info_string $::ApolTop::policy "Rendering $num_fnteresults Filename TE rule results"
|
|
+ if {$num_fnteresults > 0} {
|
|
+ set numFNTEs [Apol_TE::appendFilenameSearchResultRules $sr 0 $fnteresults qpol_filename_trans_from_void $vals(ta:filename_sym)]
|
|
+ }
|
|
+ }
|
|
+
|
|
+ set num_rules [expr {[lindex $numAVs 0] + [lindex $numTEs 0] + [lindex $numFNTEs 0]}]
|
|
set num_enabled [expr {[lindex $numAVs 1] + [lindex $numTEs 1]}]
|
|
set num_disabled [expr {[lindex $numAVs 2] + [lindex $numTEs 2]}]
|
|
set header "$num_rules rule"
|
|
diff --git a/apol/top.tcl b/apol/top.tcl
|
|
index f930318..a267dde 100644
|
|
--- a/apol/top.tcl
|
|
+++ b/apol/top.tcl
|
|
@@ -18,8 +18,9 @@ set COPYRIGHT_INFO "Copyright (C) 2001-2008 Tresys Technology, LLC"
|
|
namespace eval ApolTop {
|
|
variable policy {} ;# handle to an apol_policy, or {} if none opened
|
|
variable qpolicy {} ;# handle to policy's qpol_policy_t, or {} if none opened
|
|
- # these three are shown on the status line of the toplevel window
|
|
+ # these four are shown on the status line of the toplevel window
|
|
variable policy_version_string {}
|
|
+ variable policy_handle_unknown_string {}
|
|
variable policy_source_linenum {}
|
|
variable policy_stats_summary {}
|
|
variable policy_stats ;# array of statistics for the current policy
|
|
@@ -68,10 +69,15 @@ namespace eval ApolTop {
|
|
{Apol_Initial_SIDS components {}}
|
|
{Apol_NetContexts components {}}
|
|
{Apol_FSContexts components {}}
|
|
+ {Apol_Polcaps components {tag_polcap}}
|
|
+ {Apol_Namespaces components {}}
|
|
{Apol_TE rules {tag_query_saveable}}
|
|
{Apol_Cond_Rules rules {tag_conditionals}}
|
|
+ {Apol_Constraint rules {tag_query_saveable}}
|
|
{Apol_RBAC rules {}}
|
|
{Apol_Range rules {tag_mls}}
|
|
+ {Apol_Bounds rules {tag_bounds}}
|
|
+ {Apol_DefaultObjects rules {tag_default_objects}}
|
|
{Apol_File_Contexts {} {}}
|
|
{Apol_Analysis {} {tag_query_saveable}}
|
|
{Apol_PolicyConf {} {tag_source}}
|
|
@@ -108,6 +114,12 @@ proc ApolTop::is_capable {capability} {
|
|
"neverallow" { set cap $::QPOL_CAP_NEVERALLOW }
|
|
"source" { set cap $::QPOL_CAP_SOURCE }
|
|
"syntactic rules" { set cap $::QPOL_CAP_SYN_RULES }
|
|
+ "polcap" { set cap $::QPOL_CAP_POLCAPS }
|
|
+ "bounds" { set cap $::QPOL_CAP_BOUNDS }
|
|
+ "default_objects" { set cap $::QPOL_CAP_DEFAULT_OBJECTS }
|
|
+ "default_type" { set cap $::QPOL_CAP_DEFAULT_TYPE }
|
|
+ "permissive" { set cap $::QPOL_CAP_PERMISSIVE }
|
|
+ "filename_trans" { set cap $::QPOL_CAP_FILENAME_TRANS }
|
|
default { return 0 }
|
|
}
|
|
variable qpolicy
|
|
@@ -368,6 +380,15 @@ proc ApolTop::_toplevel_policy_open {ppath} {
|
|
if {![is_capable "source"]} {
|
|
_toplevel_enable_tabs tag_source disabled
|
|
}
|
|
+ if {![is_capable "polcap"]} {
|
|
+ _toplevel_enable_tabs tag_polcap disabled
|
|
+ }
|
|
+ if {![is_capable "bounds"]} {
|
|
+ _toplevel_enable_tabs tag_bounds disabled
|
|
+ }
|
|
+ if {![is_capable "default_objects"]} {
|
|
+ _toplevel_enable_tabs tag_default_objects disabled
|
|
+ }
|
|
_toplevel_tab_switched
|
|
|
|
variable mainframe
|
|
@@ -376,6 +397,23 @@ proc ApolTop::_toplevel_policy_open {ppath} {
|
|
|
|
_toplevel_update_stats
|
|
variable policy_version_string [$::ApolTop::policy get_version_type_mls_str]
|
|
+# Set how to handle unknown class/perms.
|
|
+#define SEPOL_DENY_UNKNOWN 0
|
|
+#define SEPOL_REJECT_UNKNOWN 2
|
|
+#define SEPOL_ALLOW_UNKNOWN 4
|
|
+ variable policy_handle_unknown_string
|
|
+ set policy_handle_unknown -1
|
|
+ set policy_handle_unknown [$::ApolTop::policy get_policy_handle_unknown]
|
|
+
|
|
+ if {$policy_handle_unknown == 0} {
|
|
+ set policy_handle_unknown_string "deny"
|
|
+ } elseif {$policy_handle_unknown == 2} {
|
|
+ set policy_handle_unknown_string "reject"
|
|
+ } elseif {$policy_handle_unknown == 4} {
|
|
+ set policy_handle_unknown_string "allow"
|
|
+ } else {
|
|
+ set policy_handle_unknown_string "unknown"
|
|
+ }
|
|
|
|
set primary_file [$ppath get_primary]
|
|
wm title . "SELinux Policy Analysis - $primary_file"
|
|
@@ -457,6 +495,9 @@ proc ApolTop::_toplevel_update_stats {} {
|
|
"sens" get_level_iter
|
|
"cats" get_cat_iter
|
|
"range_trans" get_range_trans_iter
|
|
+ "constraints" get_constraint_iter
|
|
+ "validatetrans" get_validatetrans_iter
|
|
+ "filename_trans" get_filename_trans_iter
|
|
|
|
"sids" get_isid_iter
|
|
"portcons" get_portcon_iter
|
|
@@ -464,6 +505,8 @@ proc ApolTop::_toplevel_update_stats {} {
|
|
"nodecons" get_nodecon_iter
|
|
"genfscons" get_genfscon_iter
|
|
"fs_uses" get_fs_use_iter
|
|
+ "permissive" get_permissive_iter
|
|
+ "polcap" get_polcap_iter
|
|
}
|
|
foreach {key func} $iter_funcs {
|
|
set i [$::ApolTop::qpolicy $func]
|
|
@@ -518,6 +561,109 @@ proc ApolTop::_toplevel_update_stats {} {
|
|
$i -delete
|
|
}
|
|
|
|
+ # Determine number of mlsconstrain and mlsvalidatetrans rules and
|
|
+ # recalculate the numbers accordingly.
|
|
+ if {[ApolTop::is_capable "mls"]} {
|
|
+ set mlsconstrain_count [ApolTop::_get_mls_count new_apol_constraint_query_t]
|
|
+ set policy_stats(constraints) [expr $policy_stats(constraints) - $mlsconstrain_count]
|
|
+ set policy_stats(mlsconstraints) $mlsconstrain_count
|
|
+
|
|
+ set mlsvalidatetrans_count [ApolTop::_get_mls_count new_apol_validatetrans_query_t]
|
|
+ set policy_stats(validatetrans) [expr $policy_stats(validatetrans) - $mlsvalidatetrans_count]
|
|
+ set policy_stats(mlsvalidatetrans) $mlsvalidatetrans_count
|
|
+ } else {
|
|
+ set policy_stats(mlsconstraints) 0
|
|
+ set policy_stats(mlsvalidatetrans) 0
|
|
+ }
|
|
+
|
|
+ # Determine number of bounds statements
|
|
+ set policy_stats(userbounds) 0
|
|
+ set policy_stats(rolebounds) 0
|
|
+ set policy_stats(typebounds) 0
|
|
+
|
|
+ if {[is_capable "bounds"]} {
|
|
+ # Determine number of userbounds statements
|
|
+ set q [new_apol_userbounds_query_t]
|
|
+ set v [$q run $::ApolTop::policy]
|
|
+ $q -acquire
|
|
+ $q -delete
|
|
+ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} {
|
|
+ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} {
|
|
+ set q [qpol_userbounds_from_void [$v get_element $i]]
|
|
+ set parent [$q get_parent_name $::ApolTop::qpolicy]
|
|
+ if {$parent != ""} {
|
|
+ set policy_stats(userbounds) [expr $policy_stats(userbounds) + 1]
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+
|
|
+ # Determine number of rolebounds statements
|
|
+ set q [new_apol_rolebounds_query_t]
|
|
+ set v [$q run $::ApolTop::policy]
|
|
+ $q -acquire
|
|
+ $q -delete
|
|
+ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} {
|
|
+ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} {
|
|
+ set q [qpol_rolebounds_from_void [$v get_element $i]]
|
|
+ set parent [$q get_parent_name $::ApolTop::qpolicy]
|
|
+ if {$parent != ""} {
|
|
+ set policy_stats(rolebounds) [expr $policy_stats(rolebounds) + 1]
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+
|
|
+ # Determine number of typebounds statements
|
|
+ set q [new_apol_typebounds_query_t]
|
|
+ set v [$q run $::ApolTop::policy]
|
|
+ $q -acquire
|
|
+ $q -delete
|
|
+ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} {
|
|
+ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} {
|
|
+ set q [qpol_typebounds_from_void [$v get_element $i]]
|
|
+ set parent [$q get_parent_name $::ApolTop::qpolicy]
|
|
+ if {$parent != ""} {
|
|
+ set policy_stats(typebounds) [expr $policy_stats(typebounds) + 1]
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+
|
|
+ # Determine number of default_object statements
|
|
+ set policy_stats(default_user) 0
|
|
+ set policy_stats(default_role) 0
|
|
+ set policy_stats(default_type) 0
|
|
+ set policy_stats(default_range) 0
|
|
+
|
|
+ if {[is_capable "default_objects"]} {
|
|
+ set q [new_apol_default_object_query_t]
|
|
+ set v [$q run $::ApolTop::policy]
|
|
+ $q -acquire
|
|
+ $q -delete
|
|
+ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} {
|
|
+ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} {
|
|
+ set q [qpol_default_object_from_void [$v get_element $i]]
|
|
+ set default [$q get_user_default $::ApolTop::qpolicy]
|
|
+ if {$default != ""} {
|
|
+ set policy_stats(default_user) [expr $policy_stats(default_user) + 1]
|
|
+ }
|
|
+ set default [$q get_role_default $::ApolTop::qpolicy]
|
|
+ if {$default != ""} {
|
|
+ set policy_stats(default_role) [expr $policy_stats(default_role) + 1]
|
|
+ }
|
|
+ if {[is_capable "default_type"]} {
|
|
+ set default [$q get_type_default $::ApolTop::qpolicy]
|
|
+ if {$default != ""} {
|
|
+ set policy_stats(default_type) [expr $policy_stats(default_type) + 1]
|
|
+ }
|
|
+ }
|
|
+ set default [$q get_range_default $::ApolTop::qpolicy]
|
|
+ if {$default != ""} {
|
|
+ set policy_stats(default_range) [expr $policy_stats(default_range) + 1]
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+
|
|
set policy_stats_summary ""
|
|
append policy_stats_summary "Classes: $policy_stats(classes) "
|
|
append policy_stats_summary "Perms: $policy_stats(perms) "
|
|
@@ -551,6 +697,7 @@ proc ApolTop::_user_close_policy {} {
|
|
|
|
proc ApolTop::_close_policy {} {
|
|
variable policy_version_string {}
|
|
+ variable policy_handle_unknown {}
|
|
variable policy_stats_summary {}
|
|
|
|
wm title . "SELinux Policy Analysis"
|
|
@@ -579,7 +726,9 @@ proc ApolTop::_close_policy {} {
|
|
|
|
_toplevel_enable_tabs tag_conditionals normal
|
|
_toplevel_enable_tabs tag_mls normal
|
|
- _toplevel_enable_tabs tag_source normal
|
|
+ _toplevel_enable_tabs tag_polcap normal
|
|
+ _toplevel_enable_tabs tag_bounds normal
|
|
+ _toplevel_enable_tabs tag_default_objects normal
|
|
}
|
|
|
|
proc ApolTop::_exit {} {
|
|
@@ -678,6 +827,7 @@ proc ApolTop::_save_query_file {} {
|
|
|
|
proc ApolTop::_show_policy_summary {} {
|
|
variable policy_version_string
|
|
+ variable policy_handle_unknown_string
|
|
variable policy_stats
|
|
|
|
if {![regexp -- {^([^\(]+) \(([^,]+), ([^\)]+)} $ApolTop::policy_version_string -> policy_version policy_type policy_mls_type]} {
|
|
@@ -696,8 +846,8 @@ proc ApolTop::_show_policy_summary {} {
|
|
|
|
label $w.title -text "Policy Summary Statistics"
|
|
set f [frame $w.summary]
|
|
- label $f.l -justify left -text " Policy Version:\n Policy Type:\n MLS Status:"
|
|
- label $f.r -justify left -text "$policy_version\n$policy_type\n$policy_mls_type"
|
|
+ label $f.l -justify left -text " Policy Version:\n Policy Type:\n MLS Status:\n Handle unknown Class/Perms:"
|
|
+ label $f.r -justify left -text "$policy_version\n$policy_type\n$policy_mls_type\n$policy_handle_unknown_string"
|
|
grid $f.l $f.r -sticky w
|
|
grid configure $f.r -padx 30
|
|
grid $w.title - -sticky w -padx 8
|
|
@@ -714,6 +864,8 @@ proc ApolTop::_show_policy_summary {} {
|
|
}
|
|
"Number of Types and Attributes" {
|
|
"Types" types
|
|
+ " that includes permissive types" permissive
|
|
+ " that includes bounded types" typebounds
|
|
"Attributes" attribs
|
|
}
|
|
"Number of Type Enforcement Rules" {
|
|
@@ -722,16 +874,24 @@ proc ApolTop::_show_policy_summary {} {
|
|
"dontaudits" avrule_dontaudit
|
|
"neverallows" avrule_neverallow
|
|
"type_transitions" type_trans
|
|
+ "type_transitions - filename" filename_trans
|
|
"type_members" type_member
|
|
"type_changes" type_change
|
|
}
|
|
"Number of Roles" {
|
|
"Roles" roles
|
|
+ " that includes bounded roles" rolebounds
|
|
}
|
|
"Number of RBAC Rules" {
|
|
"allows" role_allow
|
|
"role_transitions" role_trans
|
|
}
|
|
+ "Number of Default Object Rules" {
|
|
+ "default_user" default_user
|
|
+ "default_role" default_role
|
|
+ "default_type" default_type
|
|
+ "default_range" default_range
|
|
+ }
|
|
} {
|
|
set ltext "$title:"
|
|
set rtext {}
|
|
@@ -754,16 +914,23 @@ proc ApolTop::_show_policy_summary {} {
|
|
foreach {title block} {
|
|
"Number of Users" {
|
|
"Users" users
|
|
+ " that includes bounded users" userbounds
|
|
}
|
|
"Number of Booleans" {
|
|
"Booleans" bools
|
|
}
|
|
+ "Number of Constraints" {
|
|
+ "constrain" constraints
|
|
+ "validatetrans" validatetrans
|
|
+ }
|
|
"Number of MLS Components" {
|
|
"Sensitivities" sens
|
|
"Categories" cats
|
|
}
|
|
"Number of MLS Rules" {
|
|
"range_transitions" range_trans
|
|
+ "mlsconstrain" mlsconstraints
|
|
+ "mlsvalidatetrans" mlsvalidatetrans
|
|
}
|
|
"Number of Initial SIDs" {
|
|
"SIDs" sids
|
|
@@ -775,6 +942,9 @@ proc ApolTop::_show_policy_summary {} {
|
|
"GenFSCons" genfscons
|
|
"fs_use statements" fs_uses
|
|
}
|
|
+ "Number of Policy Capabilities" {
|
|
+ "polcap" polcap
|
|
+ }
|
|
} {
|
|
set ltext "$title:"
|
|
set rtext {}
|
|
@@ -1067,6 +1237,41 @@ proc ApolTop::_write_configuration_file {} {
|
|
close $f
|
|
}
|
|
|
|
+# This will work out how many mlsconstrain and mlsvalidatetrans rules
|
|
+# there are as the get_iter numbers are overall count.
|
|
+proc ApolTop::_get_mls_count {command} {
|
|
+
|
|
+ set q [$command]
|
|
+ # This reads in the constraint info
|
|
+ set v [$q run $::ApolTop::policy]
|
|
+ $q -acquire
|
|
+ $q -delete
|
|
+
|
|
+ set mls_count 0
|
|
+
|
|
+ # This loop will process each constraint in the policy
|
|
+ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} {
|
|
+ set q [qpol_constraint_from_void [$v get_element $i]]
|
|
+
|
|
+ # Find if this is an mls rule or not
|
|
+ set x [$q get_expr_iter $::ApolTop::qpolicy]
|
|
+ while {![$x end]} {
|
|
+ foreach t [iter_to_list $x] {
|
|
+ set t [qpol_constraint_expr_node_from_void $t]
|
|
+ # Get Symbol type
|
|
+ set sym_type [$t get_sym_type $::ApolTop::qpolicy]
|
|
+ if { $sym_type >= $::QPOL_CEXPR_SYM_L1L2 } {
|
|
+ set mls_count [expr $mls_count + 1]
|
|
+ break
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+ $x -acquire
|
|
+ $x -delete
|
|
+ }
|
|
+ return $mls_count
|
|
+}
|
|
+
|
|
#######################################################
|
|
# Start script here
|
|
|
|
diff --git a/apol/types_tab.tcl b/apol/types_tab.tcl
|
|
index 26def34..fed82fa 100644
|
|
--- a/apol/types_tab.tcl
|
|
+++ b/apol/types_tab.tcl
|
|
@@ -60,7 +60,8 @@ proc Apol_Types::create {tab_name nb} {
|
|
set ofm [$obox getframe]
|
|
set fm_types_select [frame $ofm.to]
|
|
set fm_attribs_select [frame $ofm.ao]
|
|
- pack $fm_types_select $fm_attribs_select -side left -padx 4 -pady 2 -anchor nw
|
|
+ set fm_permissive_bounds [frame $ofm.po]
|
|
+ pack $fm_types_select $fm_attribs_select $fm_permissive_bounds -side left -padx 4 -pady 2 -anchor nw
|
|
|
|
set types_select [checkbutton $fm_types_select.type -text "Show types" -variable Apol_Types::opts(types)]
|
|
set typeattribs [checkbutton $fm_types_select.typeattribs -text "Include attributes" \
|
|
@@ -81,6 +82,18 @@ proc Apol_Types::create {tab_name nb} {
|
|
trace add variable Apol_Types::opts(attribs) write \
|
|
[list Apol_Types::_toggleCheckbuttons [list $a_typeattribs $a_types]]
|
|
|
|
+ set permissive_select [checkbutton $fm_permissive_bounds.type -text "Show permissive types" \
|
|
+ -variable Apol_Types::opts(permissive)]
|
|
+ pack $permissive_select -anchor w
|
|
+ trace add variable Apol_Types::opts(permissive:show_names) write \
|
|
+ [list Apol_Types::_toggleCheckbuttons $permissive_select]
|
|
+
|
|
+ set typebounds_select [checkbutton $fm_permissive_bounds.bounds -text "Show typebounds rules" \
|
|
+ -variable Apol_Types::opts(typebounds)]
|
|
+ pack $typebounds_select -anchor w
|
|
+ trace add variable Apol_Types::opts(typebounds:show_names) write \
|
|
+ [list Apol_Types::_toggleCheckbuttons $typebounds_select]
|
|
+
|
|
set widgets(regexp) [Apol_Widget::makeRegexpEntry $ofm.regexpf]
|
|
Apol_Widget::setRegexpEntryState $widgets(regexp) 1
|
|
|
|
@@ -96,6 +109,11 @@ proc Apol_Types::create {tab_name nb} {
|
|
}
|
|
|
|
proc Apol_Types::open {ppath} {
|
|
+ variable opts
|
|
+
|
|
+ set opts(permissive:show_names) [ApolTop::is_capable "permissive"]
|
|
+ set opts(typebounds:show_names) [ApolTop::is_capable "bounds"]
|
|
+
|
|
set q [new_apol_type_query_t]
|
|
set v [$q run $::ApolTop::policy]
|
|
$q -acquire
|
|
@@ -180,12 +198,15 @@ proc Apol_Types::_initializeVars {} {
|
|
array set opts {
|
|
types 1 types:show_attribs 1 types:show_aliases 1
|
|
attribs 0 attribs:show_types 1 attribs:show_attribs 1
|
|
+ permissive 1 permissive:show_names 0
|
|
+ typebounds 1 typebounds:show_names 0
|
|
}
|
|
}
|
|
|
|
proc Apol_Types::_toggleCheckbuttons {w name1 name2 op} {
|
|
variable opts
|
|
variable widgets
|
|
+
|
|
if {$opts($name2)} {
|
|
foreach x $w {
|
|
$x configure -state normal
|
|
@@ -195,7 +216,7 @@ proc Apol_Types::_toggleCheckbuttons {w name1 name2 op} {
|
|
$x configure -state disabled
|
|
}
|
|
}
|
|
- if {!$opts(types) && !$opts(attribs)} {
|
|
+ if {!$opts(types) && !$opts(attribs) && !$opts(typebounds)} {
|
|
Apol_Widget::setRegexpEntryState $widgets(regexp) 0
|
|
} else {
|
|
Apol_Widget::setRegexpEntryState $widgets(regexp) 1
|
|
@@ -210,7 +231,6 @@ proc Apol_Types::_popupTypeInfo {which ta} {
|
|
set entry_vector {}
|
|
set index_file_loaded 0
|
|
}
|
|
-
|
|
if {$which == "type"} {
|
|
set info_ta [_renderType $ta 1 1]
|
|
} else {
|
|
@@ -283,7 +303,7 @@ proc Apol_Types::_searchTypes {} {
|
|
tk_messageBox -icon error -type ok -title "Error" -message "No current policy file is opened."
|
|
return
|
|
}
|
|
- if {$opts(types) == 0 && $opts(attribs) == 0} {
|
|
+ if {$opts(types) == 0 && $opts(attribs) == 0 && $opts(permissive) == 0 && $opts(typebounds) == 0} {
|
|
tk_messageBox -icon error -type ok -title "Error" -message "No search options provided."
|
|
return
|
|
}
|
|
@@ -332,6 +352,52 @@ proc Apol_Types::_searchTypes {} {
|
|
append results "[_renderAttrib $a $opts(attribs:show_types) $opts(attribs:show_attribs)]\n"
|
|
}
|
|
}
|
|
+ if {$opts(permissive) && [ApolTop::is_capable "permissive"]} {
|
|
+ set q [new_apol_permissive_query_t]
|
|
+ $q set_name $::ApolTop::policy $regexp
|
|
+ $q set_regex $::ApolTop::policy $use_regexp
|
|
+ set v [$q run $::ApolTop::policy]
|
|
+ $q -acquire
|
|
+ $q -delete
|
|
+ set permissive_data [type_vector_to_list $v]
|
|
+ $v -acquire
|
|
+ $v -delete
|
|
+ if {$opts(types) || $opts(attribs)} {
|
|
+ append results "\n\n"
|
|
+ }
|
|
+ append results "PERMISSIVE TYPES ([llength $permissive_data]):\n\n"
|
|
+ foreach p [lsort $permissive_data] {
|
|
+ append results "[_renderType $p 0 0]\n"
|
|
+ }
|
|
+ }
|
|
+ if {$opts(typebounds) && [ApolTop::is_capable "bounds"]} {
|
|
+ set bounds {}
|
|
+ set counter 0
|
|
+
|
|
+ set q [new_apol_typebounds_query_t]
|
|
+ $q set_name $::ApolTop::policy $regexp
|
|
+ $q set_regex $::ApolTop::policy $use_regexp
|
|
+
|
|
+ set v [$q run $::ApolTop::policy]
|
|
+ $q -acquire
|
|
+ $q -delete
|
|
+ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} {
|
|
+ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} {
|
|
+ set q [qpol_typebounds_from_void [$v get_element $i]]
|
|
+ set parent [$q get_parent_name $::ApolTop::qpolicy]
|
|
+ if {$parent != ""} {
|
|
+ append bounds "typebounds $parent "
|
|
+ append bounds "[$q get_child_name $::ApolTop::qpolicy];\n"
|
|
+ set counter [expr $counter + 1]
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+ if {$opts(types) || $opts(attribs) || $opts(permissive)} {
|
|
+ append results "\n\n"
|
|
+ }
|
|
+ append results "BOUNDED TYPES ($counter):\n\n"
|
|
+ append results "$bounds\n"
|
|
+ }
|
|
Apol_Widget::appendSearchResultText $widgets(results) $results
|
|
}
|
|
|
|
@@ -369,6 +435,9 @@ proc Apol_Types::_renderType {type_name show_attribs show_aliases} {
|
|
}
|
|
|
|
proc Apol_Types::_renderAttrib {attrib_name show_types show_attribs} {
|
|
+
|
|
+ set permissive {}
|
|
+
|
|
set qpol_type_datum [new_qpol_type_t $::ApolTop::qpolicy $attrib_name]
|
|
|
|
set text "$attrib_name"
|
|
diff --git a/configure.ac b/configure.ac
|
|
index 577ce48..ae20da7 100644
|
|
--- a/configure.ac
|
|
+++ b/configure.ac
|
|
@@ -25,9 +25,9 @@ libseaudit_version=4.5
|
|
setoolsdir='${prefix}/share/setools-3.3'
|
|
javadir='${prefix}/share/java'
|
|
|
|
-version_min_sepol_major=1
|
|
-version_min_sepol_minor=12
|
|
-version_min_sepol_patch=27
|
|
+version_min_sepol_major=2
|
|
+version_min_sepol_minor=4
|
|
+version_min_sepol_patch=0
|
|
|
|
dnl *** end of tunable values ***
|
|
|
|
@@ -548,6 +548,36 @@ int main () {
|
|
fi
|
|
fi
|
|
|
|
+dnl check for constraint names, added in libsepol version ??
|
|
+AC_CHECK_DECL([POLICYDB_VERSION_CONSTRAINT_NAMES],
|
|
+ sepol_new_constraint_names="yes",
|
|
+ sepol_new_constraint_names="no",
|
|
+ [#include <sepol/policydb/policydb.h>])
|
|
+
|
|
+dnl check for default object type, added in libsepol version ??
|
|
+AC_CHECK_DECL([POLICYDB_VERSION_DEFAULT_TYPE],
|
|
+ sepol_new_default_type="yes",
|
|
+ sepol_new_default_type="no",
|
|
+ [#include <sepol/policydb/policydb.h>])
|
|
+
|
|
+dnl check for default object user/role/range added in libsepol version ??
|
|
+AC_CHECK_DECL([POLICYDB_VERSION_NEW_OBJECT_DEFAULTS],
|
|
+ sepol_new_object_defaults="yes",
|
|
+ sepol_new_object_defaults="no",
|
|
+ [#include <sepol/policydb/policydb.h>])
|
|
+
|
|
+dnl check for filename trans rule, added in libsepol version ??
|
|
+AC_CHECK_DECL([POLICYDB_VERSION_FILENAME_TRANS],
|
|
+ sepol_new_filename_trans="yes",
|
|
+ sepol_new_filename_trans="no",
|
|
+ [#include <sepol/policydb/policydb.h>])
|
|
+
|
|
+dnl check for user/role/type bounds, added in libsepol version ??
|
|
+AC_CHECK_DECL([POLICYDB_VERSION_BOUNDARY],
|
|
+ sepol_new_bounds="yes",
|
|
+ sepol_new_bounds="no",
|
|
+ [#include <sepol/policydb/policydb.h>])
|
|
+
|
|
dnl check for permissive types, added in libsepol version 2.0.26
|
|
AC_CHECK_DECL([TYPE_FLAGS_PERMISSIVE],
|
|
sepol_new_permissive_types="yes",
|
|
@@ -855,6 +885,21 @@ fi
|
|
if test ${sepol_new_permissive_types} == "yes"; then
|
|
AC_DEFINE(HAVE_SEPOL_PERMISSIVE_TYPES, 1, [if types can be marked as permissive])
|
|
fi
|
|
+if test ${sepol_new_constraint_names} == "yes"; then
|
|
+ AC_DEFINE(HAVE_SEPOL_CONSTRAINT_NAMES, 1, [if source policy types/attributes are present])
|
|
+fi
|
|
+if test ${sepol_new_default_type} == "yes"; then
|
|
+ AC_DEFINE(HAVE_SEPOL_DEFAULT_TYPE, 1, [if default_user rule present])
|
|
+fi
|
|
+if test ${sepol_new_object_defaults} == "yes"; then
|
|
+ AC_DEFINE(HAVE_SEPOL_NEW_OBJECT_DEFAULTS, 1, [if default_user/role/range rules are present])
|
|
+fi
|
|
+if test ${sepol_new_filename_trans} == "yes"; then
|
|
+ AC_DEFINE(HAVE_SEPOL_FILENAME_TRANS, 1, [if the filename transition rule present])
|
|
+fi
|
|
+if test ${sepol_new_bounds} == "yes"; then
|
|
+ AC_DEFINE(HAVE_SEPOL_BOUNDARY, 1, [if bounds rules are present])
|
|
+fi
|
|
if test ${sepol_new_user_role_mapping} == "yes"; then
|
|
AC_DEFINE(HAVE_SEPOL_USER_ROLE_MAPPING, 1, [if users and roles are mapped during policy expansion])
|
|
fi
|
|
diff --git a/libapol/include/apol/Makefile.am b/libapol/include/apol/Makefile.am
|
|
index e398ff2..dd94452 100644
|
|
--- a/libapol/include/apol/Makefile.am
|
|
+++ b/libapol/include/apol/Makefile.am
|
|
@@ -3,11 +3,13 @@ apoldir = $(includedir)/apol
|
|
apol_HEADERS = \
|
|
avrule-query.h \
|
|
bool-query.h \
|
|
+ bounds-query.h \
|
|
bst.h \
|
|
class-perm-query.h \
|
|
condrule-query.h \
|
|
constraint-query.h \
|
|
context-query.h \
|
|
+ default-object-query.h \
|
|
domain-trans-analysis.h \
|
|
fscon-query.h \
|
|
infoflow-analysis.h \
|
|
diff --git a/libapol/include/apol/bounds-query.h b/libapol/include/apol/bounds-query.h
|
|
new file mode 100644
|
|
index 0000000..5559ab4
|
|
--- /dev/null
|
|
+++ b/libapol/include/apol/bounds-query.h
|
|
@@ -0,0 +1,177 @@
|
|
+/**
|
|
+ * @file
|
|
+ *
|
|
+ * Routines to query policy capabilities in policy.
|
|
+ *
|
|
+ * @author Richard Haines richard_c_haines@btinternet.com
|
|
+ *
|
|
+ * Copyright (C) 2006-2007 Tresys Technology, LLC
|
|
+ *
|
|
+ * This library is free software; you can redistribute it and/or
|
|
+ * modify it under the terms of the GNU Lesser General Public
|
|
+ * License as published by the Free Software Foundation; either
|
|
+ * version 2.1 of the License, or (at your option) any later version.
|
|
+ *
|
|
+ * This library is distributed in the hope that it will be useful,
|
|
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
+ * Lesser General Public License for more details.
|
|
+ *
|
|
+ * You should have received a copy of the GNU Lesser General Public
|
|
+ * License along with this library; if not, write to the Free Software
|
|
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
|
+ */
|
|
+
|
|
+#ifndef APOL_BOUNDS_QUERY_H
|
|
+#define APOL_BOUNDS_QUERY_H
|
|
+
|
|
+#ifdef __cplusplus
|
|
+extern "C"
|
|
+{
|
|
+#endif
|
|
+
|
|
+#include "policy.h"
|
|
+#include "vector.h"
|
|
+#include <qpol/policy.h>
|
|
+
|
|
+ /************ TYPEBOUNDS *************/
|
|
+ typedef struct apol_typebounds_query apol_typebounds_query_t;
|
|
+/**
|
|
+ * Execute a query against all policy capabilities within the policy.
|
|
+ *
|
|
+ * @param p Policy within which to look up policy capabilities.
|
|
+ * @param t Structure containing parameters for query. If this is
|
|
+ * NULL then return all policy capabilities.
|
|
+ * @param v Reference to a vector of qpol_typebounds_t. The vector will be
|
|
+ * allocated by this function. The caller must call
|
|
+ * apol_vector_destroy() afterwards. This will be set to NULL upon no
|
|
+ * results or upon error.
|
|
+ *
|
|
+ * @return 0 on success (including none found), negative on error.
|
|
+ */
|
|
+ extern int apol_typebounds_get_by_query(const apol_policy_t * p, apol_typebounds_query_t * t, apol_vector_t ** v);
|
|
+
|
|
+/**
|
|
+ * Allocate and return a new typebounds query structure. All fields are
|
|
+ * initialized, such that running this blank query results in
|
|
+ * returning all policy capabilities within the policy. The caller must call
|
|
+ * apol_typebounds_query_destroy() upon the return value afterwards.
|
|
+ *
|
|
+ * @return An initialized typebounds query structure, or NULL upon error.
|
|
+ */
|
|
+ extern apol_typebounds_query_t *apol_typebounds_query_create(void);
|
|
+
|
|
+/**
|
|
+ * Deallocate all memory associated with the referenced typebounds query,
|
|
+ * and then set it to NULL. This function does nothing if the query
|
|
+ * is already NULL.
|
|
+ *
|
|
+ * @param t Reference to a typebounds query structure to destroy.
|
|
+ */
|
|
+ extern void apol_typebounds_query_destroy(apol_typebounds_query_t ** t);
|
|
+
|
|
+/**
|
|
+ * Set a typebounds query to return only policy capabilities that match this name. This function
|
|
+ * duplicates the incoming name.
|
|
+ *
|
|
+ * @param p Policy handler, to report errors.
|
|
+ * @param t typebounds query to set.
|
|
+ * @param name Limit query to only policy capabilities with this name, or
|
|
+ * NULL to unset this field.
|
|
+ *
|
|
+ * @return 0 on success, negative on error.
|
|
+ */
|
|
+ extern int apol_typebounds_query_set_name(const apol_policy_t * p, apol_typebounds_query_t * t, const char *name);
|
|
+
|
|
+/**
|
|
+ * Set a typebounds query to use regular expression searching for all of its
|
|
+ * fields. Strings will be treated as regexes instead of literals.
|
|
+ * Matching will occur against the policy capability name.
|
|
+ *
|
|
+ * @param p Policy handler, to report errors.
|
|
+ * @param t typebounds query to set.
|
|
+ * @param is_regex Non-zero to enable regex searching, 0 to disable.
|
|
+ *
|
|
+ * @return Always 0.
|
|
+ */
|
|
+ extern int apol_typebounds_query_set_regex(const apol_policy_t * p, apol_typebounds_query_t * t, int is_regex);
|
|
+
|
|
+
|
|
+ /************ ROLEBOUNDS *************/
|
|
+ typedef struct apol_rolebounds_query apol_rolebounds_query_t;
|
|
+/**
|
|
+ * Execute a query against all policy capabilities within the policy.
|
|
+ *
|
|
+ * @param p Policy within which to look up policy capabilities.
|
|
+ * @param t Structure containing parameters for query. If this is
|
|
+ * NULL then return all policy capabilities.
|
|
+ * @param v Reference to a vector of qpol_rolebounds_t. The vector will be
|
|
+ * allocated by this function. The caller must call
|
|
+ * apol_vector_destroy() afterwards. This will be set to NULL upon no
|
|
+ * results or upon error.
|
|
+ *
|
|
+ * @return 0 on success (including none found), negative on error.
|
|
+ */
|
|
+ extern int apol_rolebounds_get_by_query(const apol_policy_t * p, apol_rolebounds_query_t * t, apol_vector_t ** v);
|
|
+
|
|
+/**
|
|
+ * Allocate and return a new rolebounds query structure. All fields are
|
|
+ * initialized, such that running this blank query results in
|
|
+ * returning all policy capabilities within the policy. The caller must call
|
|
+ * apol_rolebounds_query_destroy() upon the return value afterwards.
|
|
+ *
|
|
+ * @return An initialized rolebounds query structure, or NULL upon error.
|
|
+ */
|
|
+ extern apol_rolebounds_query_t *apol_rolebounds_query_create(void);
|
|
+
|
|
+/**
|
|
+ * Deallocate all memory associated with the referenced rolebounds query,
|
|
+ * and then set it to NULL. This function does nothing if the query
|
|
+ * is already NULL.
|
|
+ *
|
|
+ * @param t Reference to a rolebounds query structure to destroy.
|
|
+ */
|
|
+ extern void apol_rolebounds_query_destroy(apol_rolebounds_query_t ** t);
|
|
+
|
|
+ /************ USERBOUNDS *************/
|
|
+ typedef struct apol_userbounds_query apol_userbounds_query_t;
|
|
+/**
|
|
+ * Execute a query against all policy capabilities within the policy.
|
|
+ *
|
|
+ * @param p Policy within which to look up policy capabilities.
|
|
+ * @param t Structure containing parameters for query. If this is
|
|
+ * NULL then return all policy capabilities.
|
|
+ * @param v Reference to a vector of qpol_userbounds_t. The vector will be
|
|
+ * allocated by this function. The caller must call
|
|
+ * apol_vector_destroy() afterwards. This will be set to NULL upon no
|
|
+ * results or upon error.
|
|
+ *
|
|
+ * @return 0 on success (including none found), negative on error.
|
|
+ */
|
|
+ extern int apol_userbounds_get_by_query(const apol_policy_t * p, apol_userbounds_query_t * t, apol_vector_t ** v);
|
|
+
|
|
+/**
|
|
+ * Allocate and return a new userbounds query structure. All fields are
|
|
+ * initialized, such that running this blank query results in
|
|
+ * returning all policy capabilities within the policy. The caller must call
|
|
+ * apol_userbounds_query_destroy() upon the return value afterwards.
|
|
+ *
|
|
+ * @return An initialized userbounds query structure, or NULL upon error.
|
|
+ */
|
|
+ extern apol_userbounds_query_t *apol_userbounds_query_create(void);
|
|
+
|
|
+/**
|
|
+ * Deallocate all memory associated with the referenced userbounds query,
|
|
+ * and then set it to NULL. This function does nothing if the query
|
|
+ * is already NULL.
|
|
+ *
|
|
+ * @param t Reference to a userbounds query structure to destroy.
|
|
+ */
|
|
+ extern void apol_userbounds_query_destroy(apol_userbounds_query_t ** t);
|
|
+
|
|
+
|
|
+#ifdef __cplusplus
|
|
+}
|
|
+#endif
|
|
+
|
|
+#endif
|
|
diff --git a/libapol/include/apol/default-object-query.h b/libapol/include/apol/default-object-query.h
|
|
new file mode 100644
|
|
index 0000000..d30e002
|
|
--- /dev/null
|
|
+++ b/libapol/include/apol/default-object-query.h
|
|
@@ -0,0 +1,78 @@
|
|
+/**
|
|
+ * @file
|
|
+ *
|
|
+ * Routines to query default objects in policy.
|
|
+ *
|
|
+ * @author Richard Haines richard_c_haines@btinternet.com
|
|
+ *
|
|
+ * Copyright (C) 2006-2007 Tresys Technology, LLC
|
|
+ *
|
|
+ * This library is free software; you can redistribute it and/or
|
|
+ * modify it under the terms of the GNU Lesser General Public
|
|
+ * License as published by the Free Software Foundation; either
|
|
+ * version 2.1 of the License, or (at your option) any later version.
|
|
+ *
|
|
+ * This library is distributed in the hope that it will be useful,
|
|
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
+ * Lesser General Public License for more details.
|
|
+ *
|
|
+ * You should have received a copy of the GNU Lesser General Public
|
|
+ * License along with this library; if not, write to the Free Software
|
|
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
|
+ */
|
|
+
|
|
+#ifndef APOL_DEFAULT_OBJECT_QUERY_H
|
|
+#define APOL_DEFAULT_OBJECT_QUERY_H
|
|
+
|
|
+#ifdef __cplusplus
|
|
+extern "C"
|
|
+{
|
|
+#endif
|
|
+
|
|
+#include "policy.h"
|
|
+#include "vector.h"
|
|
+#include <qpol/policy.h>
|
|
+
|
|
+ typedef struct apol_default_object_query apol_default_object_query_t;
|
|
+/**
|
|
+ * Execute a query against all policy capabilities within the policy.
|
|
+ *
|
|
+ * @param p Policy within which to look up policy capabilities.
|
|
+ * @param t Structure containing parameters for query. If this is
|
|
+ * NULL then return all policy capabilities.
|
|
+ * @param v Reference to a vector of qpol_default_object_t. The vector will be
|
|
+ * allocated by this function. The caller must call
|
|
+ * apol_vector_destroy() afterwards. This will be set to NULL upon no
|
|
+ * results or upon error.
|
|
+ *
|
|
+ * @return 0 on success (including none found), negative on error.
|
|
+ */
|
|
+ extern int apol_default_object_get_by_query(const apol_policy_t * p, apol_default_object_query_t * t, apol_vector_t ** v);
|
|
+
|
|
+/**
|
|
+ * Allocate and return a new default_object query structure. All fields are
|
|
+ * initialized, such that running this blank query results in
|
|
+ * returning all policy capabilities within the policy. The caller must call
|
|
+ * apol_default_object_query_destroy() upon the return value afterwards.
|
|
+ *
|
|
+ * @return An initialized default_object query structure, or NULL upon error.
|
|
+ */
|
|
+ extern apol_default_object_query_t *apol_default_object_query_create(void);
|
|
+
|
|
+/**
|
|
+ * Deallocate all memory associated with the referenced default_object query,
|
|
+ * and then set it to NULL. This function does nothing if the query
|
|
+ * is already NULL.
|
|
+ *
|
|
+ * @param t Reference to a default_object query structure to destroy.
|
|
+ */
|
|
+ extern void apol_default_object_query_destroy(apol_default_object_query_t ** t);
|
|
+
|
|
+
|
|
+
|
|
+#ifdef __cplusplus
|
|
+}
|
|
+#endif
|
|
+
|
|
+#endif
|
|
diff --git a/libapol/include/apol/ftrule-query.h b/libapol/include/apol/ftrule-query.h
|
|
index aee3ad0..276aab9 100644
|
|
--- a/libapol/include/apol/ftrule-query.h
|
|
+++ b/libapol/include/apol/ftrule-query.h
|
|
@@ -130,7 +130,19 @@ extern "C"
|
|
*
|
|
* @return 0 on success, negative on error.
|
|
*/
|
|
- extern int apol_filename_trans_query_set_default(const apol_policy_t * p, apol_filename_trans_query_t * r, const char *filename);
|
|
+ extern int apol_filename_trans_query_set_default(const apol_policy_t * p, apol_filename_trans_query_t * r, const char *type);
|
|
+
|
|
+/**
|
|
+ * Set a filename trans query to the filename.
|
|
+ *
|
|
+ * @param p Policy handler, to report errors.
|
|
+ * @param r FT rule query to set.
|
|
+ * @param is_any Non-zero to use source symbol for source or default
|
|
+ * field, 0 to keep source as only source.
|
|
+ *
|
|
+ * @return Always 0.
|
|
+ */
|
|
+ extern int apol_filename_trans_query_set_name(const apol_policy_t * p, apol_filename_trans_query_t * t, const char *filename);
|
|
|
|
/**
|
|
* Set at filename_trans query to return rules with this object (non-common)
|
|
diff --git a/libapol/include/apol/policy-query.h b/libapol/include/apol/policy-query.h
|
|
index 665e4cb..f1a5c29 100644
|
|
--- a/libapol/include/apol/policy-query.h
|
|
+++ b/libapol/include/apol/policy-query.h
|
|
@@ -66,6 +66,8 @@ extern "C"
|
|
#include "context-query.h"
|
|
#include "permissive-query.h"
|
|
#include "polcap-query.h"
|
|
+#include "bounds-query.h"
|
|
+#include "default-object-query.h"
|
|
|
|
#include "avrule-query.h"
|
|
#include "terule-query.h"
|
|
diff --git a/libapol/include/apol/policy.h b/libapol/include/apol/policy.h
|
|
index 7b26af8..143153d 100644
|
|
--- a/libapol/include/apol/policy.h
|
|
+++ b/libapol/include/apol/policy.h
|
|
@@ -91,6 +91,15 @@ extern "C"
|
|
extern int apol_policy_get_policy_type(const apol_policy_t * policy);
|
|
|
|
/**
|
|
+ * Given a policy, return the handle_unknown flag.
|
|
+ *
|
|
+ * @param policy Policy to check.
|
|
+ *
|
|
+ * @return The policy handle_unknown flag, or < 0 upon error.
|
|
+ */
|
|
+ extern int apol_policy_get_policy_handle_unknown(const apol_policy_t * policy);
|
|
+
|
|
+/**
|
|
* Given a policy, return a pointer to the underlying qpol_policy.
|
|
* This is needed, for example, to access details of particulary qpol
|
|
* components.
|
|
diff --git a/libapol/src/Makefile.am b/libapol/src/Makefile.am
|
|
index baaa4f6..22c80cf 100644
|
|
--- a/libapol/src/Makefile.am
|
|
+++ b/libapol/src/Makefile.am
|
|
@@ -14,11 +14,13 @@ AM_LDFLAGS = @DEBUGLDFLAGS@ @WARNLDFLAGS@ @PROFILELDFLAGS@
|
|
libapol_a_SOURCES = \
|
|
avrule-query.c \
|
|
bool-query.c \
|
|
+ bounds-query.c \
|
|
bst.c \
|
|
class-perm-query.c \
|
|
condrule-query.c \
|
|
constraint-query.c \
|
|
context-query.c \
|
|
+ default-object-query.c \
|
|
domain-trans-analysis.c domain-trans-analysis-internal.h \
|
|
fscon-query.c \
|
|
infoflow-analysis.c infoflow-analysis-internal.h \
|
|
diff --git a/libapol/src/bounds-query.c b/libapol/src/bounds-query.c
|
|
new file mode 100644
|
|
index 0000000..06662f4
|
|
--- /dev/null
|
|
+++ b/libapol/src/bounds-query.c
|
|
@@ -0,0 +1,216 @@
|
|
+/**
|
|
+ * @file
|
|
+ *
|
|
+ * Provides a way for setools to make queries about policy capabilities
|
|
+ * within a policy. The caller obtains a query object,
|
|
+ * fills in its parameters, and then runs the query; it obtains a
|
|
+ * vector of results. Searches are conjunctive -- all fields of the
|
|
+ * search query must match for a datum to be added to the results
|
|
+ * query.
|
|
+ *
|
|
+ * @author Richard Haines richard_c_haines@btinternet.com
|
|
+ *
|
|
+ * Copyright (C) 2006-2007 Tresys Technology, LLC
|
|
+ *
|
|
+ * This library is free software; you can redistribute it and/or
|
|
+ * modify it under the terms of the GNU Lesser General Public
|
|
+ * License as published by the Free Software Foundation; either
|
|
+ * version 2.1 of the License, or (at your option) any later version.
|
|
+ *
|
|
+ * This library is distributed in the hope that it will be useful,
|
|
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
+ * Lesser General Public License for more details.
|
|
+ *
|
|
+ * You should have received a copy of the GNU Lesser General Public
|
|
+ * License along with this library; if not, write to the Free Software
|
|
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
|
+ */
|
|
+
|
|
+#include "policy-query-internal.h"
|
|
+
|
|
+#include <errno.h>
|
|
+
|
|
+ /************ TYPEBOUNDS *************/
|
|
+struct apol_typebounds_query
|
|
+{
|
|
+ char *name;
|
|
+ unsigned int flags;
|
|
+ regex_t *regex;
|
|
+};
|
|
+
|
|
+int apol_typebounds_get_by_query(const apol_policy_t * p, apol_typebounds_query_t * q, apol_vector_t ** v)
|
|
+{
|
|
+ qpol_iterator_t *iter;
|
|
+ int retval = -1;
|
|
+
|
|
+ *v = NULL;
|
|
+ if (qpol_policy_get_typebounds_iter(p->p, &iter) < 0) {
|
|
+ return -1;
|
|
+ }
|
|
+ if ((*v = apol_vector_create(NULL)) == NULL) {
|
|
+ ERR(p, "%s", strerror(errno));
|
|
+ goto cleanup;
|
|
+ }
|
|
+ for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
|
|
+ const qpol_typebounds_t *typebounds;
|
|
+ if (qpol_iterator_get_item(iter, (void **)&typebounds) < 0) {
|
|
+ goto cleanup;
|
|
+ }
|
|
+ if (q != NULL) {
|
|
+ if (apol_compare_typebounds(p, typebounds, q->name,
|
|
+ q->flags, &(q->regex)) == 1) {
|
|
+ if (apol_vector_append(*v, (void *)typebounds)) {
|
|
+ ERR(p, "%s", strerror(ENOMEM));
|
|
+ goto cleanup;
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+
|
|
+ retval = 0;
|
|
+cleanup:
|
|
+ if (retval != 0) {
|
|
+ apol_vector_destroy(v);
|
|
+ }
|
|
+ qpol_iterator_destroy(&iter);
|
|
+ return retval;
|
|
+}
|
|
+
|
|
+apol_typebounds_query_t *apol_typebounds_query_create(void)
|
|
+{
|
|
+ return calloc(1, sizeof(apol_typebounds_query_t));
|
|
+}
|
|
+
|
|
+void apol_typebounds_query_destroy(apol_typebounds_query_t ** q)
|
|
+{
|
|
+ if (*q != NULL) {
|
|
+ free((*q)->name);
|
|
+ apol_regex_destroy(&(*q)->regex);
|
|
+ free(*q);
|
|
+ *q = NULL;
|
|
+ }
|
|
+}
|
|
+
|
|
+int apol_typebounds_query_set_name(const apol_policy_t * p, apol_typebounds_query_t * q, const char *name)
|
|
+{
|
|
+ return apol_query_set(p, &q->name, &q->regex, name);
|
|
+}
|
|
+
|
|
+int apol_typebounds_query_set_regex(const apol_policy_t * p, apol_typebounds_query_t * q, int is_regex)
|
|
+{
|
|
+ return apol_query_set_regex(p, &q->flags, is_regex);
|
|
+}
|
|
+
|
|
+
|
|
+ /************ ROLEBOUNDS *************/
|
|
+struct apol_rolebounds_query
|
|
+{
|
|
+ char *name;
|
|
+};
|
|
+
|
|
+int apol_rolebounds_get_by_query(const apol_policy_t * p, apol_rolebounds_query_t * q, apol_vector_t ** v)
|
|
+{
|
|
+ qpol_iterator_t *iter;
|
|
+ int retval = -1;
|
|
+
|
|
+ *v = NULL;
|
|
+ if (qpol_policy_get_rolebounds_iter(p->p, &iter) < 0) {
|
|
+ return -1;
|
|
+ }
|
|
+ if ((*v = apol_vector_create(NULL)) == NULL) {
|
|
+ ERR(p, "%s", strerror(errno));
|
|
+ goto cleanup;
|
|
+ }
|
|
+ for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
|
|
+ const qpol_rolebounds_t *rolebounds;
|
|
+ if (qpol_iterator_get_item(iter, (void **)&rolebounds) < 0) {
|
|
+ goto cleanup;
|
|
+ }
|
|
+ if (q != NULL) {
|
|
+ if (apol_vector_append(*v, (void *)rolebounds)) {
|
|
+ ERR(p, "%s", strerror(ENOMEM));
|
|
+ goto cleanup;
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+
|
|
+ retval = 0;
|
|
+cleanup:
|
|
+ if (retval != 0) {
|
|
+ apol_vector_destroy(v);
|
|
+ }
|
|
+ qpol_iterator_destroy(&iter);
|
|
+ return retval;
|
|
+}
|
|
+
|
|
+apol_rolebounds_query_t *apol_rolebounds_query_create(void)
|
|
+{
|
|
+ return calloc(1, sizeof(apol_rolebounds_query_t));
|
|
+}
|
|
+
|
|
+void apol_rolebounds_query_destroy(apol_rolebounds_query_t ** q)
|
|
+{
|
|
+ if (*q != NULL) {
|
|
+ free((*q)->name);
|
|
+ free(*q);
|
|
+ *q = NULL;
|
|
+ }
|
|
+}
|
|
+
|
|
+
|
|
+ /************ USERBOUNDS *************/
|
|
+struct apol_userbounds_query
|
|
+{
|
|
+ char *name;
|
|
+};
|
|
+
|
|
+int apol_userbounds_get_by_query(const apol_policy_t * p, apol_userbounds_query_t * q, apol_vector_t ** v)
|
|
+{
|
|
+ qpol_iterator_t *iter;
|
|
+ int retval = -1;
|
|
+
|
|
+ *v = NULL;
|
|
+ if (qpol_policy_get_userbounds_iter(p->p, &iter) < 0) {
|
|
+ return -1;
|
|
+ }
|
|
+ if ((*v = apol_vector_create(NULL)) == NULL) {
|
|
+ ERR(p, "%s", strerror(errno));
|
|
+ goto cleanup;
|
|
+ }
|
|
+ for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
|
|
+ const qpol_userbounds_t *userbounds;
|
|
+ if (qpol_iterator_get_item(iter, (void **)&userbounds) < 0) {
|
|
+ goto cleanup;
|
|
+ }
|
|
+ if (q != NULL) {
|
|
+ if (apol_vector_append(*v, (void *)userbounds)) {
|
|
+ ERR(p, "%s", strerror(ENOMEM));
|
|
+ goto cleanup;
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+
|
|
+ retval = 0;
|
|
+cleanup:
|
|
+ if (retval != 0) {
|
|
+ apol_vector_destroy(v);
|
|
+ }
|
|
+ qpol_iterator_destroy(&iter);
|
|
+ return retval;
|
|
+}
|
|
+
|
|
+apol_userbounds_query_t *apol_userbounds_query_create(void)
|
|
+{
|
|
+ return calloc(1, sizeof(apol_userbounds_query_t));
|
|
+}
|
|
+
|
|
+void apol_userbounds_query_destroy(apol_userbounds_query_t ** q)
|
|
+{
|
|
+ if (*q != NULL) {
|
|
+ free((*q)->name);
|
|
+ free(*q);
|
|
+ *q = NULL;
|
|
+ }
|
|
+}
|
|
+
|
|
diff --git a/libapol/src/default-object-query.c b/libapol/src/default-object-query.c
|
|
new file mode 100644
|
|
index 0000000..3724e69
|
|
--- /dev/null
|
|
+++ b/libapol/src/default-object-query.c
|
|
@@ -0,0 +1,87 @@
|
|
+/**
|
|
+ * @file
|
|
+ *
|
|
+ * Provides a way for setools to make queries about policy capabilities
|
|
+ * within a policy. The caller obtains a query object,
|
|
+ * fills in its parameters, and then runs the query; it obtains a
|
|
+ * vector of results. Searches are conjunctive -- all fields of the
|
|
+ * search query must match for a datum to be added to the results
|
|
+ * query.
|
|
+ *
|
|
+ * @author Richard Haines richard_c_haines@btinternet.com
|
|
+ *
|
|
+ * Copyright (C) 2006-2007 Tresys Technology, LLC
|
|
+ *
|
|
+ * This library is free software; you can redistribute it and/or
|
|
+ * modify it under the terms of the GNU Lesser General Public
|
|
+ * License as published by the Free Software Foundation; either
|
|
+ * version 2.1 of the License, or (at your option) any later version.
|
|
+ *
|
|
+ * This library is distributed in the hope that it will be useful,
|
|
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
+ * Lesser General Public License for more details.
|
|
+ *
|
|
+ * You should have received a copy of the GNU Lesser General Public
|
|
+ * License along with this library; if not, write to the Free Software
|
|
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
|
+ */
|
|
+
|
|
+#include "policy-query-internal.h"
|
|
+
|
|
+#include <errno.h>
|
|
+
|
|
+struct apol_default_object_query
|
|
+{
|
|
+ char *name;
|
|
+};
|
|
+
|
|
+int apol_default_object_get_by_query(const apol_policy_t * p, apol_default_object_query_t * q, apol_vector_t ** v)
|
|
+{
|
|
+ qpol_iterator_t *iter;
|
|
+ int retval = -1;
|
|
+
|
|
+ *v = NULL;
|
|
+ if (qpol_policy_get_default_object_iter(p->p, &iter) < 0) {
|
|
+ return -1;
|
|
+ }
|
|
+ if ((*v = apol_vector_create(NULL)) == NULL) {
|
|
+ ERR(p, "%s", strerror(errno));
|
|
+ goto cleanup;
|
|
+ }
|
|
+ for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
|
|
+ const qpol_default_object_t *default_object;
|
|
+ if (qpol_iterator_get_item(iter, (void **)&default_object) < 0) {
|
|
+ goto cleanup;
|
|
+ }
|
|
+ if (q != NULL) {
|
|
+ if (apol_vector_append(*v, (void *)default_object)) {
|
|
+ ERR(p, "%s", strerror(ENOMEM));
|
|
+ goto cleanup;
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+
|
|
+ retval = 0;
|
|
+cleanup:
|
|
+ if (retval != 0) {
|
|
+ apol_vector_destroy(v);
|
|
+ }
|
|
+ qpol_iterator_destroy(&iter);
|
|
+ return retval;
|
|
+}
|
|
+
|
|
+apol_default_object_query_t *apol_default_object_query_create(void)
|
|
+{
|
|
+ return calloc(1, sizeof(apol_default_object_query_t));
|
|
+}
|
|
+
|
|
+void apol_default_object_query_destroy(apol_default_object_query_t ** q)
|
|
+{
|
|
+ if (*q != NULL) {
|
|
+ free((*q)->name);
|
|
+ free(*q);
|
|
+ *q = NULL;
|
|
+ }
|
|
+}
|
|
+
|
|
diff --git a/libapol/src/ftrule-query.c b/libapol/src/ftrule-query.c
|
|
index 50c6c7a..aeebc25 100644
|
|
--- a/libapol/src/ftrule-query.c
|
|
+++ b/libapol/src/ftrule-query.c
|
|
@@ -215,10 +215,10 @@ void apol_filename_trans_query_destroy(apol_filename_trans_query_t ** t)
|
|
}
|
|
}
|
|
|
|
-int apol_filename_trans_query_set_source(const apol_policy_t * p, apol_filename_trans_query_t * t, const char *filename, int is_indirect)
|
|
+int apol_filename_trans_query_set_source(const apol_policy_t * p, apol_filename_trans_query_t * t, const char *type, int is_indirect)
|
|
{
|
|
apol_query_set_flag(p, &t->flags, is_indirect, APOL_QUERY_SOURCE_INDIRECT);
|
|
- return apol_query_set(p, &t->source, NULL, filename);
|
|
+ return apol_query_set(p, &t->source, NULL, type);
|
|
}
|
|
|
|
//TODO is the equivilent terule_query_set_{source,target}_compoenent needed?
|
|
diff --git a/libapol/src/libapol.map b/libapol/src/libapol.map
|
|
index 7657a2d..8741bf4 100644
|
|
--- a/libapol/src/libapol.map
|
|
+++ b/libapol/src/libapol.map
|
|
@@ -83,5 +83,9 @@ VERS_4.1{
|
|
VERS_4.2{
|
|
global:
|
|
apol_permissive_*;
|
|
+ apol_typebounds_*;
|
|
+ apol_rolebounds_*;
|
|
+ apol_userbounds_*;
|
|
apol_polcap_*;
|
|
+ apol_default_object_*;
|
|
} VERS_4.1;
|
|
diff --git a/libapol/src/policy-query-internal.h b/libapol/src/policy-query-internal.h
|
|
index 657c815..d7e57e0 100644
|
|
--- a/libapol/src/policy-query-internal.h
|
|
+++ b/libapol/src/policy-query-internal.h
|
|
@@ -228,6 +228,25 @@ extern "C"
|
|
regex_t ** type_regex);
|
|
|
|
/**
|
|
+ * Determines if a (partial) typebounds query matches a qpol_typebounds_t,
|
|
+ * by name.
|
|
+ *
|
|
+ * @param p Policy within which to look up types.
|
|
+ * @param type typebounds datum to compare against.
|
|
+ * @param name Source target from which to compare.
|
|
+ * @param flags If APOL_QUERY_REGEX bit is set, treat name as a
|
|
+ * regular expression.
|
|
+ * @param regex If using regexp comparison, the compiled regular
|
|
+ * expression to use; the pointer will be allocated space if regexp is
|
|
+ * legal. If NULL, then compile the regexp pattern given by name and
|
|
+ * cache it here.
|
|
+ *
|
|
+ * @return 1 If comparison succeeds, 0 if not; < 0 on error.
|
|
+ */
|
|
+ int apol_compare_typebounds(const apol_policy_t * p, const qpol_typebounds_t * typebounds, const char *name, unsigned int flags,
|
|
+ regex_t ** type_regex);
|
|
+
|
|
+/**
|
|
* Determines if a boolean is used within a particual conditional.
|
|
*
|
|
* @param p Policy within which to look up types.
|
|
diff --git a/libapol/src/policy-query.c b/libapol/src/policy-query.c
|
|
index 18152fb..5ce52a2 100644
|
|
--- a/libapol/src/policy-query.c
|
|
+++ b/libapol/src/policy-query.c
|
|
@@ -188,6 +188,29 @@ int apol_compare_polcap(const apol_policy_t * p, const qpol_polcap_t * polcap, c
|
|
return compval;
|
|
}
|
|
|
|
+int apol_compare_typebounds(const apol_policy_t * p, const qpol_typebounds_t * typebounds, const char *name, unsigned int flags,
|
|
+ regex_t ** typebounds_regex)
|
|
+{
|
|
+ const char *typebounds_parent_name = NULL;
|
|
+ const char *typebounds_child_name = NULL;
|
|
+
|
|
+ int compval = 0;
|
|
+
|
|
+ qpol_typebounds_get_parent_name(p->p, typebounds, &typebounds_parent_name);
|
|
+ qpol_typebounds_get_child_name(p->p, typebounds, &typebounds_child_name);
|
|
+
|
|
+ if (typebounds_parent_name != NULL) {
|
|
+ compval = apol_compare(p, typebounds_parent_name, name, flags, typebounds_regex);
|
|
+ }
|
|
+ if (typebounds_child_name != NULL && compval == 0) {
|
|
+ compval = apol_compare(p, typebounds_child_name, name, flags, typebounds_regex);
|
|
+ return compval;
|
|
+ } else {
|
|
+ return compval;
|
|
+ }
|
|
+ return 0;
|
|
+}
|
|
+
|
|
int apol_compare_cond_expr(const apol_policy_t * p, const qpol_cond_t * cond, const char *name, unsigned int flags,
|
|
regex_t ** bool_regex)
|
|
{
|
|
diff --git a/libapol/src/policy.c b/libapol/src/policy.c
|
|
index 95ab7cd..f253db9 100644
|
|
--- a/libapol/src/policy.c
|
|
+++ b/libapol/src/policy.c
|
|
@@ -155,6 +155,15 @@ int apol_policy_get_policy_type(const apol_policy_t * policy)
|
|
return policy->policy_type;
|
|
}
|
|
|
|
+int apol_policy_get_policy_handle_unknown(const apol_policy_t * p)
|
|
+{
|
|
+ unsigned int handle_unknown;
|
|
+ if (qpol_policy_get_policy_handle_unknown(p->p, &handle_unknown) < 0) {
|
|
+ return -1;
|
|
+ }
|
|
+ return handle_unknown;
|
|
+}
|
|
+
|
|
qpol_policy_t *apol_policy_get_qpol(const apol_policy_t * policy)
|
|
{
|
|
if (policy == NULL) {
|
|
diff --git a/libapol/swig/apol.i b/libapol/swig/apol.i
|
|
index ae1262d..8a4a195 100644
|
|
--- a/libapol/swig/apol.i
|
|
+++ b/libapol/swig/apol.i
|
|
@@ -256,7 +256,7 @@ uint8_t apol_str_to_protocol(const char *protocol_str);
|
|
}
|
|
%}
|
|
%extend apol_ip_t {
|
|
- apol_ip_t(const char *str) {
|
|
+ apol_ip(const char *str) {
|
|
apol_ip_t *ip = NULL;
|
|
BEGIN_EXCEPTION
|
|
ip = calloc(1, sizeof(*ip));
|
|
@@ -274,7 +274,7 @@ uint8_t apol_str_to_protocol(const char *protocol_str);
|
|
fail:
|
|
return ip;
|
|
};
|
|
- ~apol_ip_t() {
|
|
+ ~apol_ip() {
|
|
free(self);
|
|
};
|
|
int get_protocol() {
|
|
@@ -303,31 +303,35 @@ char *apol_file_find_path(const char *file_name);
|
|
%}
|
|
typedef struct apol_vector {} apol_vector_t;
|
|
%extend apol_vector_t {
|
|
- apol_vector_t() {
|
|
+ apol_vector() {
|
|
return apol_vector_create(NULL);
|
|
};
|
|
- apol_vector_t(qpol_iterator_t *iter) {
|
|
+ apol_vector(qpol_iterator_t *iter) {
|
|
return apol_vector_create_from_iter(iter, NULL);
|
|
};
|
|
- apol_vector_t(apol_vector_t *v) {
|
|
+ apol_vector(apol_vector_t *v) {
|
|
return apol_vector_create_from_vector(v, NULL, NULL, NULL);
|
|
};
|
|
- apol_vector_t(apol_vector_t *a, apol_vector_t *b) {
|
|
+ apol_vector(apol_vector_t *a, apol_vector_t *b) {
|
|
return apol_vector_create_from_intersection(a, b, NULL, NULL);
|
|
};
|
|
- size_t get_size() {
|
|
+ %rename(get_size) wrap_get_size;
|
|
+ size_t wrap_get_size() {
|
|
return apol_vector_get_size(self);
|
|
};
|
|
- size_t get_capacity() {
|
|
+ %rename(get_capacity) wrap_get_capacity;
|
|
+ size_t wrap_get_capacity() {
|
|
return apol_vector_get_capacity(self);
|
|
};
|
|
- void *get_element(size_t i) {
|
|
+ %rename(get_element) wrap_get_element;
|
|
+ void *wrap_get_element(size_t i) {
|
|
return apol_vector_get_element(self, i);
|
|
};
|
|
- ~apol_vector_t() {
|
|
+ ~apol_vector() {
|
|
apol_vector_destroy(&self);
|
|
};
|
|
- void append(void *x) {
|
|
+ %rename(append) wrap_append;
|
|
+ void wrap_append(void *x) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_vector_append(self, x)) {
|
|
SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
@@ -336,7 +340,8 @@ typedef struct apol_vector {} apol_vector_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void append_unique(void *x) {
|
|
+ %rename(append_unique) wrap_append_unique;
|
|
+ void wrap_append_unique(void *x) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_vector_append_unique(self, x, NULL, NULL)) {
|
|
SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
@@ -345,7 +350,8 @@ typedef struct apol_vector {} apol_vector_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void cat(apol_vector_t *src) {
|
|
+ %rename(cat) wrap_cat;
|
|
+ void wrap_cat(apol_vector_t *src) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_vector_cat(self, src)) {
|
|
SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
@@ -354,7 +360,8 @@ typedef struct apol_vector {} apol_vector_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void remove(size_t idx) {
|
|
+ %rename(remove) wrap_remove;
|
|
+ void wrap_remove(size_t idx) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_vector_remove(self, idx)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Error removing vector element");
|
|
@@ -363,10 +370,12 @@ typedef struct apol_vector {} apol_vector_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void sort() {
|
|
+ %rename(sort) wrap_sort;
|
|
+ void wrap_sort() {
|
|
apol_vector_sort(self, NULL, NULL);
|
|
};
|
|
- void sort_uniquify() {
|
|
+ %rename(sort_uniquify) wrap_sort_uniquify;
|
|
+ void wrap_sort_uniquify() {
|
|
apol_vector_sort_uniquify(self, NULL, NULL);
|
|
};
|
|
};
|
|
@@ -379,13 +388,13 @@ typedef struct apol_vector {} apol_vector_t;
|
|
%}
|
|
typedef struct apol_string_vector {} apol_string_vector_t;
|
|
%extend apol_string_vector_t {
|
|
- apol_string_vector_t() {
|
|
+ apol_string_vector() {
|
|
return (apol_string_vector_t*)apol_vector_create(free);
|
|
};
|
|
- apol_string_vector_t(apol_string_vector_t *v) {
|
|
+ apol_string_vector(apol_string_vector_t *v) {
|
|
return (apol_string_vector_t*)apol_vector_create_from_vector((apol_vector_t*)v, apol_str_strdup, NULL, free);
|
|
};
|
|
- apol_string_vector_t(apol_string_vector_t *a, apol_string_vector_t *b) {
|
|
+ apol_string_vector(apol_string_vector_t *a, apol_string_vector_t *b) {
|
|
return (apol_string_vector_t*)apol_vector_create_from_intersection((apol_vector_t*)a, (apol_vector_t*)b, apol_str_strcmp, NULL);
|
|
};
|
|
size_t get_size() {
|
|
@@ -397,7 +406,7 @@ typedef struct apol_string_vector {} apol_string_vector_t;
|
|
char *get_element(size_t i) {
|
|
return (char*)apol_vector_get_element((apol_vector_t*)self, i);
|
|
};
|
|
- ~apol_string_vector_t() {
|
|
+ ~apol_string_vector() {
|
|
apol_vector_destroy((apol_vector_t**)&self);
|
|
};
|
|
size_t get_index(char *str) {
|
|
@@ -462,7 +471,7 @@ typedef struct apol_string_vector {} apol_string_vector_t;
|
|
} apol_policy_path_type_e;
|
|
typedef struct apol_policy_path {} apol_policy_path_t;
|
|
%extend apol_policy_path_t {
|
|
- apol_policy_path_t(apol_policy_path_type_e type, char * primary, apol_string_vector_t *modules = NULL) {
|
|
+ apol_policy_path(apol_policy_path_type_e type, char * primary, apol_string_vector_t *modules = NULL) {
|
|
apol_policy_path_t *p;
|
|
BEGIN_EXCEPTION
|
|
if ((p = apol_policy_path_create(type, primary, (apol_vector_t*)modules)) == NULL) {
|
|
@@ -472,7 +481,7 @@ typedef struct apol_policy_path {} apol_policy_path_t;
|
|
fail:
|
|
return p;
|
|
};
|
|
- apol_policy_path_t(char *path) {
|
|
+ apol_policy_path(char *path) {
|
|
apol_policy_path_t *p;
|
|
BEGIN_EXCEPTION
|
|
if ((p = apol_policy_path_create_from_file(path)) == NULL) {
|
|
@@ -482,7 +491,7 @@ typedef struct apol_policy_path {} apol_policy_path_t;
|
|
fail:
|
|
return p;
|
|
};
|
|
- apol_policy_path_t(char *str, int unused) {
|
|
+ apol_policy_path(char *str, int unused) {
|
|
apol_policy_path_t *p;
|
|
BEGIN_EXCEPTION
|
|
if ((p = apol_policy_path_create_from_string(str)) == NULL) {
|
|
@@ -492,7 +501,7 @@ typedef struct apol_policy_path {} apol_policy_path_t;
|
|
fail:
|
|
return p;
|
|
};
|
|
- apol_policy_path_t(apol_policy_path_t *in) {
|
|
+ apol_policy_path(apol_policy_path_t *in) {
|
|
apol_policy_path_t *p;
|
|
BEGIN_EXCEPTION
|
|
if ((p = apol_policy_path_create_from_policy_path(in)) == NULL) {
|
|
@@ -502,20 +511,24 @@ typedef struct apol_policy_path {} apol_policy_path_t;
|
|
fail:
|
|
return p;
|
|
};
|
|
- ~apol_policy_path_t() {
|
|
+ ~apol_policy_path() {
|
|
apol_policy_path_destroy(&self);
|
|
};
|
|
- apol_policy_path_type_e get_type() {
|
|
+ %rename(get_type) wrap_get_type;
|
|
+ apol_policy_path_type_e wrap_get_type() {
|
|
return apol_policy_path_get_type(self);
|
|
};
|
|
- const char *get_primary() {
|
|
+ %rename(get_primary) wrap_get_primary;
|
|
+ const char *wrap_get_primary() {
|
|
return apol_policy_path_get_primary(self);
|
|
};
|
|
- const apol_string_vector_t *get_modules() {
|
|
+ %rename(get_modules) wrap_get_modules;
|
|
+ const apol_string_vector_t *wrap_get_modules() {
|
|
return (apol_string_vector_t*)apol_policy_path_get_modules(self);
|
|
};
|
|
%newobject to_string();
|
|
- char *to_string() {
|
|
+ %rename(to_string) wrap_to_string;
|
|
+ char *wrap_to_string() {
|
|
char *str;
|
|
BEGIN_EXCEPTION
|
|
str = apol_policy_path_to_string(self);
|
|
@@ -526,7 +539,8 @@ typedef struct apol_policy_path {} apol_policy_path_t;
|
|
fail:
|
|
return str;
|
|
};
|
|
- void to_file(char *path) {
|
|
+ %rename(to_file) wrap_to_file;
|
|
+ void wrap_to_file(char *path) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_policy_path_to_file(self, path)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Input/outpet error");
|
|
@@ -549,7 +563,7 @@ typedef struct apol_policy {} apol_policy_t;
|
|
#define APOL_PERMMAP_BOTH (APOL_PERMMAP_READ | APOL_PERMMAP_WRITE)
|
|
#define APOL_PERMMAP_NONE 0x10
|
|
%extend apol_policy_t {
|
|
- apol_policy_t(apol_policy_path_t *path, int options = 0) {
|
|
+ apol_policy(apol_policy_path_t *path, int options = 0) {
|
|
apol_policy_t *p;
|
|
BEGIN_EXCEPTION
|
|
p = apol_policy_create_from_policy_path(path, options, apol_swig_message_callback, apol_swig_message_callback_arg);
|
|
@@ -564,20 +578,30 @@ typedef struct apol_policy {} apol_policy_t;
|
|
fail:
|
|
return p;
|
|
};
|
|
- ~apol_policy_t() {
|
|
+ ~apol_policy() {
|
|
apol_policy_destroy(&self);
|
|
};
|
|
- int get_policy_type() {
|
|
+ %rename(get_policy_type) wrap_get_policy_type;
|
|
+ int wrap_get_policy_type() {
|
|
return apol_policy_get_policy_type(self);
|
|
};
|
|
- qpol_policy_t *get_qpol() {
|
|
+
|
|
+ %rename(get_policy_handle_unknown) wrap_get_policy_handle_unknown;
|
|
+ int wrap_get_policy_handle_unknown() {
|
|
+ return apol_policy_get_policy_handle_unknown(self);
|
|
+ };
|
|
+
|
|
+ %rename(get_qpol) wrap_get_qpol;
|
|
+ qpol_policy_t *wrap_get_qpol() {
|
|
return apol_policy_get_qpol(self);
|
|
};
|
|
- int is_mls() {
|
|
+ %rename(is_mls) wrap_is_mls;
|
|
+ int wrap_is_mls() {
|
|
return apol_policy_is_mls(self);
|
|
};
|
|
%newobject get_version_type_mls_str();
|
|
- char *get_version_type_mls_str() {
|
|
+ %rename(get_version_type_mls_str) wrap_get_version_type_mls_str;
|
|
+ char *wrap_get_version_type_mls_str() {
|
|
char *str;
|
|
BEGIN_EXCEPTION
|
|
str = apol_policy_get_version_type_mls_str(self);
|
|
@@ -588,7 +612,8 @@ typedef struct apol_policy {} apol_policy_t;
|
|
fail:
|
|
return str;
|
|
};
|
|
- void open_permmap(const char *path) {
|
|
+ %rename(open_permmap) wrap_open_permmap;
|
|
+ void wrap_open_permmap(const char *path) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_policy_open_permmap(self, path) < 0) {
|
|
SWIG_exception(SWIG_RuntimeError, "Error loading permission map");
|
|
@@ -597,7 +622,8 @@ typedef struct apol_policy {} apol_policy_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void save_permmap(const char *path) {
|
|
+ %rename(save_permmap) wrap_save_permmap;
|
|
+ void wrap_save_permmap(const char *path) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_policy_save_permmap(self, path)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not save permission map");
|
|
@@ -626,7 +652,8 @@ typedef struct apol_policy {} apol_policy_t;
|
|
fail:
|
|
return dir;
|
|
};
|
|
- void set_permmap(const char *class_name, const char *perm_name, int direction, int weight) {
|
|
+ %rename(set_permmap) wrap_set_permmap;
|
|
+ void wrap_set_permmap(const char *class_name, const char *perm_name, int direction, int weight) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_policy_set_permmap(self, class_name, perm_name, direction, weight)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set permission mapping");
|
|
@@ -635,7 +662,8 @@ typedef struct apol_policy {} apol_policy_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void build_domain_trans_table() {
|
|
+ %rename(build_domain_trans_table) wrap_build_domain_trans_table;
|
|
+ void wrap_build_domain_trans_table() {
|
|
BEGIN_EXCEPTION
|
|
if (apol_policy_build_domain_trans_table(self)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not build domain transition table");
|
|
@@ -644,7 +672,8 @@ typedef struct apol_policy {} apol_policy_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void reset_domain_trans_table() {
|
|
+ %rename(reset_domain_trans_table) wrap_reset_domain_trans_table;
|
|
+ void wrap_reset_domain_trans_table() {
|
|
apol_policy_reset_domain_trans_table(self);
|
|
}
|
|
};
|
|
@@ -652,7 +681,7 @@ typedef struct apol_policy {} apol_policy_t;
|
|
/* apol type query */
|
|
typedef struct apol_type_query {} apol_type_query_t;
|
|
%extend apol_type_query_t {
|
|
- apol_type_query_t() {
|
|
+ apol_type_query() {
|
|
apol_type_query_t *tq;
|
|
BEGIN_EXCEPTION
|
|
tq = apol_type_query_create();
|
|
@@ -663,7 +692,7 @@ typedef struct apol_type_query {} apol_type_query_t;
|
|
fail:
|
|
return tq;
|
|
};
|
|
- ~apol_type_query_t() {
|
|
+ ~apol_type_query() {
|
|
apol_type_query_destroy(&self);
|
|
};
|
|
%newobject run(apol_policy_t *);
|
|
@@ -677,7 +706,8 @@ typedef struct apol_type_query {} apol_type_query_t;
|
|
fail:
|
|
return v;
|
|
};
|
|
- void set_type(apol_policy_t *p, char *name) {
|
|
+ %rename(set_type) wrap_set_type;
|
|
+ void wrap_set_type(apol_policy_t *p, char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_type_query_set_type(p, self, name)) {
|
|
SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
@@ -686,7 +716,8 @@ typedef struct apol_type_query {} apol_type_query_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_regex(apol_policy_t *p, int regex) {
|
|
+ %rename(set_regex) wrap_set_regex;
|
|
+ void wrap_set_regex(apol_policy_t *p, int regex) {
|
|
apol_type_query_set_regex(p, self, regex);
|
|
};
|
|
};
|
|
@@ -694,7 +725,7 @@ typedef struct apol_type_query {} apol_type_query_t;
|
|
/* apol attribute query */
|
|
typedef struct apol_attr_query {} apol_attr_query_t;
|
|
%extend apol_attr_query_t {
|
|
- apol_attr_query_t() {
|
|
+ apol_attr_query() {
|
|
apol_attr_query_t *aq;
|
|
BEGIN_EXCEPTION
|
|
aq = apol_attr_query_create();
|
|
@@ -705,7 +736,7 @@ typedef struct apol_attr_query {} apol_attr_query_t;
|
|
fail:
|
|
return aq;
|
|
};
|
|
- ~apol_attr_query_t() {
|
|
+ ~apol_attr_query() {
|
|
apol_attr_query_destroy(&self);
|
|
};
|
|
%newobject run(apol_policy_t *);
|
|
@@ -719,7 +750,8 @@ typedef struct apol_attr_query {} apol_attr_query_t;
|
|
fail:
|
|
return v;
|
|
};
|
|
- void set_attr(apol_policy_t *p, char *name) {
|
|
+ %rename(set_attr) wrap_set_attr;
|
|
+ void wrap_set_attr(apol_policy_t *p, char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_attr_query_set_attr(p, self, name)) {
|
|
SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
@@ -728,7 +760,8 @@ typedef struct apol_attr_query {} apol_attr_query_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_regex(apol_policy_t *p, int regex) {
|
|
+ %rename(set_regex) wrap_set_regex;
|
|
+ void wrap_set_regex(apol_policy_t *p, int regex) {
|
|
apol_attr_query_set_regex(p, self, regex);
|
|
};
|
|
};
|
|
@@ -736,7 +769,7 @@ typedef struct apol_attr_query {} apol_attr_query_t;
|
|
/* apol role query */
|
|
typedef struct apol_role_query {} apol_role_query_t;
|
|
%extend apol_role_query_t {
|
|
- apol_role_query_t() {
|
|
+ apol_role_query() {
|
|
apol_role_query_t *rq;
|
|
BEGIN_EXCEPTION
|
|
rq = apol_role_query_create();
|
|
@@ -747,7 +780,7 @@ typedef struct apol_role_query {} apol_role_query_t;
|
|
fail:
|
|
return rq;
|
|
};
|
|
- ~apol_role_query_t() {
|
|
+ ~apol_role_query() {
|
|
apol_role_query_destroy(&self);
|
|
};
|
|
%newobject run(apol_policy_t *);
|
|
@@ -761,7 +794,8 @@ typedef struct apol_role_query {} apol_role_query_t;
|
|
fail:
|
|
return v;
|
|
};
|
|
- void set_role(apol_policy_t *p, char *name) {
|
|
+ %rename(set_role) wrap_set_role;
|
|
+ void wrap_set_role(apol_policy_t *p, char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_role_query_set_role(p, self, name)) {
|
|
SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
@@ -770,7 +804,8 @@ typedef struct apol_role_query {} apol_role_query_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_type(apol_policy_t *p, char *name) {
|
|
+ %rename(set_type) wrap_set_type;
|
|
+ void wrap_set_type(apol_policy_t *p, char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_role_query_set_type(p, self, name)) {
|
|
SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
@@ -779,7 +814,8 @@ typedef struct apol_role_query {} apol_role_query_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_regex(apol_policy_t *p, int regex) {
|
|
+ %rename(set_regex) wrap_set_regex;
|
|
+ void wrap_set_regex(apol_policy_t *p, int regex) {
|
|
apol_role_query_set_regex(p, self, regex);
|
|
};
|
|
};
|
|
@@ -788,7 +824,7 @@ int apol_role_has_type(apol_policy_t * p, qpol_role_t * r, qpol_type_t * t);
|
|
/* apol class query */
|
|
typedef struct apol_class_query {} apol_class_query_t;
|
|
%extend apol_class_query_t {
|
|
- apol_class_query_t() {
|
|
+ apol_class_query() {
|
|
apol_class_query_t *cq;
|
|
BEGIN_EXCEPTION
|
|
cq = apol_class_query_create();
|
|
@@ -799,7 +835,7 @@ typedef struct apol_class_query {} apol_class_query_t;
|
|
fail:
|
|
return cq;
|
|
};
|
|
- ~apol_class_query_t() {
|
|
+ ~apol_class_query() {
|
|
apol_class_query_destroy(&self);
|
|
};
|
|
%newobject run(apol_policy_t*);
|
|
@@ -813,7 +849,8 @@ typedef struct apol_class_query {} apol_class_query_t;
|
|
fail:
|
|
return v;
|
|
};
|
|
- void set_class(apol_policy_t *p, char *name) {
|
|
+ %rename(set_class) wrap_set_class;
|
|
+ void wrap_set_class(apol_policy_t *p, char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_class_query_set_class(p, self, name)) {
|
|
SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
@@ -822,7 +859,8 @@ typedef struct apol_class_query {} apol_class_query_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_common(apol_policy_t *p, char *name) {
|
|
+ %rename(set_common) wrap_set_common;
|
|
+ void wrap_set_common(apol_policy_t *p, char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_class_query_set_common(p, self, name)) {
|
|
SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
@@ -831,7 +869,8 @@ typedef struct apol_class_query {} apol_class_query_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_regex(apol_policy_t *p, int regex) {
|
|
+ %rename(set_regex) wrap_set_regex;
|
|
+ void wrap_set_regex(apol_policy_t *p, int regex) {
|
|
apol_class_query_set_regex(p, self, regex);
|
|
};
|
|
};
|
|
@@ -839,7 +878,7 @@ typedef struct apol_class_query {} apol_class_query_t;
|
|
/* apol common query */
|
|
typedef struct apol_common_query {} apol_common_query_t;
|
|
%extend apol_common_query_t {
|
|
- apol_common_query_t() {
|
|
+ apol_common_query() {
|
|
apol_common_query_t *cq;
|
|
BEGIN_EXCEPTION
|
|
cq = apol_common_query_create();
|
|
@@ -850,7 +889,7 @@ typedef struct apol_common_query {} apol_common_query_t;
|
|
fail:
|
|
return cq;
|
|
};
|
|
- ~apol_common_query_t() {
|
|
+ ~apol_common_query() {
|
|
apol_common_query_destroy(&self);
|
|
};
|
|
%newobject run(apol_policy_t*);
|
|
@@ -864,7 +903,8 @@ typedef struct apol_common_query {} apol_common_query_t;
|
|
fail:
|
|
return v;
|
|
};
|
|
- void set_common(apol_policy_t *p, char *name) {
|
|
+ %rename(set_common) wrap_set_common;
|
|
+ void wrap_set_common(apol_policy_t *p, char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_common_query_set_common(p, self, name)) {
|
|
SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
@@ -873,7 +913,8 @@ typedef struct apol_common_query {} apol_common_query_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_regex(apol_policy_t *p, int regex) {
|
|
+ %rename(set_regex) wrap_set_regex;
|
|
+ void wrap_set_regex(apol_policy_t *p, int regex) {
|
|
apol_common_query_set_regex(p, self, regex);
|
|
};
|
|
};
|
|
@@ -881,7 +922,7 @@ typedef struct apol_common_query {} apol_common_query_t;
|
|
/* apol perm query */
|
|
typedef struct apol_perm_query {} apol_perm_query_t;
|
|
%extend apol_perm_query_t {
|
|
- apol_perm_query_t() {
|
|
+ apol_perm_query() {
|
|
apol_perm_query_t *pq;
|
|
BEGIN_EXCEPTION
|
|
pq = apol_perm_query_create();
|
|
@@ -892,7 +933,7 @@ typedef struct apol_perm_query {} apol_perm_query_t;
|
|
fail:
|
|
return pq;
|
|
};
|
|
- ~apol_perm_query_t() {
|
|
+ ~apol_perm_query() {
|
|
apol_perm_query_destroy(&self);
|
|
};
|
|
%newobject run(apol_policy_t*);
|
|
@@ -906,7 +947,8 @@ typedef struct apol_perm_query {} apol_perm_query_t;
|
|
fail:
|
|
return (apol_string_vector_t*)v;
|
|
};
|
|
- void set_perm(apol_policy_t *p, char *name) {
|
|
+ %rename(set_perm) wrap_set_perm;
|
|
+ void wrap_set_perm(apol_policy_t *p, char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_perm_query_set_perm(p, self, name)) {
|
|
SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
@@ -915,7 +957,8 @@ typedef struct apol_perm_query {} apol_perm_query_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_regex(apol_policy_t *p, int regex) {
|
|
+ %rename(set_regex) wrap_set_regex;
|
|
+ void wrap_set_regex(apol_policy_t *p, int regex) {
|
|
apol_perm_query_set_regex(p, self, regex);
|
|
};
|
|
};
|
|
@@ -923,7 +966,7 @@ typedef struct apol_perm_query {} apol_perm_query_t;
|
|
/* apol bool query */
|
|
typedef struct apol_bool_query {} apol_bool_query_t;
|
|
%extend apol_bool_query_t {
|
|
- apol_bool_query_t() {
|
|
+ apol_bool_query() {
|
|
apol_bool_query_t *bq;
|
|
BEGIN_EXCEPTION
|
|
bq = apol_bool_query_create();
|
|
@@ -934,7 +977,7 @@ typedef struct apol_bool_query {} apol_bool_query_t;
|
|
fail:
|
|
return bq;
|
|
};
|
|
- ~apol_bool_query_t() {
|
|
+ ~apol_bool_query() {
|
|
apol_bool_query_destroy(&self);
|
|
};
|
|
%newobject run(apol_policy_t*);
|
|
@@ -948,7 +991,8 @@ typedef struct apol_bool_query {} apol_bool_query_t;
|
|
fail:
|
|
return v;
|
|
};
|
|
- void set_bool(apol_policy_t *p, char *name) {
|
|
+ %rename(set_bool) wrap_set_bool;
|
|
+ void wrap_set_bool(apol_policy_t *p, char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_bool_query_set_bool(p, self, name)) {
|
|
SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
@@ -957,7 +1001,8 @@ typedef struct apol_bool_query {} apol_bool_query_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_regex(apol_policy_t *p, int regex) {
|
|
+ %rename(set_regex) wrap_set_regex;
|
|
+ void wrap_set_regex(apol_policy_t *p, int regex) {
|
|
apol_bool_query_set_regex(p, self, regex);
|
|
};
|
|
};
|
|
@@ -965,7 +1010,7 @@ typedef struct apol_bool_query {} apol_bool_query_t;
|
|
/* apol mls level */
|
|
typedef struct apol_mls_level {} apol_mls_level_t;
|
|
%extend apol_mls_level_t {
|
|
- apol_mls_level_t() {
|
|
+ apol_mls_level() {
|
|
apol_mls_level_t *aml;
|
|
BEGIN_EXCEPTION
|
|
aml = apol_mls_level_create();
|
|
@@ -976,7 +1021,7 @@ typedef struct apol_mls_level {} apol_mls_level_t;
|
|
fail:
|
|
return aml;
|
|
};
|
|
- apol_mls_level_t(apol_mls_level_t *in) {
|
|
+ apol_mls_level(apol_mls_level_t *in) {
|
|
apol_mls_level_t *aml;
|
|
BEGIN_EXCEPTION
|
|
aml = apol_mls_level_create_from_mls_level(in);
|
|
@@ -987,7 +1032,7 @@ typedef struct apol_mls_level {} apol_mls_level_t;
|
|
fail:
|
|
return aml;
|
|
};
|
|
- apol_mls_level_t(apol_policy_t *p, const char *str) {
|
|
+ apol_mls_level(apol_policy_t *p, const char *str) {
|
|
apol_mls_level_t *aml;
|
|
BEGIN_EXCEPTION
|
|
aml = apol_mls_level_create_from_string(p, str);
|
|
@@ -998,7 +1043,7 @@ typedef struct apol_mls_level {} apol_mls_level_t;
|
|
fail:
|
|
return aml;
|
|
};
|
|
- apol_mls_level_t(const char *str) {
|
|
+ apol_mls_level(const char *str) {
|
|
apol_mls_level_t *aml;
|
|
BEGIN_EXCEPTION
|
|
aml = apol_mls_level_create_from_literal(str);
|
|
@@ -1009,7 +1054,7 @@ typedef struct apol_mls_level {} apol_mls_level_t;
|
|
fail:
|
|
return aml;
|
|
};
|
|
- apol_mls_level_t(apol_policy_t *p, qpol_mls_level_t *qml) {
|
|
+ apol_mls_level(apol_policy_t *p, qpol_mls_level_t *qml) {
|
|
apol_mls_level_t *aml;
|
|
BEGIN_EXCEPTION
|
|
aml = apol_mls_level_create_from_qpol_mls_level(p, qml);
|
|
@@ -1020,7 +1065,7 @@ typedef struct apol_mls_level {} apol_mls_level_t;
|
|
fail:
|
|
return aml;
|
|
};
|
|
- apol_mls_level_t(apol_policy_t *p, qpol_level_t *ql) {
|
|
+ apol_mls_level(apol_policy_t *p, qpol_level_t *ql) {
|
|
apol_mls_level_t *aml;
|
|
BEGIN_EXCEPTION
|
|
aml = apol_mls_level_create_from_qpol_level_datum(p, ql);
|
|
@@ -1031,10 +1076,11 @@ typedef struct apol_mls_level {} apol_mls_level_t;
|
|
fail:
|
|
return aml;
|
|
};
|
|
- ~apol_mls_level_t() {
|
|
+ ~apol_mls_level() {
|
|
apol_mls_level_destroy(&self);
|
|
};
|
|
- void set_sens(apol_policy_t *p, char *sens) {
|
|
+ %rename(set_sens) wrap_set_sens;
|
|
+ void wrap_set_sens(apol_policy_t *p, char *sens) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_mls_level_set_sens(p, self, sens)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set level sensitivity");
|
|
@@ -1043,10 +1089,12 @@ typedef struct apol_mls_level {} apol_mls_level_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- const char *get_sens() {
|
|
+ %rename(get_sens) wrap_get_sens;
|
|
+ const char *wrap_get_sens() {
|
|
return apol_mls_level_get_sens(self);
|
|
};
|
|
- void append_cats(apol_policy_t *p, char *cats) {
|
|
+ %rename(append_cats) wrap_append_cats;
|
|
+ void wrap_append_cats(apol_policy_t *p, char *cats) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_mls_level_append_cats(p, self, cats)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not append level category");
|
|
@@ -1055,10 +1103,12 @@ typedef struct apol_mls_level {} apol_mls_level_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- const apol_string_vector_t *get_cats() {
|
|
+ %rename(get_cats) wrap_get_cats;
|
|
+ const apol_string_vector_t *wrap_get_cats() {
|
|
return (apol_string_vector_t *) apol_mls_level_get_cats(self);
|
|
};
|
|
- int validate(apol_policy_t *p) {
|
|
+ %rename(validate) wrap_validate;
|
|
+ int wrap_validate(apol_policy_t *p) {
|
|
int ret = -1;
|
|
BEGIN_EXCEPTION
|
|
ret = apol_mls_level_validate(p, self);
|
|
@@ -1070,7 +1120,8 @@ typedef struct apol_mls_level {} apol_mls_level_t;
|
|
return ret;
|
|
}
|
|
%newobject render(apol_policy_t*);
|
|
- char *render(apol_policy_t *p) {
|
|
+ %rename(render) wrap_render;
|
|
+ char *wrap_render(apol_policy_t *p) {
|
|
char *str;
|
|
BEGIN_EXCEPTION
|
|
str = apol_mls_level_render(p, self);
|
|
@@ -1081,7 +1132,8 @@ typedef struct apol_mls_level {} apol_mls_level_t;
|
|
fail:
|
|
return str;
|
|
};
|
|
- int convert(apol_policy_t *p) {
|
|
+ %rename(convert) wrap_convert;
|
|
+ int wrap_convert(apol_policy_t *p) {
|
|
int ret = -1;
|
|
BEGIN_EXCEPTION
|
|
ret = apol_mls_level_convert(p, self);
|
|
@@ -1092,7 +1144,8 @@ typedef struct apol_mls_level {} apol_mls_level_t;
|
|
fail:
|
|
return ret;
|
|
}
|
|
- int is_literal() {
|
|
+ %rename(is_literal) wrap_is_literal;
|
|
+ int wrap_is_literal() {
|
|
int ret = -1;
|
|
BEGIN_EXCEPTION
|
|
ret = apol_mls_level_is_literal(self);
|
|
@@ -1128,7 +1181,7 @@ int apol_mls_cats_compare(apol_policy_t * p, const char *cat1, const char *cat2)
|
|
#endif
|
|
typedef struct apol_mls_range {} apol_mls_range_t;
|
|
%extend apol_mls_range_t {
|
|
- apol_mls_range_t() {
|
|
+ apol_mls_range() {
|
|
apol_mls_range_t *amr;
|
|
BEGIN_EXCEPTION
|
|
amr = apol_mls_range_create();
|
|
@@ -1139,7 +1192,7 @@ typedef struct apol_mls_range {} apol_mls_range_t;
|
|
fail:
|
|
return amr;
|
|
};
|
|
- apol_mls_range_t(apol_mls_range_t *in) {
|
|
+ apol_mls_range(apol_mls_range_t *in) {
|
|
apol_mls_range_t *amr;
|
|
BEGIN_EXCEPTION
|
|
amr = apol_mls_range_create_from_mls_range(in);
|
|
@@ -1150,7 +1203,7 @@ typedef struct apol_mls_range {} apol_mls_range_t;
|
|
fail:
|
|
return amr;
|
|
};
|
|
- apol_mls_range_t(apol_policy_t *p, const char *s) {
|
|
+ apol_mls_range(apol_policy_t *p, const char *s) {
|
|
apol_mls_range_t *amr;
|
|
BEGIN_EXCEPTION
|
|
amr = apol_mls_range_create_from_string(p, s);
|
|
@@ -1161,7 +1214,7 @@ typedef struct apol_mls_range {} apol_mls_range_t;
|
|
fail:
|
|
return amr;
|
|
};
|
|
- apol_mls_range_t(const char *s) {
|
|
+ apol_mls_range(const char *s) {
|
|
apol_mls_range_t *amr;
|
|
BEGIN_EXCEPTION
|
|
amr = apol_mls_range_create_from_literal(s);
|
|
@@ -1172,7 +1225,7 @@ typedef struct apol_mls_range {} apol_mls_range_t;
|
|
fail:
|
|
return amr;
|
|
};
|
|
- apol_mls_range_t(apol_policy_t *p, qpol_mls_range_t *in) {
|
|
+ apol_mls_range(apol_policy_t *p, qpol_mls_range_t *in) {
|
|
apol_mls_range_t *amr;
|
|
BEGIN_EXCEPTION
|
|
amr = apol_mls_range_create_from_qpol_mls_range(p, in);
|
|
@@ -1183,10 +1236,11 @@ typedef struct apol_mls_range {} apol_mls_range_t;
|
|
fail:
|
|
return amr;
|
|
};
|
|
- ~apol_mls_range_t() {
|
|
+ ~apol_mls_range() {
|
|
apol_mls_range_destroy(&self);
|
|
};
|
|
- void set_low(apol_policy_t *p, apol_mls_level_t *lvl) {
|
|
+ %rename(set_low) wrap_set_low;
|
|
+ void wrap_set_low(apol_policy_t *p, apol_mls_level_t *lvl) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_mls_range_set_low(p, self, lvl)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set low level");
|
|
@@ -1195,7 +1249,8 @@ typedef struct apol_mls_range {} apol_mls_range_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_high(apol_policy_t *p, apol_mls_level_t *lvl) {
|
|
+ %rename(set_high) wrap_set_high;
|
|
+ void wrap_set_high(apol_policy_t *p, apol_mls_level_t *lvl) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_mls_range_set_high(p, self, lvl)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set high level");
|
|
@@ -1204,14 +1259,17 @@ typedef struct apol_mls_range {} apol_mls_range_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- const apol_mls_level_t *get_low() {
|
|
+ %rename(get_low) wrap_get_low;
|
|
+ const apol_mls_level_t *wrap_get_low() {
|
|
return apol_mls_range_get_low(self);
|
|
}
|
|
- const apol_mls_level_t *get_high() {
|
|
+ %rename(get_high) wrap_get_high;
|
|
+ const apol_mls_level_t *wrap_get_high() {
|
|
return apol_mls_range_get_high(self);
|
|
}
|
|
%newobject render(apol_policy_t*);
|
|
- char *render(apol_policy_t *p) {
|
|
+ %rename(render) wrap_render;
|
|
+ char *wrap_render(apol_policy_t *p) {
|
|
char *str;
|
|
BEGIN_EXCEPTION
|
|
str = apol_mls_range_render(p, self);
|
|
@@ -1223,7 +1281,8 @@ typedef struct apol_mls_range {} apol_mls_range_t;
|
|
return str;
|
|
};
|
|
%newobject get_levels(apol_policy_t*);
|
|
- apol_vector_t *get_levels(apol_policy_t *p) {
|
|
+ %rename(get_levels) wrap_get_levels;
|
|
+ apol_vector_t *wrap_get_levels(apol_policy_t *p) {
|
|
apol_vector_t *v;
|
|
BEGIN_EXCEPTION
|
|
v = apol_mls_range_get_levels(p, self);
|
|
@@ -1234,7 +1293,8 @@ typedef struct apol_mls_range {} apol_mls_range_t;
|
|
fail:
|
|
return v;
|
|
};
|
|
- int validate(apol_policy_t *p) {
|
|
+ %rename(validate) wrap_validate;
|
|
+ int wrap_validate(apol_policy_t *p) {
|
|
int ret = apol_mls_range_validate(p, self);
|
|
BEGIN_EXCEPTION
|
|
if (ret < 0) {
|
|
@@ -1244,7 +1304,8 @@ typedef struct apol_mls_range {} apol_mls_range_t;
|
|
fail:
|
|
return ret;
|
|
}
|
|
- int is_literal() {
|
|
+ %rename(is_literal) wrap_is_literal;
|
|
+ int wrap_is_literal() {
|
|
int ret = -1;
|
|
BEGIN_EXCEPTION
|
|
ret = apol_mls_range_is_literal(self);
|
|
@@ -1255,7 +1316,8 @@ typedef struct apol_mls_range {} apol_mls_range_t;
|
|
fail:
|
|
return ret;
|
|
}
|
|
- int convert(apol_policy_t *p) {
|
|
+ %rename(convert) wrap_convert;
|
|
+ int wrap_convert(apol_policy_t *p) {
|
|
int ret = -1;
|
|
BEGIN_EXCEPTION
|
|
ret = apol_mls_range_convert(p, self);
|
|
@@ -1278,7 +1340,7 @@ int apol_mls_range_contain_subrange(apol_policy_t * p, const apol_mls_range_t *
|
|
/* apol level query */
|
|
typedef struct apol_level_query {} apol_level_query_t;
|
|
%extend apol_level_query_t {
|
|
- apol_level_query_t() {
|
|
+ apol_level_query() {
|
|
apol_level_query_t * alq;
|
|
BEGIN_EXCEPTION
|
|
alq = apol_level_query_create();
|
|
@@ -1289,7 +1351,7 @@ typedef struct apol_level_query {} apol_level_query_t;
|
|
fail:
|
|
return alq;
|
|
};
|
|
- ~apol_level_query_t() {
|
|
+ ~apol_level_query() {
|
|
apol_level_query_destroy(&self);
|
|
};
|
|
%newobject run(apol_policy_t*);
|
|
@@ -1303,7 +1365,8 @@ typedef struct apol_level_query {} apol_level_query_t;
|
|
fail:
|
|
return v;
|
|
};
|
|
- void set_sens(apol_policy_t *p, char *name) {
|
|
+ %rename(set_sens) wrap_set_sens;
|
|
+ void wrap_set_sens(apol_policy_t *p, char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_level_query_set_sens(p, self, name)) {
|
|
SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
@@ -1312,7 +1375,8 @@ typedef struct apol_level_query {} apol_level_query_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_cat(apol_policy_t *p, char *name) {
|
|
+ %rename(set_cat) wrap_set_cat;
|
|
+ void wrap_set_cat(apol_policy_t *p, char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_level_query_set_cat(p, self, name)) {
|
|
SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
@@ -1321,7 +1385,8 @@ typedef struct apol_level_query {} apol_level_query_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_regex(apol_policy_t *p, int regex) {
|
|
+ %rename(set_regex) wrap_set_regex;
|
|
+ void wrap_set_regex(apol_policy_t *p, int regex) {
|
|
apol_level_query_set_regex(p, self, regex);
|
|
};
|
|
};
|
|
@@ -1329,7 +1394,7 @@ typedef struct apol_level_query {} apol_level_query_t;
|
|
/* apol cat query */
|
|
typedef struct apol_cat_query {} apol_cat_query_t;
|
|
%extend apol_cat_query_t {
|
|
- apol_cat_query_t() {
|
|
+ apol_cat_query() {
|
|
apol_cat_query_t * acq;
|
|
BEGIN_EXCEPTION
|
|
acq = apol_cat_query_create();
|
|
@@ -1340,7 +1405,7 @@ typedef struct apol_cat_query {} apol_cat_query_t;
|
|
fail:
|
|
return acq;
|
|
};
|
|
- ~apol_cat_query_t() {
|
|
+ ~apol_cat_query() {
|
|
apol_cat_query_destroy(&self);
|
|
};
|
|
%newobject run(apol_policy_t *);
|
|
@@ -1354,7 +1419,8 @@ typedef struct apol_cat_query {} apol_cat_query_t;
|
|
fail:
|
|
return v;
|
|
};
|
|
- void set_cat(apol_policy_t *p, char *name) {
|
|
+ %rename(set_cat) wrap_set_cat;
|
|
+ void wrap_set_cat(apol_policy_t *p, char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_cat_query_set_cat(p, self, name)) {
|
|
SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
@@ -1363,7 +1429,8 @@ typedef struct apol_cat_query {} apol_cat_query_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_regex(apol_policy_t *p, int regex) {
|
|
+ %rename(set_regex) wrap_set_regex;
|
|
+ void wrap_set_regex(apol_policy_t *p, int regex) {
|
|
apol_cat_query_set_regex(p, self, regex);
|
|
};
|
|
};
|
|
@@ -1379,7 +1446,7 @@ typedef struct apol_cat_query {} apol_cat_query_t;
|
|
#endif
|
|
typedef struct apol_user_query {} apol_user_query_t;
|
|
%extend apol_user_query_t {
|
|
- apol_user_query_t() {
|
|
+ apol_user_query() {
|
|
apol_user_query_t *auq;
|
|
BEGIN_EXCEPTION
|
|
auq = apol_user_query_create();
|
|
@@ -1390,7 +1457,7 @@ typedef struct apol_user_query {} apol_user_query_t;
|
|
fail:
|
|
return auq;
|
|
};
|
|
- ~apol_user_query_t() {
|
|
+ ~apol_user_query() {
|
|
apol_user_query_destroy(&self);
|
|
};
|
|
%newobject run(apol_policy_t*);
|
|
@@ -1404,7 +1471,8 @@ typedef struct apol_user_query {} apol_user_query_t;
|
|
fail:
|
|
return v;
|
|
};
|
|
- void set_user(apol_policy_t *p, char *name) {
|
|
+ %rename(set_user) wrap_set_user;
|
|
+ void wrap_set_user(apol_policy_t *p, char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_user_query_set_user(p, self, name)) {
|
|
SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
@@ -1413,7 +1481,8 @@ typedef struct apol_user_query {} apol_user_query_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_role(apol_policy_t *p, char *name) {
|
|
+ %rename(set_role) wrap_set_role;
|
|
+ void wrap_set_role(apol_policy_t *p, char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_user_query_set_role(p, self, name)) {
|
|
SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
@@ -1422,7 +1491,8 @@ typedef struct apol_user_query {} apol_user_query_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_default_level(apol_policy_t *p, apol_mls_level_t *lvl) {
|
|
+ %rename(set_default_level) wrap_set_default_level;
|
|
+ void wrap_set_default_level(apol_policy_t *p, apol_mls_level_t *lvl) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_user_query_set_default_level(p, self, lvl)) {
|
|
SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
@@ -1431,7 +1501,8 @@ typedef struct apol_user_query {} apol_user_query_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_range(apol_policy_t *p, apol_mls_range_t *rng, int range_match) {
|
|
+ %rename(set_range) wrap_set_range;
|
|
+ void wrap_set_range(apol_policy_t *p, apol_mls_range_t *rng, int range_match) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_user_query_set_range(p, self, rng, range_match)) {
|
|
SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
@@ -1440,7 +1511,8 @@ typedef struct apol_user_query {} apol_user_query_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_regex(apol_policy_t *p, int regex) {
|
|
+ %rename(set_regex) wrap_set_regex;
|
|
+ void wrap_set_regex(apol_policy_t *p, int regex) {
|
|
apol_user_query_set_regex(p, self, regex);
|
|
};
|
|
};
|
|
@@ -1448,7 +1520,7 @@ typedef struct apol_user_query {} apol_user_query_t;
|
|
/* apol context */
|
|
typedef struct apol_context {} apol_context_t;
|
|
%extend apol_context_t {
|
|
- apol_context_t() {
|
|
+ apol_context() {
|
|
apol_context_t *ctx;
|
|
BEGIN_EXCEPTION
|
|
ctx = apol_context_create();
|
|
@@ -1459,7 +1531,7 @@ typedef struct apol_context {} apol_context_t;
|
|
fail:
|
|
return ctx;
|
|
};
|
|
- apol_context_t(apol_policy_t *p, qpol_context_t *in) {
|
|
+ apol_context(apol_policy_t *p, qpol_context_t *in) {
|
|
apol_context_t *ctx;
|
|
BEGIN_EXCEPTION
|
|
ctx = apol_context_create_from_qpol_context(p, in);
|
|
@@ -1470,7 +1542,7 @@ typedef struct apol_context {} apol_context_t;
|
|
fail:
|
|
return ctx;
|
|
};
|
|
- apol_context_t(const char *str) {
|
|
+ apol_context(const char *str) {
|
|
apol_context_t *ctx;
|
|
BEGIN_EXCEPTION
|
|
ctx = apol_context_create_from_literal(str);
|
|
@@ -1481,10 +1553,11 @@ typedef struct apol_context {} apol_context_t;
|
|
fail:
|
|
return ctx;
|
|
};
|
|
- ~apol_context_t() {
|
|
+ ~apol_context() {
|
|
apol_context_destroy(&self);
|
|
};
|
|
- void set_user(apol_policy_t *p, char *name) {
|
|
+ %rename(set_user) wrap_set_user;
|
|
+ void wrap_set_user(apol_policy_t *p, char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_context_set_user(p, self, name)) {
|
|
SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
@@ -1493,10 +1566,12 @@ typedef struct apol_context {} apol_context_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- const char *get_user() {
|
|
+ %rename(get_user) wrap_get_user;
|
|
+ const char *wrap_get_user() {
|
|
return apol_context_get_user(self);
|
|
};
|
|
- void set_role(apol_policy_t *p, char *name) {
|
|
+ %rename(set_role) wrap_set_role;
|
|
+ void wrap_set_role(apol_policy_t *p, char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_context_set_role(p, self, name)) {
|
|
SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
@@ -1505,10 +1580,12 @@ typedef struct apol_context {} apol_context_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- const char *get_role() {
|
|
+ %rename(get_role) wrap_get_role;
|
|
+ const char *wrap_get_role() {
|
|
return apol_context_get_role(self);
|
|
};
|
|
- void set_type(apol_policy_t *p, char *name) {
|
|
+ %rename(set_type) wrap_set_type;
|
|
+ void wrap_set_type(apol_policy_t *p, char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_context_set_type(p, self, name)) {
|
|
SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
@@ -1517,10 +1594,12 @@ typedef struct apol_context {} apol_context_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- const char *get_type() {
|
|
+ %rename(get_type) wrap_get_type;
|
|
+ const char *wrap_get_type() {
|
|
return apol_context_get_type(self);
|
|
};
|
|
- void set_range(apol_policy_t *p, apol_mls_range_t *rng) {
|
|
+ %rename(set_range) wrap_set_range;
|
|
+ void wrap_set_range(apol_policy_t *p, apol_mls_range_t *rng) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_context_set_range(p, self, rng)) {
|
|
SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
@@ -1529,10 +1608,12 @@ typedef struct apol_context {} apol_context_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- const apol_mls_range_t *get_range() {
|
|
+ %rename(get_range) wrap_get_range;
|
|
+ const apol_mls_range_t *wrap_get_range() {
|
|
return apol_context_get_range(self);
|
|
};
|
|
- int validate(apol_policy_t *p) {
|
|
+ %rename(validate) wrap_validate;
|
|
+ int wrap_validate(apol_policy_t *p) {
|
|
int ret = -1;
|
|
BEGIN_EXCEPTION
|
|
ret = apol_context_validate(p, self);
|
|
@@ -1543,7 +1624,8 @@ typedef struct apol_context {} apol_context_t;
|
|
fail:
|
|
return ret;
|
|
}
|
|
- int validate_partial(apol_policy_t *p) {
|
|
+ %rename(validate_partial) wrap_validate_partial;
|
|
+ int wrap_validate_partial(apol_policy_t *p) {
|
|
int ret = -1;
|
|
BEGIN_EXCEPTION
|
|
ret = apol_context_validate_partial(p, self);
|
|
@@ -1555,7 +1637,8 @@ typedef struct apol_context {} apol_context_t;
|
|
return ret;
|
|
}
|
|
%newobject render(apol_policy_t*);
|
|
- char *render(apol_policy_t *p) {
|
|
+ %rename(render) wrap_render;
|
|
+ char *wrap_render(apol_policy_t *p) {
|
|
char *str;
|
|
BEGIN_EXCEPTION
|
|
str = apol_context_render(p, self);
|
|
@@ -1566,7 +1649,8 @@ typedef struct apol_context {} apol_context_t;
|
|
fail:
|
|
return str;
|
|
};
|
|
- int convert(apol_policy_t *p) {
|
|
+ %rename(convert) wrap_convert;
|
|
+ int wrap_convert(apol_policy_t *p) {
|
|
int ret = -1;
|
|
BEGIN_EXCEPTION
|
|
ret = apol_context_convert(p, self);
|
|
@@ -1583,7 +1667,7 @@ int apol_context_compare(apol_policy_t * p, apol_context_t * target, apol_contex
|
|
/* apol constraint query */
|
|
typedef struct apol_constraint_query {} apol_constraint_query_t;
|
|
%extend apol_constraint_query_t {
|
|
- apol_constraint_query_t() {
|
|
+ apol_constraint_query() {
|
|
apol_constraint_query_t *acq;
|
|
BEGIN_EXCEPTION
|
|
acq = apol_constraint_query_create();
|
|
@@ -1594,7 +1678,7 @@ typedef struct apol_constraint_query {} apol_constraint_query_t;
|
|
fail:
|
|
return acq;
|
|
};
|
|
- ~apol_constraint_query_t() {
|
|
+ ~apol_constraint_query() {
|
|
apol_constraint_query_destroy(&self);
|
|
};
|
|
%newobject run(apol_policy_t*);
|
|
@@ -1608,7 +1692,8 @@ typedef struct apol_constraint_query {} apol_constraint_query_t;
|
|
fail:
|
|
return v;
|
|
};
|
|
- void set_class(apol_policy_t *p, char *name) {
|
|
+ %rename(set_class) wrap_set_class;
|
|
+ void wrap_set_class(apol_policy_t *p, char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_constraint_query_set_class(p, self, name)) {
|
|
SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
@@ -1617,7 +1702,8 @@ typedef struct apol_constraint_query {} apol_constraint_query_t;
|
|
fail:
|
|
return;
|
|
}
|
|
- void set_perm(apol_policy_t *p, char *name) {
|
|
+ %rename(set_perm) wrap_set_perm;
|
|
+ void wrap_set_perm(apol_policy_t *p, char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_constraint_query_set_perm(p, self, name)) {
|
|
SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
@@ -1626,7 +1712,8 @@ typedef struct apol_constraint_query {} apol_constraint_query_t;
|
|
fail:
|
|
return;
|
|
}
|
|
- void set_regex(apol_policy_t *p, int regex) {
|
|
+ %rename(set_regex) wrap_set_regex;
|
|
+ void wrap_set_regex(apol_policy_t *p, int regex) {
|
|
apol_constraint_query_set_regex(p, self, regex);
|
|
};
|
|
};
|
|
@@ -1634,7 +1721,7 @@ typedef struct apol_constraint_query {} apol_constraint_query_t;
|
|
/* apol validatetrans query */
|
|
typedef struct apol_validatetrans_query {} apol_validatetrans_query_t;
|
|
%extend apol_validatetrans_query_t {
|
|
- apol_validatetrans_query_t() {
|
|
+ apol_validatetrans_query() {
|
|
apol_validatetrans_query_t *avq;
|
|
BEGIN_EXCEPTION
|
|
avq = apol_validatetrans_query_create();
|
|
@@ -1645,7 +1732,7 @@ typedef struct apol_validatetrans_query {} apol_validatetrans_query_t;
|
|
fail:
|
|
return avq;
|
|
};
|
|
- ~apol_validatetrans_query_t() {
|
|
+ ~apol_validatetrans_query() {
|
|
apol_validatetrans_query_destroy(&self);
|
|
};
|
|
%newobject run(apol_policy_t*);
|
|
@@ -1659,7 +1746,8 @@ typedef struct apol_validatetrans_query {} apol_validatetrans_query_t;
|
|
fail:
|
|
return v;
|
|
};
|
|
- void set_class(apol_policy_t *p, char *name) {
|
|
+ %rename(set_class) wrap_set_class;
|
|
+ void wrap_set_class(apol_policy_t *p, char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_validatetrans_query_set_class(p, self, name)) {
|
|
SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
@@ -1668,7 +1756,8 @@ typedef struct apol_validatetrans_query {} apol_validatetrans_query_t;
|
|
fail:
|
|
return;
|
|
}
|
|
- void set_regex(apol_policy_t *p, int regex) {
|
|
+ %rename(set_regex) wrap_set_regex;
|
|
+ void wrap_set_regex(apol_policy_t *p, int regex) {
|
|
apol_validatetrans_query_set_regex(p, self, regex);
|
|
};
|
|
};
|
|
@@ -1684,7 +1773,7 @@ typedef struct apol_validatetrans_query {} apol_validatetrans_query_t;
|
|
#endif
|
|
typedef struct apol_genfscon_query {} apol_genfscon_query_t;
|
|
%extend apol_genfscon_query_t {
|
|
- apol_genfscon_query_t() {
|
|
+ apol_genfscon_query() {
|
|
apol_genfscon_query_t *agq;
|
|
BEGIN_EXCEPTION
|
|
agq = apol_genfscon_query_create();
|
|
@@ -1695,7 +1784,7 @@ typedef struct apol_genfscon_query {} apol_genfscon_query_t;
|
|
fail:
|
|
return agq;
|
|
};
|
|
- ~apol_genfscon_query_t() {
|
|
+ ~apol_genfscon_query() {
|
|
apol_genfscon_query_destroy(&self);
|
|
};
|
|
%newobject run(apol_policy_t*);
|
|
@@ -1709,7 +1798,8 @@ typedef struct apol_genfscon_query {} apol_genfscon_query_t;
|
|
fail:
|
|
return v;
|
|
};
|
|
- void set_filesystem(apol_policy_t *p, char *fs) {
|
|
+ %rename(set_filesystem) wrap_set_filesystem;
|
|
+ void wrap_set_filesystem(apol_policy_t *p, char *fs) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_genfscon_query_set_filesystem(p, self, fs)) {
|
|
SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
@@ -1718,7 +1808,8 @@ typedef struct apol_genfscon_query {} apol_genfscon_query_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_path(apol_policy_t *p, char *path) {
|
|
+ %rename(set_path) wrap_set_path;
|
|
+ void wrap_set_path(apol_policy_t *p, char *path) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_genfscon_query_set_path(p, self, path)) {
|
|
SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
@@ -1727,7 +1818,8 @@ typedef struct apol_genfscon_query {} apol_genfscon_query_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_objclass(apol_policy_t *p, int objclass) {
|
|
+ %rename(set_objclass) wrap_set_objclass;
|
|
+ void wrap_set_objclass(apol_policy_t *p, int objclass) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_genfscon_query_set_objclass(p, self, objclass)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set object class for genfscon query");
|
|
@@ -1736,7 +1828,8 @@ typedef struct apol_genfscon_query {} apol_genfscon_query_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_context(apol_policy_t *p, apol_context_t *ctx, int range_match) {
|
|
+ %rename(set_context) wrap_set_context;
|
|
+ void wrap_set_context(apol_policy_t *p, apol_context_t *ctx, int range_match) {
|
|
apol_genfscon_query_set_context(p, self, ctx, range_match);
|
|
};
|
|
};
|
|
@@ -1746,7 +1839,7 @@ char *apol_genfscon_render(apol_policy_t * p, qpol_genfscon_t * genfscon);
|
|
/* apol fs_use query */
|
|
typedef struct apol_fs_use_query {} apol_fs_use_query_t;
|
|
%extend apol_fs_use_query_t {
|
|
- apol_fs_use_query_t() {
|
|
+ apol_fs_use_query() {
|
|
apol_fs_use_query_t *afq;
|
|
BEGIN_EXCEPTION
|
|
afq = apol_fs_use_query_create();
|
|
@@ -1757,7 +1850,7 @@ typedef struct apol_fs_use_query {} apol_fs_use_query_t;
|
|
fail:
|
|
return afq;
|
|
};
|
|
- ~apol_fs_use_query_t() {
|
|
+ ~apol_fs_use_query() {
|
|
apol_fs_use_query_destroy(&self);
|
|
};
|
|
%newobject run(apol_policy_t*);
|
|
@@ -1771,7 +1864,8 @@ typedef struct apol_fs_use_query {} apol_fs_use_query_t;
|
|
fail:
|
|
return v;
|
|
};
|
|
- void set_filesystem(apol_policy_t *p, char *fs) {
|
|
+ %rename(set_filesystem) wrap_set_filesystem;
|
|
+ void wrap_set_filesystem(apol_policy_t *p, char *fs) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_fs_use_query_set_filesystem(p, self, fs)) {
|
|
SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
@@ -1780,7 +1874,8 @@ typedef struct apol_fs_use_query {} apol_fs_use_query_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_behavior(apol_policy_t *p, int behavior) {
|
|
+ %rename(set_behavior) wrap_set_behavior;
|
|
+ void wrap_set_behavior(apol_policy_t *p, int behavior) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_fs_use_query_set_behavior(p, self, behavior)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set behavior for fs_use query");
|
|
@@ -1789,7 +1884,8 @@ typedef struct apol_fs_use_query {} apol_fs_use_query_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_context(apol_policy_t *p, apol_context_t *ctx, int range_match) {
|
|
+ %rename(set_context) wrap_set_context;
|
|
+ void wrap_set_context(apol_policy_t *p, apol_context_t *ctx, int range_match) {
|
|
apol_fs_use_query_set_context(p, self, ctx, range_match);
|
|
};
|
|
};
|
|
@@ -1799,7 +1895,7 @@ char *apol_fs_use_render(apol_policy_t * p, qpol_fs_use_t * fsuse);
|
|
/* apol initial sid query */
|
|
typedef struct apol_isid_query {} apol_isid_query_t;
|
|
%extend apol_isid_query_t {
|
|
- apol_isid_query_t() {
|
|
+ apol_isid_query() {
|
|
apol_isid_query_t *aiq;
|
|
BEGIN_EXCEPTION
|
|
aiq = apol_isid_query_create();
|
|
@@ -1810,7 +1906,7 @@ typedef struct apol_isid_query {} apol_isid_query_t;
|
|
fail:
|
|
return aiq;
|
|
};
|
|
- ~apol_isid_query_t() {
|
|
+ ~apol_isid_query() {
|
|
apol_isid_query_destroy(&self);
|
|
};
|
|
%newobject run(apol_policy_t*);
|
|
@@ -1824,7 +1920,8 @@ typedef struct apol_isid_query {} apol_isid_query_t;
|
|
fail:
|
|
return v;
|
|
};
|
|
- void set_name(apol_policy_t *p, char *name) {
|
|
+ %rename(set_name) wrap_set_name;
|
|
+ void wrap_set_name(apol_policy_t *p, char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_isid_query_set_name(p, self, name)) {
|
|
SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
@@ -1833,7 +1930,8 @@ typedef struct apol_isid_query {} apol_isid_query_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_context(apol_policy_t *p, apol_context_t *ctx, int range_match) {
|
|
+ %rename(set_context) wrap_set_context;
|
|
+ void wrap_set_context(apol_policy_t *p, apol_context_t *ctx, int range_match) {
|
|
apol_isid_query_set_context(p, self, ctx, range_match);
|
|
};
|
|
};
|
|
@@ -1841,7 +1939,7 @@ typedef struct apol_isid_query {} apol_isid_query_t;
|
|
/* apol portcon query */
|
|
typedef struct apol_portcon_query {} apol_portcon_query_t;
|
|
%extend apol_portcon_query_t {
|
|
- apol_portcon_query_t() {
|
|
+ apol_portcon_query() {
|
|
apol_portcon_query_t *apq;
|
|
BEGIN_EXCEPTION
|
|
apq = apol_portcon_query_create();
|
|
@@ -1852,7 +1950,7 @@ typedef struct apol_portcon_query {} apol_portcon_query_t;
|
|
fail:
|
|
return apq;
|
|
};
|
|
- ~apol_portcon_query_t() {
|
|
+ ~apol_portcon_query() {
|
|
apol_portcon_query_destroy(&self);
|
|
};
|
|
%newobject run(apol_policy_t*);
|
|
@@ -1866,16 +1964,20 @@ typedef struct apol_portcon_query {} apol_portcon_query_t;
|
|
fail:
|
|
return v;
|
|
};
|
|
- void set_protocol(apol_policy_t *p, int protocol) {
|
|
+ %rename(set_protocol) wrap_set_protocol;
|
|
+ void wrap_set_protocol(apol_policy_t *p, int protocol) {
|
|
apol_portcon_query_set_protocol(p, self, protocol);
|
|
};
|
|
- void set_low(apol_policy_t *p, int port) {
|
|
+ %rename(set_low) wrap_set_low;
|
|
+ void wrap_set_low(apol_policy_t *p, int port) {
|
|
apol_portcon_query_set_low(p, self, port);
|
|
};
|
|
- void set_high(apol_policy_t *p, int port) {
|
|
+ %rename(set_high) wrap_set_high;
|
|
+ void wrap_set_high(apol_policy_t *p, int port) {
|
|
apol_portcon_query_set_high(p, self, port);
|
|
};
|
|
- void set_context(apol_policy_t *p, apol_context_t *ctx, int range_match) {
|
|
+ %rename(set_context) wrap_set_context;
|
|
+ void wrap_set_context(apol_policy_t *p, apol_context_t *ctx, int range_match) {
|
|
apol_portcon_query_set_context(p, self, ctx, range_match);
|
|
};
|
|
};
|
|
@@ -1884,8 +1986,9 @@ char *apol_portcon_render(apol_policy_t * p, qpol_portcon_t * portcon);
|
|
|
|
/* apol netifcon query */
|
|
typedef struct apol_netifcon_query {} apol_netifcon_query_t;
|
|
+%rename(apol_netifcon_query_set_msg_context) apol_netifcon_query_set_msg_context;
|
|
%extend apol_netifcon_query_t {
|
|
- apol_netifcon_query_t() {
|
|
+ apol_netifcon_query() {
|
|
apol_netifcon_query_t *anq;
|
|
BEGIN_EXCEPTION
|
|
anq = apol_netifcon_query_create();
|
|
@@ -1896,7 +1999,7 @@ typedef struct apol_netifcon_query {} apol_netifcon_query_t;
|
|
fail:
|
|
return anq;
|
|
};
|
|
- ~apol_netifcon_query_t() {
|
|
+ ~apol_netifcon_query() {
|
|
apol_netifcon_query_destroy(&self);
|
|
};
|
|
%newobject run(apol_policy_t*);
|
|
@@ -1910,7 +2013,8 @@ typedef struct apol_netifcon_query {} apol_netifcon_query_t;
|
|
fail:
|
|
return v;
|
|
};
|
|
- void set_device(apol_policy_t *p, char *name) {
|
|
+ %rename(set_device) wrap_set_device;
|
|
+ void wrap_set_device(apol_policy_t *p, char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_netifcon_query_set_device(p, self, name)) {
|
|
SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
@@ -1919,10 +2023,12 @@ typedef struct apol_netifcon_query {} apol_netifcon_query_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_if_context(apol_policy_t *p, apol_context_t *ctx, int range_match) {
|
|
+ %rename(set_if_context) wrap_set_if_context;
|
|
+ void wrap_set_if_context(apol_policy_t *p, apol_context_t *ctx, int range_match) {
|
|
apol_netifcon_query_set_if_context(p, self, ctx, range_match);
|
|
};
|
|
- void set_msg_context(apol_policy_t *p, apol_context_t *ctx, int range_match) {
|
|
+ %rename(set_msg_context) wrap_set_msg_context;
|
|
+ void wrap_set_msg_context(apol_policy_t *p, apol_context_t *ctx, int range_match) {
|
|
apol_netifcon_query_set_msg_context(p, self, ctx, range_match);
|
|
};
|
|
};
|
|
@@ -1932,7 +2038,7 @@ char *apol_netifcon_render(apol_policy_t * p, qpol_netifcon_t * netifcon);
|
|
/* apol nodecon query */
|
|
typedef struct apol_nodecon_query {} apol_nodecon_query_t;
|
|
%extend apol_nodecon_query_t {
|
|
- apol_nodecon_query_t() {
|
|
+ apol_nodecon_query() {
|
|
apol_nodecon_query_t *anq;
|
|
BEGIN_EXCEPTION
|
|
anq = apol_nodecon_query_create();
|
|
@@ -1943,7 +2049,7 @@ typedef struct apol_nodecon_query {} apol_nodecon_query_t;
|
|
fail:
|
|
return anq;
|
|
};
|
|
- ~apol_nodecon_query_t() {
|
|
+ ~apol_nodecon_query() {
|
|
apol_nodecon_query_destroy(&self);
|
|
};
|
|
%newobject run(apol_policy_t*);
|
|
@@ -1957,7 +2063,8 @@ typedef struct apol_nodecon_query {} apol_nodecon_query_t;
|
|
fail:
|
|
return v;
|
|
};
|
|
- void set_protocol(apol_policy_t *p, int protocol) {
|
|
+ %rename(set_protocol) wrap_set_protocol;
|
|
+ void wrap_set_protocol(apol_policy_t *p, int protocol) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_nodecon_query_set_protocol(p, self, protocol)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set protocol for nodecon query");
|
|
@@ -2002,7 +2109,8 @@ typedef struct apol_nodecon_query {} apol_nodecon_query_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_context(apol_policy_t *p, apol_context_t *ctx, int range_match) {
|
|
+ %rename(set_context) wrap_set_context;
|
|
+ void wrap_set_context(apol_policy_t *p, apol_context_t *ctx, int range_match) {
|
|
apol_nodecon_query_set_context(p, self, ctx, range_match);
|
|
};
|
|
};
|
|
@@ -2012,7 +2120,7 @@ char *apol_nodecon_render(apol_policy_t * p, qpol_nodecon_t * nodecon);
|
|
/* apol avrule query */
|
|
typedef struct apol_avrule_query {} apol_avrule_query_t;
|
|
%extend apol_avrule_query_t {
|
|
- apol_avrule_query_t() {
|
|
+ apol_avrule_query() {
|
|
apol_avrule_query_t *avq;
|
|
BEGIN_EXCEPTION
|
|
avq = apol_avrule_query_create();
|
|
@@ -2023,7 +2131,7 @@ typedef struct apol_avrule_query {} apol_avrule_query_t;
|
|
fail:
|
|
return avq;
|
|
};
|
|
- ~apol_avrule_query_t() {
|
|
+ ~apol_avrule_query() {
|
|
apol_avrule_query_destroy(&self);
|
|
};
|
|
%newobject run(apol_policy_t*);
|
|
@@ -2048,10 +2156,12 @@ typedef struct apol_avrule_query {} apol_avrule_query_t;
|
|
fail:
|
|
return v;
|
|
};
|
|
- void set_rules(apol_policy_t *p, int rules) {
|
|
+ %rename(set_rules) wrap_set_rules;
|
|
+ void wrap_set_rules(apol_policy_t *p, int rules) {
|
|
apol_avrule_query_set_rules(p, self, rules);
|
|
};
|
|
- void set_source(apol_policy_t *p, char *name, int indirect) {
|
|
+ %rename(set_source) wrap_set_source;
|
|
+ void wrap_set_source(apol_policy_t *p, char *name, int indirect) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_avrule_query_set_source(p, self, name, indirect)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set source for avrule query");
|
|
@@ -2060,7 +2170,8 @@ typedef struct apol_avrule_query {} apol_avrule_query_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_source_component(apol_policy_t *p, int component) {
|
|
+ %rename(set_source_component) wrap_set_source_component;
|
|
+ void wrap_set_source_component(apol_policy_t *p, int component) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_avrule_query_set_source_component(p, self, component)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set source component for avrule query");
|
|
@@ -2069,7 +2180,8 @@ typedef struct apol_avrule_query {} apol_avrule_query_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_target(apol_policy_t *p, char *name, int indirect) {
|
|
+ %rename(set_target) wrap_set_target;
|
|
+ void wrap_set_target(apol_policy_t *p, char *name, int indirect) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_avrule_query_set_target(p, self, name, indirect)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set target for avrule query");
|
|
@@ -2078,7 +2190,8 @@ typedef struct apol_avrule_query {} apol_avrule_query_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_target_component(apol_policy_t *p, int component) {
|
|
+ %rename(set_target_component) wrap_set_target_component;
|
|
+ void wrap_set_target_component(apol_policy_t *p, int component) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_avrule_query_set_target_component(p, self, component)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set target component for avrule query");
|
|
@@ -2087,7 +2200,8 @@ typedef struct apol_avrule_query {} apol_avrule_query_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void append_class(apol_policy_t *p, char *name) {
|
|
+ %rename(append_class) wrap_append_class;
|
|
+ void wrap_append_class(apol_policy_t *p, char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_avrule_query_append_class(p, self, name)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not append class to avrule query");
|
|
@@ -2096,7 +2210,8 @@ typedef struct apol_avrule_query {} apol_avrule_query_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void append_perm(apol_policy_t *p, char *name) {
|
|
+ %rename(append_perm) wrap_append_perm;
|
|
+ void wrap_append_perm(apol_policy_t *p, char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_avrule_query_append_perm(p, self, name)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not append permission to avrule query");
|
|
@@ -2105,7 +2220,8 @@ typedef struct apol_avrule_query {} apol_avrule_query_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_bool(apol_policy_t *p, char *name) {
|
|
+ %rename(set_bool) wrap_set_bool;
|
|
+ void wrap_set_bool(apol_policy_t *p, char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_avrule_query_set_bool(p, self, name)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set boolean for avrule query");
|
|
@@ -2114,16 +2230,20 @@ typedef struct apol_avrule_query {} apol_avrule_query_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_enabled(apol_policy_t *p, int enabled) {
|
|
+ %rename(set_enabled) wrap_set_enabled;
|
|
+ void wrap_set_enabled(apol_policy_t *p, int enabled) {
|
|
apol_avrule_query_set_enabled(p, self, enabled);
|
|
};
|
|
- void set_all_perms(apol_policy_t *p, int all_perms) {
|
|
+ %rename(set_all_perms) wrap_set_all_perms;
|
|
+ void wrap_set_all_perms(apol_policy_t *p, int all_perms) {
|
|
apol_avrule_query_set_all_perms(p, self, all_perms);
|
|
};
|
|
- void set_source_any(apol_policy_t *p, int is_any) {
|
|
+ %rename(set_source_any) wrap_set_source_any;
|
|
+ void wrap_set_source_any(apol_policy_t *p, int is_any) {
|
|
apol_avrule_query_set_source_any(p, self, is_any);
|
|
};
|
|
- void set_regex(apol_policy_t *p, int regex) {
|
|
+ %rename(set_regex) wrap_set_regex;
|
|
+ void wrap_set_regex(apol_policy_t *p, int regex) {
|
|
apol_avrule_query_set_regex(p, self, regex);
|
|
};
|
|
};
|
|
@@ -2163,7 +2283,7 @@ char *apol_syn_avrule_render(apol_policy_t * policy, qpol_syn_avrule_t * rule);
|
|
/* apol terule query */
|
|
typedef struct apol_terule_query {} apol_terule_query_t;
|
|
%extend apol_terule_query_t {
|
|
- apol_terule_query_t() {
|
|
+ apol_terule_query() {
|
|
apol_terule_query_t *atq;
|
|
BEGIN_EXCEPTION
|
|
atq = apol_terule_query_create();
|
|
@@ -2174,7 +2294,7 @@ typedef struct apol_terule_query {} apol_terule_query_t;
|
|
fail:
|
|
return atq;
|
|
};
|
|
- ~apol_terule_query_t() {
|
|
+ ~apol_terule_query() {
|
|
apol_terule_query_destroy(&self);
|
|
};
|
|
%newobject run(apol_policy_t*);
|
|
@@ -2199,10 +2319,12 @@ typedef struct apol_terule_query {} apol_terule_query_t;
|
|
fail:
|
|
return v;
|
|
};
|
|
- void set_rules(apol_policy_t *p, int rules) {
|
|
+ %rename(set_rules) wrap_set_rules;
|
|
+ void wrap_set_rules(apol_policy_t *p, int rules) {
|
|
apol_terule_query_set_rules(p, self, rules);
|
|
};
|
|
- void set_source(apol_policy_t *p, char *name, int indirect) {
|
|
+ %rename(set_source) wrap_set_source;
|
|
+ void wrap_set_source(apol_policy_t *p, char *name, int indirect) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_terule_query_set_source(p, self, name, indirect)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set source for terule query");
|
|
@@ -2211,7 +2333,8 @@ typedef struct apol_terule_query {} apol_terule_query_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_source_component(apol_policy_t *p, int component) {
|
|
+ %rename(set_source_component) wrap_set_source_component;
|
|
+ void wrap_set_source_component(apol_policy_t *p, int component) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_terule_query_set_source_component(p, self, component)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set source component for terule query");
|
|
@@ -2220,7 +2343,8 @@ typedef struct apol_terule_query {} apol_terule_query_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_target(apol_policy_t *p, char *name, int indirect) {
|
|
+ %rename(set_target) wrap_set_target;
|
|
+ void wrap_set_target(apol_policy_t *p, char *name, int indirect) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_terule_query_set_target(p, self, name, indirect)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set target for terule query");
|
|
@@ -2229,7 +2353,8 @@ typedef struct apol_terule_query {} apol_terule_query_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_target_component(apol_policy_t *p, int component) {
|
|
+ %rename(set_target_component) wrap_set_target_component;
|
|
+ void wrap_set_target_component(apol_policy_t *p, int component) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_terule_query_set_target_component(p, self, component)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set target component for terule query");
|
|
@@ -2238,7 +2363,8 @@ typedef struct apol_terule_query {} apol_terule_query_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void append_class(apol_policy_t *p, char *name) {
|
|
+ %rename(append_class) wrap_append_class;
|
|
+ void wrap_append_class(apol_policy_t *p, char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_terule_query_append_class(p, self, name)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not append class to terule query");
|
|
@@ -2247,7 +2373,8 @@ typedef struct apol_terule_query {} apol_terule_query_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_default(apol_policy_t *p, char *name) {
|
|
+ %rename(set_default) wrap_set_default;
|
|
+ void wrap_set_default(apol_policy_t *p, char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_terule_query_set_default(p, self, name)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set default for terule query");
|
|
@@ -2256,7 +2383,8 @@ typedef struct apol_terule_query {} apol_terule_query_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_bool(apol_policy_t *p, char *name) {
|
|
+ %rename(set_bool) wrap_set_bool;
|
|
+ void wrap_set_bool(apol_policy_t *p, char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_terule_query_set_bool(p, self, name)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set boolean for terule query");
|
|
@@ -2265,13 +2393,16 @@ typedef struct apol_terule_query {} apol_terule_query_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_enabled(apol_policy_t *p, int enabled) {
|
|
+ %rename(set_enabled) wrap_set_enabled;
|
|
+ void wrap_set_enabled(apol_policy_t *p, int enabled) {
|
|
apol_terule_query_set_enabled(p, self, enabled);
|
|
};
|
|
- void set_source_any(apol_policy_t *p, int is_any) {
|
|
+ %rename(set_source_any) wrap_set_source_any;
|
|
+ void wrap_set_source_any(apol_policy_t *p, int is_any) {
|
|
apol_terule_query_set_source_any(p, self, is_any);
|
|
};
|
|
- void set_regex(apol_policy_t *p, int regex) {
|
|
+ %rename(set_regex) wrap_set_regex;
|
|
+ void wrap_set_regex(apol_policy_t *p, int regex) {
|
|
apol_terule_query_set_regex(p, self, regex);
|
|
};
|
|
};
|
|
@@ -2287,7 +2418,7 @@ apol_vector_t *apol_terule_list_to_syn_terules(apol_policy_t * p, apol_vector_t
|
|
/* apol cond rule query */
|
|
typedef struct apol_cond_query {} apol_cond_query_t;
|
|
%extend apol_cond_query_t {
|
|
- apol_cond_query_t() {
|
|
+ apol_cond_query() {
|
|
apol_cond_query_t *acq;
|
|
BEGIN_EXCEPTION
|
|
acq = apol_cond_query_create();
|
|
@@ -2298,7 +2429,7 @@ typedef struct apol_cond_query {} apol_cond_query_t;
|
|
fail:
|
|
return acq;
|
|
};
|
|
- ~apol_cond_query_t() {
|
|
+ ~apol_cond_query() {
|
|
apol_cond_query_destroy(&self);
|
|
};
|
|
%newobject run(apol_policy_t*);
|
|
@@ -2312,7 +2443,8 @@ typedef struct apol_cond_query {} apol_cond_query_t;
|
|
fail:
|
|
return v;
|
|
};
|
|
- void set_bool(apol_policy_t *p, char *name) {
|
|
+ %rename(set_bool) wrap_set_bool;
|
|
+ void wrap_set_bool(apol_policy_t *p, char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_cond_query_set_bool(p, self, name)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set boolean for condiional query");
|
|
@@ -2321,7 +2453,8 @@ typedef struct apol_cond_query {} apol_cond_query_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_regex(apol_policy_t *p, int regex) {
|
|
+ %rename(set_regex) wrap_set_regex;
|
|
+ void wrap_set_regex(apol_policy_t *p, int regex) {
|
|
apol_cond_query_set_regex(p, self, regex);
|
|
};
|
|
};
|
|
@@ -2331,7 +2464,7 @@ char *apol_cond_expr_render(apol_policy_t * p, qpol_cond_t * cond);
|
|
/* apol role allow query */
|
|
typedef struct apol_role_allow_query {} apol_role_allow_query_t;
|
|
%extend apol_role_allow_query_t {
|
|
- apol_role_allow_query_t() {
|
|
+ apol_role_allow_query() {
|
|
apol_role_allow_query_t *arq;
|
|
BEGIN_EXCEPTION
|
|
arq = apol_role_allow_query_create();
|
|
@@ -2342,7 +2475,7 @@ typedef struct apol_role_allow_query {} apol_role_allow_query_t;
|
|
fail:
|
|
return arq;
|
|
};
|
|
- ~apol_role_allow_query_t() {
|
|
+ ~apol_role_allow_query() {
|
|
apol_role_allow_query_destroy(&self);
|
|
};
|
|
%newobject run(apol_policy_t*);
|
|
@@ -2356,7 +2489,8 @@ typedef struct apol_role_allow_query {} apol_role_allow_query_t;
|
|
fail:
|
|
return v;
|
|
};
|
|
- void set_source(apol_policy_t *p, char *name) {
|
|
+ %rename(set_source) wrap_set_source;
|
|
+ void wrap_set_source(apol_policy_t *p, char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_role_allow_query_set_source(p, self, name)) {
|
|
SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
@@ -2365,7 +2499,8 @@ typedef struct apol_role_allow_query {} apol_role_allow_query_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_target(apol_policy_t *p, char *name) {
|
|
+ %rename(set_target) wrap_set_target;
|
|
+ void wrap_set_target(apol_policy_t *p, char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_role_allow_query_set_target(p, self, name)) {
|
|
SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
@@ -2374,10 +2509,12 @@ typedef struct apol_role_allow_query {} apol_role_allow_query_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_source_any(apol_policy_t *p, int is_any) {
|
|
+ %rename(set_source_any) wrap_set_source_any;
|
|
+ void wrap_set_source_any(apol_policy_t *p, int is_any) {
|
|
apol_role_allow_query_set_source_any(p, self, is_any);
|
|
};
|
|
- void set_regex(apol_policy_t *p, int regex) {
|
|
+ %rename(set_regex) wrap_set_regex;
|
|
+ void wrap_set_regex(apol_policy_t *p, int regex) {
|
|
apol_role_allow_query_set_regex(p, self, regex);
|
|
};
|
|
};
|
|
@@ -2387,7 +2524,7 @@ char *apol_role_allow_render(apol_policy_t * policy, qpol_role_allow_t * rule);
|
|
/* apol role transition rule query */
|
|
typedef struct apol_role_trans_query {} apol_role_trans_query_t;
|
|
%extend apol_role_trans_query_t {
|
|
- apol_role_trans_query_t() {
|
|
+ apol_role_trans_query() {
|
|
apol_role_trans_query_t *arq;
|
|
BEGIN_EXCEPTION
|
|
arq = apol_role_trans_query_create();
|
|
@@ -2398,7 +2535,7 @@ typedef struct apol_role_trans_query {} apol_role_trans_query_t;
|
|
fail:
|
|
return arq;
|
|
};
|
|
- ~apol_role_trans_query_t() {
|
|
+ ~apol_role_trans_query() {
|
|
apol_role_trans_query_destroy(&self);
|
|
};
|
|
%newobject run(apol_policy_t*);
|
|
@@ -2412,7 +2549,8 @@ typedef struct apol_role_trans_query {} apol_role_trans_query_t;
|
|
fail:
|
|
return v;
|
|
};
|
|
- void set_source(apol_policy_t *p, char *name) {
|
|
+ %rename(set_source) wrap_set_source;
|
|
+ void wrap_set_source(apol_policy_t *p, char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_role_trans_query_set_source(p, self, name)) {
|
|
SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
@@ -2421,7 +2559,8 @@ typedef struct apol_role_trans_query {} apol_role_trans_query_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_target(apol_policy_t *p, char *name, int indirect) {
|
|
+ %rename(set_target) wrap_set_target;
|
|
+ void wrap_set_target(apol_policy_t *p, char *name, int indirect) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_role_trans_query_set_target(p, self, name, indirect)) {
|
|
SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
@@ -2430,7 +2569,8 @@ typedef struct apol_role_trans_query {} apol_role_trans_query_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_default(apol_policy_t *p, char *name) {
|
|
+ %rename(set_default) wrap_set_default;
|
|
+ void wrap_set_default(apol_policy_t *p, char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_role_trans_query_set_default(p, self, name)) {
|
|
SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
@@ -2439,10 +2579,12 @@ typedef struct apol_role_trans_query {} apol_role_trans_query_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_source_any(apol_policy_t *p, int is_any) {
|
|
+ %rename(set_source_any) wrap_set_source_any;
|
|
+ void wrap_set_source_any(apol_policy_t *p, int is_any) {
|
|
apol_role_trans_query_set_source_any(p, self, is_any);
|
|
};
|
|
- void set_regex(apol_policy_t *p, int regex) {
|
|
+ %rename(set_regex) wrap_set_regex;
|
|
+ void wrap_set_regex(apol_policy_t *p, int regex) {
|
|
apol_role_trans_query_set_regex(p, self, regex);
|
|
};
|
|
};
|
|
@@ -2452,7 +2594,7 @@ char *apol_role_trans_render(apol_policy_t * policy, qpol_role_trans_t * rule);
|
|
/* apol range transition rule query */
|
|
typedef struct apol_range_trans_query {} apol_range_trans_query_t;
|
|
%extend apol_range_trans_query_t {
|
|
- apol_range_trans_query_t() {
|
|
+ apol_range_trans_query() {
|
|
apol_range_trans_query_t *arq;
|
|
BEGIN_EXCEPTION
|
|
arq = apol_range_trans_query_create();
|
|
@@ -2463,7 +2605,7 @@ typedef struct apol_range_trans_query {} apol_range_trans_query_t;
|
|
fail:
|
|
return arq;
|
|
};
|
|
- ~apol_range_trans_query_t() {
|
|
+ ~apol_range_trans_query() {
|
|
apol_range_trans_query_destroy(&self);
|
|
};
|
|
%newobject run(apol_policy_t*);
|
|
@@ -2477,7 +2619,8 @@ typedef struct apol_range_trans_query {} apol_range_trans_query_t;
|
|
fail:
|
|
return v;
|
|
};
|
|
- void set_source(apol_policy_t *p, char *name, int indirect) {
|
|
+ %rename(set_source) wrap_set_source;
|
|
+ void wrap_set_source(apol_policy_t *p, char *name, int indirect) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_range_trans_query_set_source(p, self, name, indirect)) {
|
|
SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
@@ -2486,7 +2629,8 @@ typedef struct apol_range_trans_query {} apol_range_trans_query_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_target(apol_policy_t *p, char *name, int indirect) {
|
|
+ %rename(set_target) wrap_set_target;
|
|
+ void wrap_set_target(apol_policy_t *p, char *name, int indirect) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_range_trans_query_set_target(p, self, name, indirect)) {
|
|
SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
@@ -2495,7 +2639,8 @@ typedef struct apol_range_trans_query {} apol_range_trans_query_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void append_class(apol_policy_t *p, char *name) {
|
|
+ %rename(append_class) wrap_append_class;
|
|
+ void wrap_append_class(apol_policy_t *p, char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_range_trans_query_append_class(p, self, name)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not append class to range transition query");
|
|
@@ -2504,7 +2649,8 @@ typedef struct apol_range_trans_query {} apol_range_trans_query_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_range(apol_policy_t *p, apol_mls_range_t *rng, int range_match) {
|
|
+ %rename(set_range) wrap_set_range;
|
|
+ void wrap_set_range(apol_policy_t *p, apol_mls_range_t *rng, int range_match) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_range_trans_query_set_range(p, self, rng, range_match)) {
|
|
SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
@@ -2513,16 +2659,336 @@ typedef struct apol_range_trans_query {} apol_range_trans_query_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_source_any(apol_policy_t *p, int is_any) {
|
|
+ %rename(set_source_any) wrap_set_source_any;
|
|
+ void wrap_set_source_any(apol_policy_t *p, int is_any) {
|
|
apol_range_trans_query_set_source_any(p, self, is_any);
|
|
};
|
|
- void set_regex(apol_policy_t *p, int regex) {
|
|
+ %rename(set_regex) wrap_set_regex;
|
|
+ void wrap_set_regex(apol_policy_t *p, int regex) {
|
|
apol_range_trans_query_set_regex(p, self, regex);
|
|
};
|
|
};
|
|
%newobject apol_range_trans_render(apol_policy_t*, qpol_range_trans_t*);
|
|
char *apol_range_trans_render(apol_policy_t * policy, qpol_range_trans_t * rule);
|
|
|
|
+/* apol filename transition rule query */
|
|
+typedef struct apol_filename_trans_query {} apol_filename_trans_query_t;
|
|
+%extend apol_filename_trans_query_t {
|
|
+ apol_filename_trans_query() {
|
|
+ apol_filename_trans_query_t *arq;
|
|
+ BEGIN_EXCEPTION
|
|
+ arq = apol_filename_trans_query_create();
|
|
+ if (!arq) {
|
|
+ SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
+ }
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return arq;
|
|
+ };
|
|
+ ~apol_filename_trans_query() {
|
|
+ apol_filename_trans_query_destroy(&self);
|
|
+ };
|
|
+ %newobject run(apol_policy_t*);
|
|
+ apol_vector_t *run(apol_policy_t *p) {
|
|
+ apol_vector_t *v;
|
|
+ BEGIN_EXCEPTION
|
|
+ if (apol_filename_trans_get_by_query(p, self, &v)) {
|
|
+ SWIG_exception(SWIG_RuntimeError, "Could not run filename transition query");
|
|
+ }
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return v;
|
|
+ };
|
|
+ %rename(set_source) wrap_set_source;
|
|
+ void wrap_set_source(apol_policy_t *p, char *name, int indirect) {
|
|
+ BEGIN_EXCEPTION
|
|
+ if (apol_filename_trans_query_set_source(p, self, name, indirect)) {
|
|
+ SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
+ }
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return;
|
|
+ };
|
|
+ %rename(set_target) wrap_set_target;
|
|
+ void wrap_set_target(apol_policy_t *p, char *name, int indirect) {
|
|
+ BEGIN_EXCEPTION
|
|
+ if (apol_filename_trans_query_set_target(p, self, name, indirect)) {
|
|
+ SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
+ }
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return;
|
|
+ };
|
|
+ %rename(append_class) wrap_append_class;
|
|
+ void wrap_append_class(apol_policy_t *p, char *name) {
|
|
+ BEGIN_EXCEPTION
|
|
+ if (apol_filename_trans_query_append_class(p, self, name)) {
|
|
+ SWIG_exception(SWIG_RuntimeError, "Could not append class to filename transition query");
|
|
+ }
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return;
|
|
+ };
|
|
+
|
|
+ %rename(set_default) wrap_set_default;
|
|
+ void wrap_set_default(apol_policy_t *p, char *name) {
|
|
+ BEGIN_EXCEPTION
|
|
+ if (apol_filename_trans_query_set_default(p, self, name)) {
|
|
+ SWIG_exception(SWIG_RuntimeError, "Could not set default for filename transition query");
|
|
+ }
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return;
|
|
+ };
|
|
+
|
|
+ void set_filename(apol_policy_t *p, char *filename) {
|
|
+ BEGIN_EXCEPTION
|
|
+ if (apol_filename_trans_query_set_name(p, self, filename)) {
|
|
+ SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
+ }
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return;
|
|
+ };
|
|
+
|
|
+ %rename(set_source_any) wrap_set_source_any;
|
|
+ void wrap_set_source_any(apol_policy_t *p, int is_any) {
|
|
+ apol_filename_trans_query_set_source_any(p, self, is_any);
|
|
+ };
|
|
+ %rename(set_regex) wrap_set_regex;
|
|
+ void wrap_set_regex(apol_policy_t *p, int regex) {
|
|
+ apol_filename_trans_query_set_regex(p, self, regex);
|
|
+ };
|
|
+};
|
|
+%newobject apol_filename_trans_render(apol_policy_t*, qpol_filename_trans_t*);
|
|
+char *apol_filename_trans_render(apol_policy_t * policy, qpol_filename_trans_t * rule);
|
|
+
|
|
+/* apol permissive query */
|
|
+typedef struct apol_permissive_query {} apol_permissive_query_t;
|
|
+%extend apol_permissive_query_t {
|
|
+ apol_permissive_query() {
|
|
+ apol_permissive_query_t *arq;
|
|
+ BEGIN_EXCEPTION
|
|
+ arq = apol_permissive_query_create();
|
|
+ if (!arq) {
|
|
+ SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
+ }
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return arq;
|
|
+ };
|
|
+ ~apol_permissive_query() {
|
|
+ apol_permissive_query_destroy(&self);
|
|
+ };
|
|
+ %newobject run(apol_policy_t*);
|
|
+ apol_vector_t *run(apol_policy_t *p) {
|
|
+ apol_vector_t *v;
|
|
+ BEGIN_EXCEPTION
|
|
+ if (apol_permissive_get_by_query(p, self, &v)) {
|
|
+ SWIG_exception(SWIG_RuntimeError, "Could not run permissive query");
|
|
+ }
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return v;
|
|
+ };
|
|
+
|
|
+ %rename(set_name) wrap_set_name;
|
|
+ void wrap_set_name(apol_policy_t *p, char *name) {
|
|
+ BEGIN_EXCEPTION
|
|
+ if (apol_permissive_query_set_name(p, self, name)) {
|
|
+ SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
+ }
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return;
|
|
+ };
|
|
+
|
|
+ %rename(set_regex) wrap_set_regex;
|
|
+ void wrap_set_regex(apol_policy_t *p, int regex) {
|
|
+ apol_permissive_query_set_regex(p, self, regex);
|
|
+ };
|
|
+};
|
|
+
|
|
+/* apol polcap query */
|
|
+typedef struct apol_polcap_query {} apol_polcap_query_t;
|
|
+%extend apol_polcap_query_t {
|
|
+ apol_polcap_query() {
|
|
+ apol_polcap_query_t *arq;
|
|
+ BEGIN_EXCEPTION
|
|
+ arq = apol_polcap_query_create();
|
|
+ if (!arq) {
|
|
+ SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
+ }
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return arq;
|
|
+ };
|
|
+ ~apol_polcap_query() {
|
|
+ apol_polcap_query_destroy(&self);
|
|
+ };
|
|
+ %newobject run(apol_policy_t*);
|
|
+ apol_vector_t *run(apol_policy_t *p) {
|
|
+ apol_vector_t *v;
|
|
+ BEGIN_EXCEPTION
|
|
+ if (apol_polcap_get_by_query(p, self, &v)) {
|
|
+ SWIG_exception(SWIG_RuntimeError, "Could not run polcap query");
|
|
+ }
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return v;
|
|
+ };
|
|
+
|
|
+ %rename(set_name) wrap_set_name;
|
|
+ void wrap_set_name(apol_policy_t *p, char *name) {
|
|
+ BEGIN_EXCEPTION
|
|
+ if (apol_polcap_query_set_name(p, self, name)) {
|
|
+ SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
+ }
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return;
|
|
+ };
|
|
+
|
|
+ %rename(set_regex) wrap_set_regex;
|
|
+ void wrap_set_regex(apol_policy_t *p, int regex) {
|
|
+ apol_polcap_query_set_regex(p, self, regex);
|
|
+ };
|
|
+};
|
|
+
|
|
+/* apol typebounds query */
|
|
+typedef struct apol_typebounds_query {} apol_typebounds_query_t;
|
|
+%extend apol_typebounds_query_t {
|
|
+ apol_typebounds_query() {
|
|
+ apol_typebounds_query_t *arq;
|
|
+ BEGIN_EXCEPTION
|
|
+ arq = apol_typebounds_query_create();
|
|
+ if (!arq) {
|
|
+ SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
+ }
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return arq;
|
|
+ };
|
|
+ ~apol_typebounds_query() {
|
|
+ apol_typebounds_query_destroy(&self);
|
|
+ };
|
|
+ %newobject run(apol_policy_t*);
|
|
+ apol_vector_t *run(apol_policy_t *p) {
|
|
+ apol_vector_t *v;
|
|
+ BEGIN_EXCEPTION
|
|
+ if (apol_typebounds_get_by_query(p, self, &v)) {
|
|
+ SWIG_exception(SWIG_RuntimeError, "Could not run typebounds query");
|
|
+ }
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return v;
|
|
+ };
|
|
+ %rename(set_name) wrap_set_name;
|
|
+ void wrap_set_name(apol_policy_t *p, char *name) {
|
|
+ BEGIN_EXCEPTION
|
|
+ if (apol_typebounds_query_set_name(p, self, name)) {
|
|
+ SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
+ }
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return;
|
|
+ };
|
|
+ %rename(set_regex) wrap_set_regex;
|
|
+ void wrap_set_regex(apol_policy_t *p, int regex) {
|
|
+ apol_typebounds_query_set_regex(p, self, regex);
|
|
+ };
|
|
+};
|
|
+
|
|
+/* apol rolebounds query */
|
|
+typedef struct apol_rolebounds_query {} apol_rolebounds_query_t;
|
|
+%extend apol_rolebounds_query_t {
|
|
+ apol_rolebounds_query() {
|
|
+ apol_rolebounds_query_t *arq;
|
|
+ BEGIN_EXCEPTION
|
|
+ arq = apol_rolebounds_query_create();
|
|
+ if (!arq) {
|
|
+ SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
+ }
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return arq;
|
|
+ };
|
|
+ ~apol_rolebounds_query() {
|
|
+ apol_rolebounds_query_destroy(&self);
|
|
+ };
|
|
+ %newobject run(apol_policy_t*);
|
|
+ apol_vector_t *run(apol_policy_t *p) {
|
|
+ apol_vector_t *v;
|
|
+ BEGIN_EXCEPTION
|
|
+ if (apol_rolebounds_get_by_query(p, self, &v)) {
|
|
+ SWIG_exception(SWIG_RuntimeError, "Could not run rolebounds query");
|
|
+ }
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return v;
|
|
+ };
|
|
+};
|
|
+
|
|
+/* apol userbounds query */
|
|
+typedef struct apol_userbounds_query {} apol_userbounds_query_t;
|
|
+%extend apol_userbounds_query_t {
|
|
+ apol_userbounds_query() {
|
|
+ apol_userbounds_query_t *arq;
|
|
+ BEGIN_EXCEPTION
|
|
+ arq = apol_userbounds_query_create();
|
|
+ if (!arq) {
|
|
+ SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
+ }
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return arq;
|
|
+ };
|
|
+ ~apol_userbounds_query() {
|
|
+ apol_userbounds_query_destroy(&self);
|
|
+ };
|
|
+ %newobject run(apol_policy_t*);
|
|
+ apol_vector_t *run(apol_policy_t *p) {
|
|
+ apol_vector_t *v;
|
|
+ BEGIN_EXCEPTION
|
|
+ if (apol_userbounds_get_by_query(p, self, &v)) {
|
|
+ SWIG_exception(SWIG_RuntimeError, "Could not run userbounds query");
|
|
+ }
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return v;
|
|
+ };
|
|
+};
|
|
+
|
|
+/* apol default_object query */
|
|
+typedef struct apol_default_object_query {} apol_default_object_query_t;
|
|
+%extend apol_default_object_query_t {
|
|
+ apol_default_object_query() {
|
|
+ apol_default_object_query_t *arq;
|
|
+ BEGIN_EXCEPTION
|
|
+ arq = apol_default_object_query_create();
|
|
+ if (!arq) {
|
|
+ SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
+ }
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return arq;
|
|
+ };
|
|
+ ~apol_default_object_query() {
|
|
+ apol_default_object_query_destroy(&self);
|
|
+ };
|
|
+ %newobject run(apol_policy_t*);
|
|
+ apol_vector_t *run(apol_policy_t *p) {
|
|
+ apol_vector_t *v;
|
|
+ BEGIN_EXCEPTION
|
|
+ if (apol_default_object_get_by_query(p, self, &v)) {
|
|
+ SWIG_exception(SWIG_RuntimeError, "Could not run default object query");
|
|
+ }
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return v;
|
|
+ };
|
|
+};
|
|
+
|
|
/* domain transition analysis */
|
|
#define APOL_DOMAIN_TRANS_DIRECTION_FORWARD 0x01
|
|
#define APOL_DOMAIN_TRANS_DIRECTION_REVERSE 0x02
|
|
@@ -2531,7 +2997,7 @@ char *apol_range_trans_render(apol_policy_t * policy, qpol_range_trans_t * rule)
|
|
#define APOL_DOMAIN_TRANS_SEARCH_BOTH (APOL_DOMAIN_TRANS_SEARCH_VALID|APOL_DOMAIN_TRANS_SEARCH_INVALID)
|
|
typedef struct apol_domain_trans_analysis {} apol_domain_trans_analysis_t;
|
|
%extend apol_domain_trans_analysis_t {
|
|
- apol_domain_trans_analysis_t() {
|
|
+ apol_domain_trans_analysis() {
|
|
apol_domain_trans_analysis_t *dta;
|
|
BEGIN_EXCEPTION
|
|
dta = apol_domain_trans_analysis_create();
|
|
@@ -2542,10 +3008,11 @@ typedef struct apol_domain_trans_analysis {} apol_domain_trans_analysis_t;
|
|
fail:
|
|
return dta;
|
|
};
|
|
- ~apol_domain_trans_analysis_t() {
|
|
+ ~apol_domain_trans_analysis() {
|
|
apol_domain_trans_analysis_destroy(&self);
|
|
};
|
|
- void set_direction(apol_policy_t *p, int direction) {
|
|
+ %rename(set_direction) wrap_set_direction;
|
|
+ void wrap_set_direction(apol_policy_t *p, int direction) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_domain_trans_analysis_set_direction(p, self, (unsigned char)direction)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set direction for domain transition analysis");
|
|
@@ -2554,7 +3021,8 @@ typedef struct apol_domain_trans_analysis {} apol_domain_trans_analysis_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_valid(apol_policy_t *p, int valid) {
|
|
+ %rename(set_valid) wrap_set_valid;
|
|
+ void wrap_set_valid(apol_policy_t *p, int valid) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_domain_trans_analysis_set_valid(p, self, (unsigned char)valid)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set valid flag for domain transition analysis");
|
|
@@ -2563,7 +3031,8 @@ typedef struct apol_domain_trans_analysis {} apol_domain_trans_analysis_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_start_type(apol_policy_t *p, char *name) {
|
|
+ %rename(set_start_type) wrap_set_start_type;
|
|
+ void wrap_set_start_type(apol_policy_t *p, char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_domain_trans_analysis_set_start_type(p, self, name)) {
|
|
SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
@@ -2572,7 +3041,8 @@ typedef struct apol_domain_trans_analysis {} apol_domain_trans_analysis_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_result_regex(apol_policy_t *p, char *regex) {
|
|
+ %rename(set_result_regex) wrap_set_result_regex;
|
|
+ void wrap_set_result_regex(apol_policy_t *p, char *regex) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_domain_trans_analysis_set_result_regex(p, self, regex)) {
|
|
SWIG_exception(SWIG_MemoryError, "Out of memory");
|
|
@@ -2581,7 +3051,8 @@ typedef struct apol_domain_trans_analysis {} apol_domain_trans_analysis_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void append_access_type(apol_policy_t *p, char *name) {
|
|
+ %rename(append_access_type) wrap_append_access_type;
|
|
+ void wrap_append_access_type(apol_policy_t *p, char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_domain_trans_analysis_append_access_type(p, self, name)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not append access type for domain transition analysis");
|
|
@@ -2590,7 +3061,8 @@ typedef struct apol_domain_trans_analysis {} apol_domain_trans_analysis_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void append_class(apol_policy_t *p, char *class_name) {
|
|
+ %rename(append_class) wrap_append_class;
|
|
+ void wrap_append_class(apol_policy_t *p, char *class_name) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_domain_trans_analysis_append_class(p, self, class_name)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not append access class for domain transition analysis");
|
|
@@ -2599,7 +3071,8 @@ typedef struct apol_domain_trans_analysis {} apol_domain_trans_analysis_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void append_perm(apol_policy_t *p, char *perm_name) {
|
|
+ %rename(append_perm) wrap_append_perm;
|
|
+ void wrap_append_perm(apol_policy_t *p, char *perm_name) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_domain_trans_analysis_append_perm(p, self, perm_name)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not append access permission for domain transition analysis");
|
|
@@ -2622,7 +3095,7 @@ typedef struct apol_domain_trans_analysis {} apol_domain_trans_analysis_t;
|
|
};
|
|
typedef struct apol_domain_trans_result {} apol_domain_trans_result_t;
|
|
%extend apol_domain_trans_result_t {
|
|
- apol_domain_trans_result_t(apol_domain_trans_result_t *in) {
|
|
+ apol_domain_trans_result(apol_domain_trans_result_t *in) {
|
|
apol_domain_trans_result_t *dtr;
|
|
BEGIN_EXCEPTION
|
|
dtr = apol_domain_trans_result_create_from_domain_trans_result(in);
|
|
@@ -2633,37 +3106,46 @@ typedef struct apol_domain_trans_result {} apol_domain_trans_result_t;
|
|
fail:
|
|
return dtr;
|
|
};
|
|
- ~apol_domain_trans_result_t() {
|
|
+ ~apol_domain_trans_result() {
|
|
apol_domain_trans_result_destroy(&self);
|
|
};
|
|
- const qpol_type_t *get_start_type() {
|
|
+ %rename(get_start_type) wrap_get_start_type;
|
|
+ const qpol_type_t *wrap_get_start_type() {
|
|
return apol_domain_trans_result_get_start_type(self);
|
|
};
|
|
- const qpol_type_t *get_entrypoint_type() {
|
|
+ %rename(get_entrypoint_type) wrap_get_entrypoint_type;
|
|
+ const qpol_type_t *wrap_get_entrypoint_type() {
|
|
return apol_domain_trans_result_get_entrypoint_type(self);
|
|
};
|
|
- const qpol_type_t *get_end_type() {
|
|
+ %rename(get_end_type) wrap_get_end_type;
|
|
+ const qpol_type_t *wrap_get_end_type() {
|
|
return apol_domain_trans_result_get_end_type(self);
|
|
};
|
|
int get_is_valid() {
|
|
return apol_domain_trans_result_is_trans_valid(self);
|
|
};
|
|
- const apol_vector_t *get_proc_trans_rules() {
|
|
+ %rename(get_proc_trans_rules) wrap_get_proc_trans_rules;
|
|
+ const apol_vector_t *wrap_get_proc_trans_rules() {
|
|
return apol_domain_trans_result_get_proc_trans_rules(self);
|
|
};
|
|
- const apol_vector_t *get_entrypoint_rules() {
|
|
+ %rename(get_entrypoint_rules) wrap_get_entrypoint_rules;
|
|
+ const apol_vector_t *wrap_get_entrypoint_rules() {
|
|
return apol_domain_trans_result_get_entrypoint_rules(self);
|
|
};
|
|
- const apol_vector_t *get_exec_rules() {
|
|
+ %rename(get_exec_rules) wrap_get_exec_rules;
|
|
+ const apol_vector_t *wrap_get_exec_rules() {
|
|
return apol_domain_trans_result_get_exec_rules(self);
|
|
};
|
|
- const apol_vector_t *get_setexec_rules() {
|
|
+ %rename(get_setexec_rules) wrap_get_setexec_rules;
|
|
+ const apol_vector_t *wrap_get_setexec_rules() {
|
|
return apol_domain_trans_result_get_setexec_rules(self);
|
|
};
|
|
- const apol_vector_t *get_type_trans_rules() {
|
|
+ %rename(get_type_trans_rules) wrap_get_type_trans_rules;
|
|
+ const apol_vector_t *wrap_get_type_trans_rules() {
|
|
return apol_domain_trans_result_get_type_trans_rules(self);
|
|
};
|
|
- const apol_vector_t *get_access_rules() {
|
|
+ %rename(get_access_rules) wrap_get_access_rules;
|
|
+ const apol_vector_t *wrap_get_access_rules() {
|
|
return apol_domain_trans_result_get_access_rules(self);
|
|
};
|
|
};
|
|
@@ -2705,14 +3187,14 @@ int apol_domain_trans_table_verify_trans(apol_policy_t * policy, qpol_type_t * s
|
|
%}
|
|
typedef struct apol_infoflow {} apol_infoflow_t;
|
|
%extend apol_infoflow_t {
|
|
- apol_infoflow_t() {
|
|
+ apol_infoflow() {
|
|
BEGIN_EXCEPTION
|
|
SWIG_exception(SWIG_RuntimeError, "Cannot directly create apol_infoflow_t objects");
|
|
END_EXCEPTION
|
|
fail:
|
|
return NULL;
|
|
};
|
|
- ~apol_infoflow_t() {
|
|
+ ~apol_infoflow() {
|
|
apol_infoflow_destroy(&self);
|
|
};
|
|
%newobject extract_graph();
|
|
@@ -2730,7 +3212,7 @@ typedef struct apol_infoflow {} apol_infoflow_t;
|
|
};
|
|
typedef struct apol_infoflow_analysis {} apol_infoflow_analysis_t;
|
|
%extend apol_infoflow_analysis_t {
|
|
- apol_infoflow_analysis_t() {
|
|
+ apol_infoflow_analysis() {
|
|
apol_infoflow_analysis_t *aia;
|
|
BEGIN_EXCEPTION
|
|
aia = apol_infoflow_analysis_create();
|
|
@@ -2741,7 +3223,7 @@ typedef struct apol_infoflow_analysis {} apol_infoflow_analysis_t;
|
|
fail:
|
|
return aia;
|
|
};
|
|
- ~apol_infoflow_analysis_t() {
|
|
+ ~apol_infoflow_analysis() {
|
|
apol_infoflow_analysis_destroy(&self);
|
|
};
|
|
%newobject run(apol_policy_t*);
|
|
@@ -2763,7 +3245,8 @@ typedef struct apol_infoflow_analysis {} apol_infoflow_analysis_t;
|
|
apol_infoflow_destroy(&ai);
|
|
return NULL;
|
|
};
|
|
- void set_mode(apol_policy_t *p, int mode) {
|
|
+ %rename(set_mode) wrap_set_mode;
|
|
+ void wrap_set_mode(apol_policy_t *p, int mode) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_infoflow_analysis_set_mode(p, self, (unsigned int)mode)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set mode for information flow analysis");
|
|
@@ -2772,7 +3255,8 @@ typedef struct apol_infoflow_analysis {} apol_infoflow_analysis_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_dir(apol_policy_t *p, int direction) {
|
|
+ %rename(set_dir) wrap_set_dir;
|
|
+ void wrap_set_dir(apol_policy_t *p, int direction) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_infoflow_analysis_set_dir(p, self, (unsigned int)direction)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set direction for information flow analysis");
|
|
@@ -2781,7 +3265,8 @@ typedef struct apol_infoflow_analysis {} apol_infoflow_analysis_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_type(apol_policy_t *p, char *name) {
|
|
+ %rename(set_type) wrap_set_type;
|
|
+ void wrap_set_type(apol_policy_t *p, char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_infoflow_analysis_set_type(p, self, name)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set type for information flow analysis");
|
|
@@ -2790,7 +3275,8 @@ typedef struct apol_infoflow_analysis {} apol_infoflow_analysis_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void append_intermediate(apol_policy_t *p, char *name) {
|
|
+ %rename(append_intermediate) wrap_append_intermediate;
|
|
+ void wrap_append_intermediate(apol_policy_t *p, char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_infoflow_analysis_append_intermediate(p, self, name)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not append intermediate type for information flow analysis");
|
|
@@ -2799,7 +3285,8 @@ typedef struct apol_infoflow_analysis {} apol_infoflow_analysis_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void append_class_perm(apol_policy_t *p, char *class_name, char *perm_name) {
|
|
+ %rename(append_class_perm) wrap_append_class_perm;
|
|
+ void wrap_append_class_perm(apol_policy_t *p, char *class_name, char *perm_name) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_infoflow_analysis_append_class_perm(p, self, class_name, perm_name)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not append class and permission for information flow analysis");
|
|
@@ -2808,10 +3295,12 @@ typedef struct apol_infoflow_analysis {} apol_infoflow_analysis_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_min_weight(apol_policy_t *p, int weight) {
|
|
+ %rename(set_min_weight) wrap_set_min_weight;
|
|
+ void wrap_set_min_weight(apol_policy_t *p, int weight) {
|
|
apol_infoflow_analysis_set_min_weight(p, self, weight);
|
|
};
|
|
- void set_result_regex(apol_policy_t *p, char *regex) {
|
|
+ %rename(set_result_regex) wrap_set_result_regex;
|
|
+ void wrap_set_result_regex(apol_policy_t *p, char *regex) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_infoflow_analysis_set_result_regex(p, self, regex)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set result regular expression for information flow analysis");
|
|
@@ -2823,14 +3312,14 @@ typedef struct apol_infoflow_analysis {} apol_infoflow_analysis_t;
|
|
};
|
|
typedef struct apol_infoflow_graph {} apol_infoflow_graph_t;
|
|
%extend apol_infoflow_graph_t {
|
|
- apol_infoflow_graph_t() {
|
|
+ apol_infoflow_graph() {
|
|
BEGIN_EXCEPTION
|
|
SWIG_exception(SWIG_RuntimeError, "Cannot directly create apol_infoflow_graph_t objects");
|
|
END_EXCEPTION
|
|
fail:
|
|
return NULL;
|
|
};
|
|
- ~apol_infoflow_graph_t() {
|
|
+ ~apol_infoflow_graph() {
|
|
apol_infoflow_graph_destroy(&self);
|
|
};
|
|
%newobject do_more(apol_policy_t*, char*);
|
|
@@ -2867,30 +3356,35 @@ typedef struct apol_infoflow_graph {} apol_infoflow_graph_t;
|
|
};
|
|
typedef struct apol_infoflow_result {} apol_infoflow_result_t;
|
|
%extend apol_infoflow_result_t {
|
|
- apol_infoflow_result_t() {
|
|
+ apol_infoflow_result() {
|
|
BEGIN_EXCEPTION
|
|
SWIG_exception(SWIG_RuntimeError, "Cannot directly create apol_infoflow_result_t objects");
|
|
END_EXCEPTION
|
|
fail:
|
|
return NULL;
|
|
};
|
|
- ~apol_infoflow_result_t() {
|
|
+ ~apol_infoflow_result() {
|
|
/* no op - vector will destroy */
|
|
return;
|
|
};
|
|
- int get_dir() {
|
|
+ %rename(get_dir) wrap_get_dir;
|
|
+ int wrap_get_dir() {
|
|
return (int)apol_infoflow_result_get_dir(self);
|
|
};
|
|
- const qpol_type_t *get_start_type() {
|
|
+ %rename(get_start_type) wrap_get_start_type;
|
|
+ const qpol_type_t *wrap_get_start_type() {
|
|
return apol_infoflow_result_get_start_type(self);
|
|
};
|
|
- const qpol_type_t *get_end_type() {
|
|
+ %rename(get_end_type) wrap_get_end_type;
|
|
+ const qpol_type_t *wrap_get_end_type() {
|
|
return apol_infoflow_result_get_end_type(self);
|
|
};
|
|
- int get_length() {
|
|
+ %rename(get_length) wrap_get_length;
|
|
+ int wrap_get_length() {
|
|
return (int) apol_infoflow_result_get_length(self);
|
|
}
|
|
- const apol_vector_t *get_steps() {
|
|
+ %rename(get_steps) wrap_get_steps;
|
|
+ const apol_vector_t *wrap_get_steps() {
|
|
return apol_infoflow_result_get_steps(self);
|
|
};
|
|
};
|
|
@@ -2901,27 +3395,31 @@ typedef struct apol_infoflow_result {} apol_infoflow_result_t;
|
|
%}
|
|
typedef struct apol_infoflow_step {} apol_infoflow_step_t;
|
|
%extend apol_infoflow_step_t {
|
|
- apol_infoflow_step_t() {
|
|
+ apol_infoflow_step() {
|
|
BEGIN_EXCEPTION
|
|
SWIG_exception(SWIG_RuntimeError, "Cannot directly create apol_infoflow_step_t objects");
|
|
END_EXCEPTION
|
|
fail:
|
|
return NULL;
|
|
};
|
|
- ~apol_infoflow_step_t() {
|
|
+ ~apol_infoflow_step() {
|
|
/* no op */
|
|
return;
|
|
};
|
|
- const qpol_type_t *get_start_type() {
|
|
+ %rename(get_start_type) wrap_get_start_type;
|
|
+ const qpol_type_t *wrap_get_start_type() {
|
|
return apol_infoflow_step_get_start_type(self);
|
|
};
|
|
- const qpol_type_t *get_end_type() {
|
|
+ %rename(get_end_type) wrap_get_end_type;
|
|
+ const qpol_type_t *wrap_get_end_type() {
|
|
return apol_infoflow_step_get_end_type(self);
|
|
};
|
|
- int get_weight() {
|
|
+ %rename(get_weight) wrap_get_weight;
|
|
+ int wrap_get_weight() {
|
|
return apol_infoflow_step_get_weight(self);
|
|
};
|
|
- const apol_vector_t *get_rules() {
|
|
+ %rename(get_rules) wrap_get_rules;
|
|
+ const apol_vector_t *wrap_get_rules() {
|
|
return apol_infoflow_step_get_rules(self);
|
|
};
|
|
};
|
|
@@ -2938,7 +3436,7 @@ typedef struct apol_infoflow_step {} apol_infoflow_step_t;
|
|
#define APOL_RELABEL_DIR_SUBJECT 0x04
|
|
typedef struct apol_relabel_analysis {} apol_relabel_analysis_t;
|
|
%extend apol_relabel_analysis_t {
|
|
- apol_relabel_analysis_t() {
|
|
+ apol_relabel_analysis() {
|
|
apol_relabel_analysis_t *ara;
|
|
BEGIN_EXCEPTION
|
|
ara = apol_relabel_analysis_create();
|
|
@@ -2949,7 +3447,7 @@ typedef struct apol_relabel_analysis {} apol_relabel_analysis_t;
|
|
fail:
|
|
return ara;
|
|
};
|
|
- ~apol_relabel_analysis_t() {
|
|
+ ~apol_relabel_analysis() {
|
|
apol_relabel_analysis_destroy(&self);
|
|
};
|
|
%newobject run(apol_policy_t*);
|
|
@@ -2963,7 +3461,8 @@ typedef struct apol_relabel_analysis {} apol_relabel_analysis_t;
|
|
fail:
|
|
return v;
|
|
};
|
|
- void set_dir(apol_policy_t *p, int direction) {
|
|
+ %rename(set_dir) wrap_set_dir;
|
|
+ void wrap_set_dir(apol_policy_t *p, int direction) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_relabel_analysis_set_dir(p, self, (unsigned int)direction)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set direction for relabel analysis");
|
|
@@ -2972,7 +3471,8 @@ typedef struct apol_relabel_analysis {} apol_relabel_analysis_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_type(apol_policy_t *p, char *name) {
|
|
+ %rename(set_type) wrap_set_type;
|
|
+ void wrap_set_type(apol_policy_t *p, char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_relabel_analysis_set_type(p, self, name)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set type for relabel analysis");
|
|
@@ -2981,7 +3481,8 @@ typedef struct apol_relabel_analysis {} apol_relabel_analysis_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void append_class(apol_policy_t *p, char *name) {
|
|
+ %rename(append_class) wrap_append_class;
|
|
+ void wrap_append_class(apol_policy_t *p, char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_relabel_analysis_append_class(p, self, name)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not append class to relabel analysis");
|
|
@@ -2990,7 +3491,8 @@ typedef struct apol_relabel_analysis {} apol_relabel_analysis_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void append_subject(apol_policy_t *p, char *name) {
|
|
+ %rename(append_subject) wrap_append_subject;
|
|
+ void wrap_append_subject(apol_policy_t *p, char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_relabel_analysis_append_subject(p, self, name)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not append subject to relabel analysis");
|
|
@@ -2999,7 +3501,8 @@ typedef struct apol_relabel_analysis {} apol_relabel_analysis_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_result_regex(apol_policy_t *p, char *regex) {
|
|
+ %rename(set_result_regex) wrap_set_result_regex;
|
|
+ void wrap_set_result_regex(apol_policy_t *p, char *regex) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_relabel_analysis_set_result_regex(p, self, regex)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set result regular expression for relabel analysis");
|
|
@@ -3011,27 +3514,31 @@ typedef struct apol_relabel_analysis {} apol_relabel_analysis_t;
|
|
};
|
|
typedef struct apol_relabel_result {} apol_relabel_result_t;
|
|
%extend apol_relabel_result_t {
|
|
- apol_relabel_result_t() {
|
|
+ apol_relabel_result() {
|
|
BEGIN_EXCEPTION
|
|
SWIG_exception(SWIG_RuntimeError, "Cannot directly create apol_relabel_result_t objects");
|
|
END_EXCEPTION
|
|
fail:
|
|
return NULL;
|
|
};
|
|
- ~apol_relabel_result_t() {
|
|
+ ~apol_relabel_result() {
|
|
/* no op - vector will destroy */
|
|
return;
|
|
};
|
|
- const apol_vector_t *get_to() {
|
|
+ %rename(get_to) wrap_get_to;
|
|
+ const apol_vector_t *wrap_get_to() {
|
|
return apol_relabel_result_get_to(self);
|
|
};
|
|
- const apol_vector_t *get_from() {
|
|
+ %rename(get_from) wrap_get_from;
|
|
+ const apol_vector_t *wrap_get_from() {
|
|
return apol_relabel_result_get_from(self);
|
|
};
|
|
- const apol_vector_t *get_both() {
|
|
+ %rename(get_both) wrap_get_both;
|
|
+ const apol_vector_t *wrap_get_both() {
|
|
return apol_relabel_result_get_both(self);
|
|
};
|
|
- const qpol_type_t *get_result_type() {
|
|
+ %rename(get_result_type) wrap_get_result_type;
|
|
+ const qpol_type_t *wrap_get_result_type() {
|
|
return apol_relabel_result_get_result_type(self);
|
|
};
|
|
};
|
|
@@ -3042,24 +3549,27 @@ typedef struct apol_relabel_result {} apol_relabel_result_t;
|
|
%}
|
|
typedef struct apol_relabel_result_pair {} apol_relabel_result_pair_t;
|
|
%extend apol_relabel_result_pair_t {
|
|
- apol_relabel_result_pair_t() {
|
|
+ apol_relabel_result_pair() {
|
|
BEGIN_EXCEPTION
|
|
SWIG_exception(SWIG_RuntimeError, "Cannot directly create apol_relabel_result_pair_t objects");
|
|
END_EXCEPTION
|
|
fail:
|
|
return NULL;
|
|
};
|
|
- ~apol_relabel_result_pair_t() {
|
|
+ ~apol_relabel_result_pair() {
|
|
/* no op - owned and free()'d by apol_relabel_result_t */
|
|
return;
|
|
};
|
|
- const qpol_avrule_t *get_ruleA() {
|
|
+ %rename(get_ruleA) wrap_get_ruleA;
|
|
+ const qpol_avrule_t *wrap_get_ruleA() {
|
|
return apol_relabel_result_pair_get_ruleA(self);
|
|
};
|
|
- const qpol_avrule_t *get_ruleB() {
|
|
+ %rename(get_ruleB) wrap_get_ruleB;
|
|
+ const qpol_avrule_t *wrap_get_ruleB() {
|
|
return apol_relabel_result_pair_get_ruleB(self);
|
|
};
|
|
- const qpol_type_t *get_intermediate_type() {
|
|
+ %rename(get_intermediate_type) wrap_get_intermediate_type;
|
|
+ const qpol_type_t *wrap_get_intermediate_type() {
|
|
return apol_relabel_result_pair_get_intermediate_type(self);
|
|
};
|
|
};
|
|
@@ -3084,7 +3594,7 @@ typedef struct apol_relabel_result_pair {} apol_relabel_result_pair_t;
|
|
#define APOL_TYPES_RELATION_TRANS_FLOW_BA 0x8000
|
|
typedef struct apol_types_relation_analysis {} apol_types_relation_analysis_t;
|
|
%extend apol_types_relation_analysis_t {
|
|
- apol_types_relation_analysis_t() {
|
|
+ apol_types_relation_analysis() {
|
|
apol_types_relation_analysis_t *atr;
|
|
BEGIN_EXCEPTION
|
|
atr = apol_types_relation_analysis_create();
|
|
@@ -3095,7 +3605,7 @@ typedef struct apol_types_relation_analysis {} apol_types_relation_analysis_t;
|
|
fail:
|
|
return atr;
|
|
};
|
|
- ~apol_types_relation_analysis_t() {
|
|
+ ~apol_types_relation_analysis() {
|
|
apol_types_relation_analysis_destroy(&self);
|
|
}
|
|
%newobject run(apol_policy_t*);
|
|
@@ -3109,7 +3619,8 @@ typedef struct apol_types_relation_analysis {} apol_types_relation_analysis_t;
|
|
fail:
|
|
return res;
|
|
};
|
|
- void set_first_type(apol_policy_t *p, char *name) {
|
|
+ %rename(set_first_type) wrap_set_first_type;
|
|
+ void wrap_set_first_type(apol_policy_t *p, char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_types_relation_analysis_set_first_type(p, self, name)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set first type for types relation analysis");
|
|
@@ -3118,7 +3629,8 @@ typedef struct apol_types_relation_analysis {} apol_types_relation_analysis_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_other_type(apol_policy_t *p, char *name) {
|
|
+ %rename(set_other_type) wrap_set_other_type;
|
|
+ void wrap_set_other_type(apol_policy_t *p, char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_types_relation_analysis_set_other_type(p, self, name)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set other type for types relation analysis");
|
|
@@ -3127,7 +3639,8 @@ typedef struct apol_types_relation_analysis {} apol_types_relation_analysis_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_analyses(apol_policy_t *p, int analyses) {
|
|
+ %rename(set_analyses) wrap_set_analyses;
|
|
+ void wrap_set_analyses(apol_policy_t *p, int analyses) {
|
|
BEGIN_EXCEPTION
|
|
if (apol_types_relation_analysis_set_analyses(p, self, (unsigned int)analyses)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set analyses to run for types relation analysis");
|
|
@@ -3139,76 +3652,92 @@ typedef struct apol_types_relation_analysis {} apol_types_relation_analysis_t;
|
|
};
|
|
typedef struct apol_types_relation_result {} apol_types_relation_result_t;
|
|
%extend apol_types_relation_result_t {
|
|
- apol_types_relation_result_t() {
|
|
+ apol_types_relation_result() {
|
|
BEGIN_EXCEPTION
|
|
SWIG_exception(SWIG_RuntimeError, "Cannot directly create apol_types_relation_result_t objects");
|
|
END_EXCEPTION
|
|
fail:
|
|
return NULL;
|
|
};
|
|
- ~apol_types_relation_result_t() {
|
|
+ ~apol_types_relation_result() {
|
|
apol_types_relation_result_destroy(&self);
|
|
};
|
|
- const apol_vector_t *get_attributes() {
|
|
+ %rename(get_attributes) wrap_get_attributes;
|
|
+ const apol_vector_t *wrap_get_attributes() {
|
|
return apol_types_relation_result_get_attributes(self);
|
|
};
|
|
- const apol_vector_t *get_roles() {
|
|
+ %rename(get_roles) wrap_get_roles;
|
|
+ const apol_vector_t *wrap_get_roles() {
|
|
return apol_types_relation_result_get_roles(self);
|
|
};
|
|
- const apol_vector_t *get_users() {
|
|
+ %rename(get_users) wrap_get_users;
|
|
+ const apol_vector_t *wrap_get_users() {
|
|
return apol_types_relation_result_get_users(self);
|
|
};
|
|
- const apol_vector_t *get_similar_first() {
|
|
+ %rename(get_similar_first) wrap_get_similar_first;
|
|
+ const apol_vector_t *wrap_get_similar_first() {
|
|
return apol_types_relation_result_get_similar_first(self);
|
|
};
|
|
- const apol_vector_t *get_similar_other() {
|
|
+ %rename(get_similar_other) wrap_get_similar_other;
|
|
+ const apol_vector_t *wrap_get_similar_other() {
|
|
return apol_types_relation_result_get_similar_other(self);
|
|
};
|
|
- const apol_vector_t *get_dissimilar_first() {
|
|
+ %rename(get_dissimilar_first) wrap_get_dissimilar_first;
|
|
+ const apol_vector_t *wrap_get_dissimilar_first() {
|
|
return apol_types_relation_result_get_dissimilar_first(self);
|
|
};
|
|
- const apol_vector_t *get_dissimilar_other() {
|
|
+ %rename(get_dissimilar_other) wrap_get_dissimilar_other;
|
|
+ const apol_vector_t *wrap_get_dissimilar_other() {
|
|
return apol_types_relation_result_get_dissimilar_other(self);
|
|
};
|
|
- const apol_vector_t *get_allowrules() {
|
|
+ %rename(get_allowrules) wrap_get_allowrules;
|
|
+ const apol_vector_t *wrap_get_allowrules() {
|
|
return apol_types_relation_result_get_allowrules(self);
|
|
};
|
|
- const apol_vector_t *get_typerules() {
|
|
+ %rename(get_typerules) wrap_get_typerules;
|
|
+ const apol_vector_t *wrap_get_typerules() {
|
|
return apol_types_relation_result_get_typerules(self);
|
|
};
|
|
- const apol_vector_t *get_directflows() {
|
|
+ %rename(get_directflows) wrap_get_directflows;
|
|
+ const apol_vector_t *wrap_get_directflows() {
|
|
return apol_types_relation_result_get_directflows(self);
|
|
};
|
|
- const apol_vector_t *get_transflowsAB() {
|
|
+ %rename(get_transflowsAB) wrap_get_transflowsAB;
|
|
+ const apol_vector_t *wrap_get_transflowsAB() {
|
|
return apol_types_relation_result_get_transflowsAB(self);
|
|
};
|
|
- const apol_vector_t *get_transflowsBA() {
|
|
+ %rename(get_transflowsBA) wrap_get_transflowsBA;
|
|
+ const apol_vector_t *wrap_get_transflowsBA() {
|
|
return apol_types_relation_result_get_transflowsBA(self);
|
|
};
|
|
- const apol_vector_t*get_domainsAB() {
|
|
+ %rename(get_domainsAB) wrap_get_domainsAB;
|
|
+ const apol_vector_t*wrap_get_domainsAB() {
|
|
return apol_types_relation_result_get_domainsAB(self);
|
|
};
|
|
- const apol_vector_t*get_domainsBA() {
|
|
+ %rename(get_domainsBA) wrap_get_domainsBA;
|
|
+ const apol_vector_t*wrap_get_domainsBA() {
|
|
return apol_types_relation_result_get_domainsBA(self);
|
|
};
|
|
};
|
|
typedef struct apol_types_relation_access {} apol_types_relation_access_t;
|
|
%extend apol_types_relation_access_t {
|
|
- apol_types_relation_access_t() {
|
|
+ apol_types_relation_access() {
|
|
BEGIN_EXCEPTION
|
|
SWIG_exception(SWIG_RuntimeError, "Cannot directly create apol_types_relation_access_t objects");
|
|
END_EXCEPTION
|
|
fail:
|
|
return NULL;
|
|
};
|
|
- ~apol_types_relation_access_t() {
|
|
+ ~apol_types_relation_access() {
|
|
/* no op - vector will destroy */
|
|
return;
|
|
};
|
|
- const qpol_type_t *get_type() {
|
|
+ %rename(get_type) wrap_get_type;
|
|
+ const qpol_type_t *wrap_get_type() {
|
|
return apol_types_relation_access_get_type(self);
|
|
};
|
|
- const apol_vector_t *get_rules() {
|
|
+ %rename(get_rules) wrap_get_rules;
|
|
+ const apol_vector_t *wrap_get_rules() {
|
|
return apol_types_relation_access_get_rules(self);
|
|
};
|
|
};
|
|
diff --git a/libpoldiff/swig/poldiff.i b/libpoldiff/swig/poldiff.i
|
|
index 29767a8..addbb21 100644
|
|
--- a/libpoldiff/swig/poldiff.i
|
|
+++ b/libpoldiff/swig/poldiff.i
|
|
@@ -273,7 +273,7 @@ typedef enum poldiff_form
|
|
%}
|
|
typedef struct poldiff_stats {} poldiff_stats_t;
|
|
%extend poldiff_stats_t {
|
|
- poldiff_stats_t() {
|
|
+ poldiff_stats() {
|
|
poldiff_stats_t *s;
|
|
BEGIN_EXCEPTION
|
|
s = poldiff_stats_create();
|
|
@@ -284,7 +284,7 @@ typedef struct poldiff_stats {} poldiff_stats_t;
|
|
fail:
|
|
return s;
|
|
};
|
|
- ~poldiff_stats_t() {
|
|
+ ~poldiff_stats() {
|
|
poldiff_stats_destroy(&self);
|
|
};
|
|
size_t get_stat(poldiff_form_e form) {
|
|
@@ -348,7 +348,7 @@ unsigned long to_ulong(void *x);
|
|
#endif
|
|
typedef struct poldiff {} poldiff_t;
|
|
%extend poldiff_t {
|
|
- poldiff_t(apol_policy_t *op, apol_policy_t *mp) {
|
|
+ poldiff(apol_policy_t *op, apol_policy_t *mp) {
|
|
poldiff_t *p;
|
|
BEGIN_EXCEPTION
|
|
p = poldiff_create(op, mp, poldiff_swig_message_callback, poldiff_swig_message_callback_arg);
|
|
@@ -360,10 +360,11 @@ typedef struct poldiff {} poldiff_t;
|
|
fail:
|
|
return NULL;
|
|
};
|
|
- ~poldiff_t() {
|
|
+ ~poldiff() {
|
|
poldiff_destroy(&self);
|
|
};
|
|
- void run(uint32_t flags) {
|
|
+ %rename(run) wrap_run;
|
|
+ void wrap_run(uint32_t flags) {
|
|
BEGIN_EXCEPTION
|
|
if (poldiff_run(self, flags)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not run diff");
|
|
@@ -372,11 +373,13 @@ typedef struct poldiff {} poldiff_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- int is_run(uint32_t flags) {
|
|
+ %rename(is_run) wrap_is_run;
|
|
+ int wrap_is_run(uint32_t flags) {
|
|
return poldiff_is_run(self, flags);
|
|
};
|
|
%newobject get_stats(uint32_t);
|
|
- poldiff_stats_t *get_stats(uint32_t flags) {
|
|
+ %rename(get_stats) wrap_get_stats;
|
|
+ poldiff_stats_t *wrap_get_stats(uint32_t flags) {
|
|
poldiff_stats_t *s = NULL;
|
|
BEGIN_EXCEPTION
|
|
s = poldiff_stats_create();
|
|
@@ -392,7 +395,8 @@ typedef struct poldiff {} poldiff_t;
|
|
poldiff_stats_destroy(&s);
|
|
return NULL;
|
|
};
|
|
- void enable_line_numbers() {
|
|
+ %rename(enable_line_numbers) wrap_enable_line_numbers;
|
|
+ void wrap_enable_line_numbers() {
|
|
BEGIN_EXCEPTION
|
|
if (poldiff_enable_line_numbers(self)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not enable line numbers");
|
|
@@ -401,67 +405,88 @@ typedef struct poldiff {} poldiff_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- const apol_vector_t *get_attrib_vector() {
|
|
+ %rename(get_attrib_vector) wrap_get_attrib_vector;
|
|
+ const apol_vector_t *wrap_get_attrib_vector() {
|
|
return poldiff_get_attrib_vector(self);
|
|
};
|
|
- const apol_vector_t *get_avrule_vector_allow() {
|
|
+ %rename(get_avrule_vector_allow) wrap_get_avrule_vector_allow;
|
|
+ const apol_vector_t *wrap_get_avrule_vector_allow() {
|
|
return poldiff_get_avrule_vector_allow(self);
|
|
};
|
|
- const apol_vector_t *get_avrule_vector_auditallow() {
|
|
+ %rename(get_avrule_vector_auditallow) wrap_get_avrule_vector_auditallow;
|
|
+ const apol_vector_t *wrap_get_avrule_vector_auditallow() {
|
|
return poldiff_get_avrule_vector_auditallow(self);
|
|
};
|
|
- const apol_vector_t *get_avrule_vector_dontaudit() {
|
|
+ %rename(get_avrule_vector_dontaudit) wrap_get_avrule_vector_dontaudit;
|
|
+ const apol_vector_t *wrap_get_avrule_vector_dontaudit() {
|
|
return poldiff_get_avrule_vector_dontaudit(self);
|
|
};
|
|
- const apol_vector_t *get_avrule_vector_neverallow() {
|
|
+ %rename(get_avrule_vector_neverallow) wrap_get_avrule_vector_neverallow;
|
|
+ const apol_vector_t *wrap_get_avrule_vector_neverallow() {
|
|
return poldiff_get_avrule_vector_neverallow(self);
|
|
};
|
|
- const apol_vector_t *get_bool_vector() {
|
|
+ %rename(get_bool_vector) wrap_get_bool_vector;
|
|
+ const apol_vector_t *wrap_get_bool_vector() {
|
|
return poldiff_get_bool_vector(self);
|
|
};
|
|
- const apol_vector_t *get_cat_vector() {
|
|
+ %rename(get_cat_vector) wrap_get_cat_vector;
|
|
+ const apol_vector_t *wrap_get_cat_vector() {
|
|
return poldiff_get_cat_vector(self);
|
|
};
|
|
- const apol_vector_t *get_class_vector() {
|
|
+ %rename(get_class_vector) wrap_get_class_vector;
|
|
+ const apol_vector_t *wrap_get_class_vector() {
|
|
return poldiff_get_class_vector(self);
|
|
};
|
|
- const apol_vector_t *get_common_vector() {
|
|
+ %rename(get_common_vector) wrap_get_common_vector;
|
|
+ const apol_vector_t *wrap_get_common_vector() {
|
|
return poldiff_get_common_vector(self);
|
|
};
|
|
- const apol_vector_t *get_level_vector() {
|
|
+ %rename(get_level_vector) wrap_get_level_vector;
|
|
+ const apol_vector_t *wrap_get_level_vector() {
|
|
return poldiff_get_level_vector(self);
|
|
};
|
|
- const apol_vector_t *get_range_trans_vector() {
|
|
+ %rename(get_range_trans_vector) wrap_get_range_trans_vector;
|
|
+ const apol_vector_t *wrap_get_range_trans_vector() {
|
|
return poldiff_get_range_trans_vector(self);
|
|
};
|
|
- const apol_vector_t *get_role_allow_vector() {
|
|
+ %rename(get_role_allow_vector) wrap_get_role_allow_vector;
|
|
+ const apol_vector_t *wrap_get_role_allow_vector() {
|
|
return poldiff_get_role_allow_vector(self);
|
|
};
|
|
- const apol_vector_t *get_role_trans_vector() {
|
|
+ %rename(get_role_trans_vector) wrap_get_role_trans_vector;
|
|
+ const apol_vector_t *wrap_get_role_trans_vector() {
|
|
return poldiff_get_role_trans_vector(self);
|
|
};
|
|
- const apol_vector_t *get_role_vector() {
|
|
+ %rename(get_role_vector) wrap_get_role_vector;
|
|
+ const apol_vector_t *wrap_get_role_vector() {
|
|
return poldiff_get_role_vector(self);
|
|
};
|
|
- const apol_vector_t *get_terule_vector_change() {
|
|
+ %rename(get_terule_vector_change) wrap_get_terule_vector_change;
|
|
+ const apol_vector_t *wrap_get_terule_vector_change() {
|
|
return poldiff_get_terule_vector_change(self);
|
|
};
|
|
- const apol_vector_t *get_terule_vector_member() {
|
|
+ %rename(get_terule_vector_member) wrap_get_terule_vector_member;
|
|
+ const apol_vector_t *wrap_get_terule_vector_member() {
|
|
return poldiff_get_terule_vector_member(self);
|
|
};
|
|
- const apol_vector_t *get_terule_vector_trans() {
|
|
+ %rename(get_terule_vector_trans) wrap_get_terule_vector_trans;
|
|
+ const apol_vector_t *wrap_get_terule_vector_trans() {
|
|
return poldiff_get_terule_vector_trans(self);
|
|
};
|
|
- const apol_vector_t *get_type_vector() {
|
|
+ %rename(get_type_vector) wrap_get_type_vector;
|
|
+ const apol_vector_t *wrap_get_type_vector() {
|
|
return poldiff_get_type_vector(self);
|
|
};
|
|
- const apol_vector_t *get_user_vector() {
|
|
+ %rename(get_user_vector) wrap_get_user_vector;
|
|
+ const apol_vector_t *wrap_get_user_vector() {
|
|
return poldiff_get_user_vector(self);
|
|
};
|
|
- const apol_vector_t *get_type_remap_entries() {
|
|
+ %rename(get_type_remap_entries) wrap_get_type_remap_entries;
|
|
+ const apol_vector_t *wrap_get_type_remap_entries() {
|
|
return poldiff_type_remap_get_entries(self);
|
|
};
|
|
- void type_remap_create(apol_string_vector_t *orig_types, apol_string_vector_t *mod_types) {
|
|
+ %rename(type_remap_create) wrap_type_remap_create;
|
|
+ void wrap_type_remap_create(apol_string_vector_t *orig_types, apol_string_vector_t *mod_types) {
|
|
BEGIN_EXCEPTION
|
|
if (poldiff_type_remap_create(self, (apol_vector_t*)orig_types, (apol_vector_t*)mod_types)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not remap types");
|
|
@@ -478,19 +503,20 @@ typedef struct poldiff {} poldiff_t;
|
|
/* attribute diff */
|
|
typedef struct poldiff_attrib {} poldiff_attrib_t;
|
|
%extend poldiff_attrib_t {
|
|
- poldiff_attrib_t () {
|
|
+ poldiff_attrib () {
|
|
BEGIN_EXCEPTION
|
|
SWIG_exception(SWIG_RuntimeError, "Cannot directly create poldiff_attrib_t objects");
|
|
END_EXCEPTION
|
|
fail:
|
|
return NULL;
|
|
}
|
|
- ~poldiff_attrib_t() {
|
|
+ ~poldiff_attrib() {
|
|
/* no op */
|
|
return;
|
|
};
|
|
%newobject to_string(poldiff_t*);
|
|
- char *to_string(poldiff_t *p) {
|
|
+ %rename(to_string) wrap_to_string;
|
|
+ char *wrap_to_string(poldiff_t *p) {
|
|
char *str;
|
|
BEGIN_EXCEPTION
|
|
str = poldiff_attrib_to_string(p, self);
|
|
@@ -501,16 +527,20 @@ typedef struct poldiff_attrib {} poldiff_attrib_t;
|
|
fail:
|
|
return str;
|
|
};
|
|
- const char *get_name() {
|
|
+ %rename(get_name) wrap_get_name;
|
|
+ const char *wrap_get_name() {
|
|
return poldiff_attrib_get_name(self);
|
|
};
|
|
- poldiff_form_e get_form() {
|
|
+ %rename(get_form) wrap_get_form;
|
|
+ poldiff_form_e wrap_get_form() {
|
|
return poldiff_attrib_get_form(self);
|
|
};
|
|
- const apol_string_vector_t *get_added_types() {
|
|
+ %rename(get_added_types) wrap_get_added_types;
|
|
+ const apol_string_vector_t *wrap_get_added_types() {
|
|
return (apol_string_vector_t*)poldiff_attrib_get_added_types(self);
|
|
};
|
|
- const apol_string_vector_t *get_removed_types() {
|
|
+ %rename(get_removed_types) wrap_get_removed_types;
|
|
+ const apol_string_vector_t *wrap_get_removed_types() {
|
|
return (apol_string_vector_t*)poldiff_attrib_get_removed_types(self);
|
|
};
|
|
};
|
|
@@ -523,19 +553,20 @@ typedef struct poldiff_attrib {} poldiff_attrib_t;
|
|
/* av rule diff */
|
|
typedef struct poldiff_avrule {} poldiff_avrule_t;
|
|
%extend poldiff_avrule_t {
|
|
- poldiff_avrule_t() {
|
|
+ poldiff_avrule() {
|
|
BEGIN_EXCEPTION
|
|
SWIG_exception(SWIG_RuntimeError, "Cannot directly create poldiff_avrule_t objects");
|
|
END_EXCEPTION
|
|
fail:
|
|
return NULL;
|
|
}
|
|
- ~poldiff_avrule_t() {
|
|
+ ~poldiff_avrule() {
|
|
/* no op */
|
|
return;
|
|
};
|
|
%newobject to_string(poldiff_t*);
|
|
- char *to_string(poldiff_t *p) {
|
|
+ %rename(to_string) wrap_to_string;
|
|
+ char *wrap_to_string(poldiff_t *p) {
|
|
char *str;
|
|
BEGIN_EXCEPTION
|
|
str = poldiff_avrule_to_string(p, self);
|
|
@@ -546,22 +577,28 @@ typedef struct poldiff_avrule {} poldiff_avrule_t;
|
|
fail:
|
|
return str;
|
|
};
|
|
- poldiff_form_e get_form() {
|
|
+ %rename(get_form) wrap_get_form;
|
|
+ poldiff_form_e wrap_get_form() {
|
|
return poldiff_avrule_get_form(self);
|
|
};
|
|
- uint32_t get_rule_type() {
|
|
+ %rename(get_rule_type) wrap_get_rule_type;
|
|
+ uint32_t wrap_get_rule_type() {
|
|
return poldiff_avrule_get_rule_type(self);
|
|
};
|
|
- const char *get_source_type() {
|
|
+ %rename(get_source_type) wrap_get_source_type;
|
|
+ const char *wrap_get_source_type() {
|
|
return poldiff_avrule_get_source_type(self);
|
|
};
|
|
- const char *get_target_type() {
|
|
+ %rename(get_target_type) wrap_get_target_type;
|
|
+ const char *wrap_get_target_type() {
|
|
return poldiff_avrule_get_target_type(self);
|
|
};
|
|
- const char *get_object_class() {
|
|
+ %rename(get_object_class) wrap_get_object_class;
|
|
+ const char *wrap_get_object_class() {
|
|
return poldiff_avrule_get_object_class(self);
|
|
};
|
|
- const qpol_cond_t *get_cond(poldiff_t *p) {
|
|
+ %rename(get_cond) wrap_get_cond;
|
|
+ const qpol_cond_t *wrap_get_cond(poldiff_t *p) {
|
|
const qpol_cond_t *cond;
|
|
uint32_t which_list;
|
|
const apol_policy_t *which_pol;
|
|
@@ -582,20 +619,25 @@ typedef struct poldiff_avrule {} poldiff_avrule_t;
|
|
poldiff_avrule_get_cond(p, self, &cond, &which_list, &which_pol);
|
|
return which_pol;
|
|
};
|
|
- const apol_string_vector_t *get_unmodified_perms() {
|
|
+ %rename(get_unmodified_perms) wrap_get_unmodified_perms;
|
|
+ const apol_string_vector_t *wrap_get_unmodified_perms() {
|
|
return (apol_string_vector_t*)poldiff_avrule_get_unmodified_perms(self);
|
|
};
|
|
- const apol_string_vector_t *get_added_perms() {
|
|
+ %rename(get_added_perms) wrap_get_added_perms;
|
|
+ const apol_string_vector_t *wrap_get_added_perms() {
|
|
return (apol_string_vector_t*)poldiff_avrule_get_added_perms(self);
|
|
};
|
|
- const apol_string_vector_t *get_removed_perms() {
|
|
+ %rename(get_removed_perms) wrap_get_removed_perms;
|
|
+ const apol_string_vector_t *wrap_get_removed_perms() {
|
|
return (apol_string_vector_t*)poldiff_avrule_get_removed_perms(self);
|
|
};
|
|
- const apol_vector_t *get_orig_line_numbers() {
|
|
+ %rename(get_orig_line_numbers) wrap_get_orig_line_numbers;
|
|
+ const apol_vector_t *wrap_get_orig_line_numbers() {
|
|
return poldiff_avrule_get_orig_line_numbers(self);
|
|
};
|
|
%newobject get_orig_line_numbers_for_perm(poldiff_t*, char*);
|
|
- apol_vector_t *get_orig_line_numbers_for_perm(poldiff_t *p, char *perm) {
|
|
+ %rename(get_orig_line_numbers_for_perm) wrap_get_orig_line_numbers_for_perm;
|
|
+ apol_vector_t *wrap_get_orig_line_numbers_for_perm(poldiff_t *p, char *perm) {
|
|
apol_vector_t *v;
|
|
BEGIN_EXCEPTION
|
|
v = poldiff_avrule_get_orig_line_numbers_for_perm(p, self, perm);
|
|
@@ -606,11 +648,13 @@ typedef struct poldiff_avrule {} poldiff_avrule_t;
|
|
fail:
|
|
return v;
|
|
};
|
|
- const apol_vector_t *get_mod_line_numbers() {
|
|
+ %rename(get_mod_line_numbers) wrap_get_mod_line_numbers;
|
|
+ const apol_vector_t *wrap_get_mod_line_numbers() {
|
|
return poldiff_avrule_get_mod_line_numbers(self);
|
|
};
|
|
%newobject get_mod_line_numbers_for_perm(poldiff_t*, char*);
|
|
- apol_vector_t *get_mod_line_numbers_for_perm(poldiff_t *p, char *perm) {
|
|
+ %rename(get_mod_line_numbers_for_perm) wrap_get_mod_line_numbers_for_perm;
|
|
+ apol_vector_t *wrap_get_mod_line_numbers_for_perm(poldiff_t *p, char *perm) {
|
|
apol_vector_t *v;
|
|
BEGIN_EXCEPTION
|
|
v = poldiff_avrule_get_mod_line_numbers_for_perm(p, self, perm);
|
|
@@ -631,19 +675,20 @@ typedef struct poldiff_avrule {} poldiff_avrule_t;
|
|
/* boolean diff */
|
|
typedef struct poldiff_bool {} poldiff_bool_t;
|
|
%extend poldiff_bool_t {
|
|
- poldiff_bool_t() {
|
|
+ poldiff_bool() {
|
|
BEGIN_EXCEPTION
|
|
SWIG_exception(SWIG_RuntimeError, "Cannot directly create poldiff_bool_t objects");
|
|
END_EXCEPTION
|
|
fail:
|
|
return NULL;
|
|
}
|
|
- ~poldiff_bool_t() {
|
|
+ ~poldiff_bool() {
|
|
/* no op */
|
|
return;
|
|
};
|
|
%newobject to_string(poldiff_t*);
|
|
- char *to_string(poldiff_t *p) {
|
|
+ %rename(to_string) wrap_to_string;
|
|
+ char *wrap_to_string(poldiff_t *p) {
|
|
char *str;
|
|
BEGIN_EXCEPTION
|
|
str = poldiff_bool_to_string(p, self);
|
|
@@ -654,10 +699,12 @@ typedef struct poldiff_bool {} poldiff_bool_t;
|
|
fail:
|
|
return str;
|
|
};
|
|
- const char *get_name() {
|
|
+ %rename(get_name) wrap_get_name;
|
|
+ const char *wrap_get_name() {
|
|
return poldiff_bool_get_name(self);
|
|
};
|
|
- poldiff_form_e get_form() {
|
|
+ %rename(get_form) wrap_get_form;
|
|
+ poldiff_form_e wrap_get_form() {
|
|
return poldiff_bool_get_form(self);
|
|
};
|
|
};
|
|
@@ -670,19 +717,20 @@ typedef struct poldiff_bool {} poldiff_bool_t;
|
|
/* category diff */
|
|
typedef struct poldiff_cat {} poldiff_cat_t;
|
|
%extend poldiff_cat_t {
|
|
- poldiff_cat_t() {
|
|
+ poldiff_cat() {
|
|
BEGIN_EXCEPTION
|
|
SWIG_exception(SWIG_RuntimeError, "Cannot directly create poldiff_cat_t objects");
|
|
END_EXCEPTION
|
|
fail:
|
|
return NULL;
|
|
}
|
|
- ~poldiff_cat_t() {
|
|
+ ~poldiff_cat() {
|
|
/* no op */
|
|
return;
|
|
};
|
|
%newobject to_string(poldiff_t*);
|
|
- char *to_string(poldiff_t *p) {
|
|
+ %rename(to_string) wrap_to_string;
|
|
+ char *wrap_to_string(poldiff_t *p) {
|
|
char *str;
|
|
BEGIN_EXCEPTION
|
|
str = poldiff_cat_to_string(p, self);
|
|
@@ -693,10 +741,12 @@ typedef struct poldiff_cat {} poldiff_cat_t;
|
|
fail:
|
|
return str;
|
|
};
|
|
- const char *get_name() {
|
|
+ %rename(get_name) wrap_get_name;
|
|
+ const char *wrap_get_name() {
|
|
return poldiff_cat_get_name(self);
|
|
};
|
|
- poldiff_form_e get_form() {
|
|
+ %rename(get_form) wrap_get_form;
|
|
+ poldiff_form_e wrap_get_form() {
|
|
return poldiff_cat_get_form(self);
|
|
};
|
|
};
|
|
@@ -709,19 +759,20 @@ typedef struct poldiff_cat {} poldiff_cat_t;
|
|
/* class diff */
|
|
typedef struct poldiff_class {} poldiff_class_t;
|
|
%extend poldiff_class_t {
|
|
- poldiff_class_t() {
|
|
+ poldiff_class() {
|
|
BEGIN_EXCEPTION
|
|
SWIG_exception(SWIG_RuntimeError, "Cannot directly create poldiff_class_t objects");
|
|
END_EXCEPTION
|
|
fail:
|
|
return NULL;
|
|
}
|
|
- ~poldiff_class_t() {
|
|
+ ~poldiff_class() {
|
|
/* no op */
|
|
return;
|
|
};
|
|
%newobject to_string(poldiff_t*);
|
|
- char *to_string(poldiff_t *p) {
|
|
+ %rename(to_string) wrap_to_string;
|
|
+ char *wrap_to_string(poldiff_t *p) {
|
|
char *str;
|
|
BEGIN_EXCEPTION
|
|
str = poldiff_class_to_string(p, self);
|
|
@@ -732,16 +783,20 @@ typedef struct poldiff_class {} poldiff_class_t;
|
|
fail:
|
|
return str;
|
|
};
|
|
- const char *get_name() {
|
|
+ %rename(get_name) wrap_get_name;
|
|
+ const char *wrap_get_name() {
|
|
return poldiff_class_get_name(self);
|
|
};
|
|
- poldiff_form_e get_form() {
|
|
+ %rename(get_form) wrap_get_form;
|
|
+ poldiff_form_e wrap_get_form() {
|
|
return poldiff_class_get_form(self);
|
|
};
|
|
- const apol_string_vector_t *get_added_perms() {
|
|
+ %rename(get_added_perms) wrap_get_added_perms;
|
|
+ const apol_string_vector_t *wrap_get_added_perms() {
|
|
return (apol_string_vector_t*)poldiff_class_get_added_perms(self);
|
|
};
|
|
- const apol_string_vector_t *get_removed_perms() {
|
|
+ %rename(get_removed_perms) wrap_get_removed_perms;
|
|
+ const apol_string_vector_t *wrap_get_removed_perms() {
|
|
return (apol_string_vector_t*)poldiff_class_get_removed_perms(self);
|
|
};
|
|
};
|
|
@@ -754,19 +809,20 @@ typedef struct poldiff_class {} poldiff_class_t;
|
|
/* common diff */
|
|
typedef struct poldiff_common {} poldiff_common_t;
|
|
%extend poldiff_common_t {
|
|
- poldiff_common_t() {
|
|
+ poldiff_common() {
|
|
BEGIN_EXCEPTION
|
|
SWIG_exception(SWIG_RuntimeError, "Cannot directly create poldiff_common_t objects");
|
|
END_EXCEPTION
|
|
fail:
|
|
return NULL;
|
|
}
|
|
- ~poldiff_common_t() {
|
|
+ ~poldiff_common() {
|
|
/* no op */
|
|
return;
|
|
};
|
|
%newobject to_string(poldiff_t*);
|
|
- char *to_string(poldiff_t *p) {
|
|
+ %rename(to_string) wrap_to_string;
|
|
+ char *wrap_to_string(poldiff_t *p) {
|
|
char *str;
|
|
BEGIN_EXCEPTION
|
|
str = poldiff_common_to_string(p, self);
|
|
@@ -777,16 +833,20 @@ typedef struct poldiff_common {} poldiff_common_t;
|
|
fail:
|
|
return str;
|
|
};
|
|
- const char *get_name() {
|
|
+ %rename(get_name) wrap_get_name;
|
|
+ const char *wrap_get_name() {
|
|
return poldiff_common_get_name(self);
|
|
};
|
|
- poldiff_form_e get_form() {
|
|
+ %rename(get_form) wrap_get_form;
|
|
+ poldiff_form_e wrap_get_form() {
|
|
return poldiff_common_get_form(self);
|
|
};
|
|
- const apol_string_vector_t *get_added_perms() {
|
|
+ %rename(get_added_perms) wrap_get_added_perms;
|
|
+ const apol_string_vector_t *wrap_get_added_perms() {
|
|
return (apol_string_vector_t*)poldiff_common_get_added_perms(self);
|
|
};
|
|
- const apol_string_vector_t *get_removed_perms() {
|
|
+ %rename(get_removed_perms) wrap_get_removed_perms;
|
|
+ const apol_string_vector_t *wrap_get_removed_perms() {
|
|
return (apol_string_vector_t*)poldiff_common_get_removed_perms(self);
|
|
};
|
|
};
|
|
@@ -799,19 +859,20 @@ typedef struct poldiff_common {} poldiff_common_t;
|
|
/* level diff */
|
|
typedef struct poldiff_level {} poldiff_level_t;
|
|
%extend poldiff_level_t {
|
|
- poldiff_level_t() {
|
|
+ poldiff_level() {
|
|
BEGIN_EXCEPTION
|
|
SWIG_exception(SWIG_RuntimeError, "Cannot directly create poldiff_level_t objects");
|
|
END_EXCEPTION
|
|
fail:
|
|
return NULL;
|
|
}
|
|
- ~poldiff_level_t() {
|
|
+ ~poldiff_level() {
|
|
/* no op */
|
|
return;
|
|
};
|
|
%newobject to_string(poldiff_t*);
|
|
- char *to_string(poldiff_t *p) {
|
|
+ %rename(to_string) wrap_to_string;
|
|
+ char *wrap_to_string(poldiff_t *p) {
|
|
char *str;
|
|
BEGIN_EXCEPTION
|
|
str = poldiff_level_to_string(p, self);
|
|
@@ -823,7 +884,8 @@ typedef struct poldiff_level {} poldiff_level_t;
|
|
return str;
|
|
};
|
|
%newobject to_string_brief(poldiff_t*);
|
|
- char *to_string(poldiff_t *p) {
|
|
+ %rename(to_string_brief) wrap_to_string_brief;
|
|
+ char *wrap_to_string_brief(poldiff_t *p) {
|
|
char *str;
|
|
BEGIN_EXCEPTION
|
|
str = poldiff_level_to_string_brief(p, self);
|
|
@@ -834,19 +896,24 @@ typedef struct poldiff_level {} poldiff_level_t;
|
|
fail:
|
|
return str;
|
|
};
|
|
- const char *get_name() {
|
|
+ %rename(get_name) wrap_get_name;
|
|
+ const char *wrap_get_name() {
|
|
return poldiff_level_get_name(self);
|
|
};
|
|
- poldiff_form_e get_form() {
|
|
+ %rename(get_form) wrap_get_form;
|
|
+ poldiff_form_e wrap_get_form() {
|
|
return poldiff_level_get_form(self);
|
|
};
|
|
- const apol_string_vector_t *get_unmodified_cats() {
|
|
+ %rename(get_unmodified_cats) wrap_get_unmodified_cats;
|
|
+ const apol_string_vector_t *wrap_get_unmodified_cats() {
|
|
return (apol_string_vector_t*)poldiff_level_get_unmodified_cats(self);
|
|
};
|
|
- const apol_string_vector_t *get_added_cats() {
|
|
+ %rename(get_added_cats) wrap_get_added_cats;
|
|
+ const apol_string_vector_t *wrap_get_added_cats() {
|
|
return (apol_string_vector_t*)poldiff_level_get_added_cats(self);
|
|
};
|
|
- const apol_string_vector_t *get_removed_cats() {
|
|
+ %rename(get_removed_cats) wrap_get_removed_cats;
|
|
+ const apol_string_vector_t *wrap_get_removed_cats() {
|
|
return (apol_string_vector_t*)poldiff_level_get_removed_cats(self);
|
|
};
|
|
};
|
|
@@ -859,14 +926,14 @@ typedef struct poldiff_level {} poldiff_level_t;
|
|
/* range diff */
|
|
typedef struct poldiff_range {} poldiff_range_t;
|
|
%extend poldiff_range_t {
|
|
- poldiff_range_t() {
|
|
+ poldiff_range() {
|
|
BEGIN_EXCEPTION
|
|
SWIG_exception(SWIG_RuntimeError, "Cannot directly create poldiff_range_t objects");
|
|
END_EXCEPTION
|
|
fail:
|
|
return NULL;
|
|
}
|
|
- ~poldiff_range_t() {
|
|
+ ~poldiff_range() {
|
|
/* no op */
|
|
return;
|
|
};
|
|
@@ -882,22 +949,28 @@ typedef struct poldiff_range {} poldiff_range_t;
|
|
fail:
|
|
return str;
|
|
};
|
|
- const apol_vector_t *get_levels() {
|
|
+ %rename(get_levels) wrap_get_levels;
|
|
+ const apol_vector_t *wrap_get_levels() {
|
|
return poldiff_range_get_levels(self);
|
|
};
|
|
- const apol_mls_range_t *get_original_range() {
|
|
+ %rename(get_original_range) wrap_get_original_range;
|
|
+ const apol_mls_range_t *wrap_get_original_range() {
|
|
return poldiff_range_get_original_range(self);
|
|
};
|
|
- const apol_mls_range_t *get_modified_range() {
|
|
+ %rename(get_modified_range) wrap_get_modified_range;
|
|
+ const apol_mls_range_t *wrap_get_modified_range() {
|
|
return poldiff_range_get_modified_range(self);
|
|
};
|
|
- const apol_string_vector_t *get_min_added_cats() {
|
|
+ %rename(get_min_added_cats) wrap_get_min_added_cats;
|
|
+ const apol_string_vector_t *wrap_get_min_added_cats() {
|
|
return (apol_string_vector_t*)poldiff_range_get_min_added_cats(self);
|
|
};
|
|
- const apol_string_vector_t *get_min_removed_cats() {
|
|
+ %rename(get_min_removed_cats) wrap_get_min_removed_cats;
|
|
+ const apol_string_vector_t *wrap_get_min_removed_cats() {
|
|
return (apol_string_vector_t*)poldiff_range_get_min_removed_cats(self);
|
|
};
|
|
- const apol_string_vector_t *get_min_unmodified_cats() {
|
|
+ %rename(get_min_unmodified_cats) wrap_get_min_unmodified_cats;
|
|
+ const apol_string_vector_t *wrap_get_min_unmodified_cats() {
|
|
return (apol_string_vector_t*)poldiff_range_get_min_unmodified_cats(self);
|
|
};
|
|
};
|
|
@@ -910,19 +983,20 @@ typedef struct poldiff_range {} poldiff_range_t;
|
|
/* range_transition rule diff */
|
|
typedef struct poldiff_range_trans {} poldiff_range_trans_t;
|
|
%extend poldiff_range_trans_t {
|
|
- poldiff_range_trans_t() {
|
|
+ poldiff_range_trans() {
|
|
BEGIN_EXCEPTION
|
|
SWIG_exception(SWIG_RuntimeError, "Cannot directly create poldiff_range_trans_t objects");
|
|
END_EXCEPTION
|
|
fail:
|
|
return NULL;
|
|
}
|
|
- ~poldiff_range_trans_t() {
|
|
+ ~poldiff_range_trans() {
|
|
/* no op */
|
|
return;
|
|
};
|
|
%newobject to_string(poldiff_t*);
|
|
- char *to_string(poldiff_t *p) {
|
|
+ %rename(to_string) wrap_to_string;
|
|
+ char *wrap_to_string(poldiff_t *p) {
|
|
char *str;
|
|
BEGIN_EXCEPTION
|
|
str = poldiff_range_trans_to_string(p, self);
|
|
@@ -933,19 +1007,24 @@ typedef struct poldiff_range_trans {} poldiff_range_trans_t;
|
|
fail:
|
|
return str;
|
|
};
|
|
- poldiff_form_e get_form() {
|
|
+ %rename(get_form) wrap_get_form;
|
|
+ poldiff_form_e wrap_get_form() {
|
|
return poldiff_range_trans_get_form(self);
|
|
};
|
|
- const char *get_source_type() {
|
|
+ %rename(get_source_type) wrap_get_source_type;
|
|
+ const char *wrap_get_source_type() {
|
|
return poldiff_range_trans_get_source_type(self);
|
|
};
|
|
- const char *get_target_type() {
|
|
+ %rename(get_target_type) wrap_get_target_type;
|
|
+ const char *wrap_get_target_type() {
|
|
return poldiff_range_trans_get_target_type(self);
|
|
};
|
|
- const char *get_target_class() {
|
|
+ %rename(get_target_class) wrap_get_target_class;
|
|
+ const char *wrap_get_target_class() {
|
|
return poldiff_range_trans_get_target_class(self);
|
|
};
|
|
- const poldiff_range_t *get_range() {
|
|
+ %rename(get_range) wrap_get_range;
|
|
+ const poldiff_range_t *wrap_get_range() {
|
|
return poldiff_range_trans_get_range(self);
|
|
};
|
|
};
|
|
@@ -958,19 +1037,20 @@ typedef struct poldiff_range_trans {} poldiff_range_trans_t;
|
|
/* role allow rule diff */
|
|
typedef struct poldiff_role_allow {} poldiff_role_allow_t;
|
|
%extend poldiff_role_allow_t {
|
|
- poldiff_role_allow_t() {
|
|
+ poldiff_role_allow() {
|
|
BEGIN_EXCEPTION
|
|
SWIG_exception(SWIG_RuntimeError, "Cannot directly create poldiff_role_allow_t objects");
|
|
END_EXCEPTION
|
|
fail:
|
|
return NULL;
|
|
}
|
|
- ~poldiff_role_allow_t() {
|
|
+ ~poldiff_role_allow() {
|
|
/* no op */
|
|
return;
|
|
};
|
|
%newobject to_string(poldiff_t*);
|
|
- char *to_string(poldiff_t *p) {
|
|
+ %rename(to_string) wrap_to_string;
|
|
+ char *wrap_to_string(poldiff_t *p) {
|
|
char *str;
|
|
BEGIN_EXCEPTION
|
|
str = poldiff_role_allow_to_string(p, self);
|
|
@@ -981,19 +1061,24 @@ typedef struct poldiff_role_allow {} poldiff_role_allow_t;
|
|
fail:
|
|
return str;
|
|
};
|
|
- const char *get_name() {
|
|
+ %rename(get_name) wrap_get_name;
|
|
+ const char *wrap_get_name() {
|
|
return poldiff_role_allow_get_name(self);
|
|
};
|
|
- poldiff_form_e get_form() {
|
|
+ %rename(get_form) wrap_get_form;
|
|
+ poldiff_form_e wrap_get_form() {
|
|
return poldiff_role_allow_get_form(self);
|
|
};
|
|
- const apol_string_vector_t *get_unmodified_roles() {
|
|
+ %rename(get_unmodified_roles) wrap_get_unmodified_roles;
|
|
+ const apol_string_vector_t *wrap_get_unmodified_roles() {
|
|
return (apol_string_vector_t*)poldiff_role_allow_get_unmodified_roles(self);
|
|
};
|
|
- const apol_string_vector_t *get_added_roles() {
|
|
+ %rename(get_added_roles) wrap_get_added_roles;
|
|
+ const apol_string_vector_t *wrap_get_added_roles() {
|
|
return (apol_string_vector_t*)poldiff_role_allow_get_added_roles(self);
|
|
};
|
|
- const apol_string_vector_t *get_removed_roles() {
|
|
+ %rename(get_removed_roles) wrap_get_removed_roles;
|
|
+ const apol_string_vector_t *wrap_get_removed_roles() {
|
|
return (apol_string_vector_t*)poldiff_role_allow_get_removed_roles(self);
|
|
};
|
|
};
|
|
@@ -1006,19 +1091,20 @@ typedef struct poldiff_role_allow {} poldiff_role_allow_t;
|
|
/* role_transition rule diff */
|
|
typedef struct poldiff_role_trans {} poldiff_role_trans_t;
|
|
%extend poldiff_role_trans_t {
|
|
- poldiff_role_trans_t() {
|
|
+ poldiff_role_trans() {
|
|
BEGIN_EXCEPTION
|
|
SWIG_exception(SWIG_RuntimeError, "Cannot directly create poldiff_role_trans_t objects");
|
|
END_EXCEPTION
|
|
fail:
|
|
return NULL;
|
|
}
|
|
- ~poldiff_role_trans_t() {
|
|
+ ~poldiff_role_trans() {
|
|
/* no op */
|
|
return;
|
|
};
|
|
%newobject to_string(poldiff_t*);
|
|
- char *to_string(poldiff_t *p) {
|
|
+ %rename(to_string) wrap_to_string;
|
|
+ char *wrap_to_string(poldiff_t *p) {
|
|
char *str;
|
|
BEGIN_EXCEPTION
|
|
str = poldiff_role_trans_to_string(p, self);
|
|
@@ -1029,19 +1115,24 @@ typedef struct poldiff_role_trans {} poldiff_role_trans_t;
|
|
fail:
|
|
return str;
|
|
};
|
|
- poldiff_form_e get_form() {
|
|
+ %rename(get_form) wrap_get_form;
|
|
+ poldiff_form_e wrap_get_form() {
|
|
return poldiff_role_trans_get_form(self);
|
|
};
|
|
- const char *get_source_role() {
|
|
+ %rename(get_source_role) wrap_get_source_role;
|
|
+ const char *wrap_get_source_role() {
|
|
return poldiff_role_trans_get_source_role(self);
|
|
};
|
|
- const char *get_target_type() {
|
|
+ %rename(get_target_type) wrap_get_target_type;
|
|
+ const char *wrap_get_target_type() {
|
|
return poldiff_role_trans_get_target_type(self);
|
|
};
|
|
- const char *get_original_default() {
|
|
+ %rename(get_original_default) wrap_get_original_default;
|
|
+ const char *wrap_get_original_default() {
|
|
return poldiff_role_trans_get_original_default(self);
|
|
};
|
|
- const char *get_modified_default() {
|
|
+ %rename(get_modified_default) wrap_get_modified_default;
|
|
+ const char *wrap_get_modified_default() {
|
|
return poldiff_role_trans_get_modified_default(self);
|
|
};
|
|
};
|
|
@@ -1054,19 +1145,20 @@ typedef struct poldiff_role_trans {} poldiff_role_trans_t;
|
|
/* role diff */
|
|
typedef struct poldiff_role {} poldiff_role_t;
|
|
%extend poldiff_role_t {
|
|
- poldiff_role_t() {
|
|
+ poldiff_role() {
|
|
BEGIN_EXCEPTION
|
|
SWIG_exception(SWIG_RuntimeError, "Cannot directly create poldiff_role_t objects");
|
|
END_EXCEPTION
|
|
fail:
|
|
return NULL;
|
|
}
|
|
- ~poldiff_role_t() {
|
|
+ ~poldiff_role() {
|
|
/* no op */
|
|
return;
|
|
};
|
|
%newobject to_string(poldiff_t*);
|
|
- char *to_string(poldiff_t *p) {
|
|
+ %rename(to_string) wrap_to_string;
|
|
+ char *wrap_to_string(poldiff_t *p) {
|
|
char *str;
|
|
BEGIN_EXCEPTION
|
|
str = poldiff_role_to_string(p, self);
|
|
@@ -1077,16 +1169,20 @@ typedef struct poldiff_role {} poldiff_role_t;
|
|
fail:
|
|
return str;
|
|
};
|
|
- const char *get_name() {
|
|
+ %rename(get_name) wrap_get_name;
|
|
+ const char *wrap_get_name() {
|
|
return poldiff_role_get_name(self);
|
|
};
|
|
- poldiff_form_e get_form() {
|
|
+ %rename(get_form) wrap_get_form;
|
|
+ poldiff_form_e wrap_get_form() {
|
|
return poldiff_role_get_form(self);
|
|
};
|
|
- const apol_string_vector_t *get_added_types() {
|
|
+ %rename(get_added_types) wrap_get_added_types;
|
|
+ const apol_string_vector_t *wrap_get_added_types() {
|
|
return (apol_string_vector_t*)poldiff_role_get_added_types(self);
|
|
};
|
|
- const apol_string_vector_t *get_removed_types() {
|
|
+ %rename(get_removed_types) wrap_get_removed_types;
|
|
+ const apol_string_vector_t *wrap_get_removed_types() {
|
|
return (apol_string_vector_t*)poldiff_role_get_removed_types(self);
|
|
};
|
|
};
|
|
@@ -1099,19 +1195,20 @@ typedef struct poldiff_role {} poldiff_role_t;
|
|
/* te rule diff */
|
|
typedef struct poldiff_terule {} poldiff_terule_t;
|
|
%extend poldiff_terule_t {
|
|
- poldiff_terule_t() {
|
|
+ poldiff_terule() {
|
|
BEGIN_EXCEPTION
|
|
SWIG_exception(SWIG_RuntimeError, "Cannot directly create poldiff_terule_t objects");
|
|
END_EXCEPTION
|
|
fail:
|
|
return NULL;
|
|
}
|
|
- ~poldiff_terule_t() {
|
|
+ ~poldiff_terule() {
|
|
/* no op */
|
|
return;
|
|
};
|
|
%newobject to_string(poldiff_t*);
|
|
- char *to_string(poldiff_t *p) {
|
|
+ %rename(to_string) wrap_to_string;
|
|
+ char *wrap_to_string(poldiff_t *p) {
|
|
char *str;
|
|
BEGIN_EXCEPTION
|
|
str = poldiff_terule_to_string(p, self);
|
|
@@ -1122,22 +1219,28 @@ typedef struct poldiff_terule {} poldiff_terule_t;
|
|
fail:
|
|
return str;
|
|
};
|
|
- poldiff_form_e get_form() {
|
|
+ %rename(get_form) wrap_get_form;
|
|
+ poldiff_form_e wrap_get_form() {
|
|
return poldiff_terule_get_form(self);
|
|
};
|
|
- uint32_t get_rule_type() {
|
|
+ %rename(get_rule_type) wrap_get_rule_type;
|
|
+ uint32_t wrap_get_rule_type() {
|
|
return poldiff_terule_get_rule_type(self);
|
|
};
|
|
- const char *get_source_type() {
|
|
+ %rename(get_source_type) wrap_get_source_type;
|
|
+ const char *wrap_get_source_type() {
|
|
return poldiff_terule_get_source_type(self);
|
|
};
|
|
- const char *get_target_type() {
|
|
+ %rename(get_target_type) wrap_get_target_type;
|
|
+ const char *wrap_get_target_type() {
|
|
return poldiff_terule_get_target_type(self);
|
|
};
|
|
- const char *get_object_class() {
|
|
+ %rename(get_object_class) wrap_get_object_class;
|
|
+ const char *wrap_get_object_class() {
|
|
return poldiff_terule_get_object_class(self);
|
|
};
|
|
- const qpol_cond_t *get_cond(poldiff_t *p) {
|
|
+ %rename(get_cond) wrap_get_cond;
|
|
+ const qpol_cond_t *wrap_get_cond(poldiff_t *p) {
|
|
const qpol_cond_t *cond;
|
|
uint32_t which_list;
|
|
const apol_policy_t *which_pol;
|
|
@@ -1158,16 +1261,20 @@ typedef struct poldiff_terule {} poldiff_terule_t;
|
|
poldiff_terule_get_cond(p, self, &cond, &which_list, &which_pol);
|
|
return which_pol;
|
|
};
|
|
- const char *get_original_default() {
|
|
+ %rename(get_original_default) wrap_get_original_default;
|
|
+ const char *wrap_get_original_default() {
|
|
return poldiff_terule_get_original_default(self);
|
|
};
|
|
- const char *get_modified_default() {
|
|
+ %rename(get_modified_default) wrap_get_modified_default;
|
|
+ const char *wrap_get_modified_default() {
|
|
return poldiff_terule_get_modified_default(self);
|
|
};
|
|
- const apol_vector_t *get_orig_line_numbers() {
|
|
+ %rename(get_orig_line_numbers) wrap_get_orig_line_numbers;
|
|
+ const apol_vector_t *wrap_get_orig_line_numbers() {
|
|
return poldiff_terule_get_orig_line_numbers(self);
|
|
};
|
|
- const apol_vector_t *get_mod_line_numbers() {
|
|
+ %rename(get_mod_line_numbers) wrap_get_mod_line_numbers;
|
|
+ const apol_vector_t *wrap_get_mod_line_numbers() {
|
|
return poldiff_terule_get_mod_line_numbers(self);
|
|
};
|
|
};
|
|
@@ -1180,19 +1287,20 @@ typedef struct poldiff_terule {} poldiff_terule_t;
|
|
/* type diff */
|
|
typedef struct poldiff_type {} poldiff_type_t;
|
|
%extend poldiff_type_t {
|
|
- poldiff_type_t() {
|
|
+ poldiff_type() {
|
|
BEGIN_EXCEPTION
|
|
SWIG_exception(SWIG_RuntimeError, "Cannot directly create poldiff_type_t objects");
|
|
END_EXCEPTION
|
|
fail:
|
|
return NULL;
|
|
}
|
|
- ~poldiff_type_t() {
|
|
+ ~poldiff_type() {
|
|
/* no op */
|
|
return;
|
|
};
|
|
%newobject to_string(poldiff_t*);
|
|
- char *to_string(poldiff_t *p) {
|
|
+ %rename(to_string) wrap_to_string;
|
|
+ char *wrap_to_string(poldiff_t *p) {
|
|
char *str;
|
|
BEGIN_EXCEPTION
|
|
str = poldiff_type_to_string(p, self);
|
|
@@ -1203,16 +1311,20 @@ typedef struct poldiff_type {} poldiff_type_t;
|
|
fail:
|
|
return str;
|
|
};
|
|
- const char *get_name() {
|
|
+ %rename(get_name) wrap_get_name;
|
|
+ const char *wrap_get_name() {
|
|
return poldiff_type_get_name(self);
|
|
};
|
|
- poldiff_form_e get_form() {
|
|
+ %rename(get_form) wrap_get_form;
|
|
+ poldiff_form_e wrap_get_form() {
|
|
return poldiff_type_get_form(self);
|
|
};
|
|
- const apol_string_vector_t *get_added_attribs() {
|
|
+ %rename(get_added_attribs) wrap_get_added_attribs;
|
|
+ const apol_string_vector_t *wrap_get_added_attribs() {
|
|
return (apol_string_vector_t*)poldiff_type_get_added_attribs(self);
|
|
};
|
|
- const apol_string_vector_t *get_removed_attribs() {
|
|
+ %rename(get_removed_attribs) wrap_get_removed_attribs;
|
|
+ const apol_string_vector_t *wrap_get_removed_attribs() {
|
|
return (apol_string_vector_t*)poldiff_type_get_removed_attribs(self);
|
|
};
|
|
};
|
|
@@ -1225,19 +1337,20 @@ typedef struct poldiff_type {} poldiff_type_t;
|
|
/* user diff */
|
|
typedef struct poldiff_user {} poldiff_user_t;
|
|
%extend poldiff_user_t {
|
|
- poldiff_user_t() {
|
|
+ poldiff_user() {
|
|
BEGIN_EXCEPTION
|
|
SWIG_exception(SWIG_RuntimeError, "Cannot directly create poldiff_user_t objects");
|
|
END_EXCEPTION
|
|
fail:
|
|
return NULL;
|
|
}
|
|
- ~poldiff_user_t() {
|
|
+ ~poldiff_user() {
|
|
/* no op */
|
|
return;
|
|
};
|
|
%newobject to_string(poldiff_t*);
|
|
- char *to_string(poldiff_t *p) {
|
|
+ %rename(to_string) wrap_to_string;
|
|
+ char *wrap_to_string(poldiff_t *p) {
|
|
char *str;
|
|
BEGIN_EXCEPTION
|
|
str = poldiff_user_to_string(p, self);
|
|
@@ -1248,28 +1361,36 @@ typedef struct poldiff_user {} poldiff_user_t;
|
|
fail:
|
|
return str;
|
|
};
|
|
- const char *get_name() {
|
|
+ %rename(get_name) wrap_get_name;
|
|
+ const char *wrap_get_name() {
|
|
return poldiff_user_get_name(self);
|
|
};
|
|
- poldiff_form_e get_form() {
|
|
+ %rename(get_form) wrap_get_form;
|
|
+ poldiff_form_e wrap_get_form() {
|
|
return poldiff_user_get_form(self);
|
|
};
|
|
- const apol_string_vector_t *get_unmodified_roles() {
|
|
+ %rename(get_unmodified_roles) wrap_get_unmodified_roles;
|
|
+ const apol_string_vector_t *wrap_get_unmodified_roles() {
|
|
return (apol_string_vector_t*)poldiff_user_get_unmodified_roles(self);
|
|
};
|
|
- const apol_string_vector_t *get_added_roles() {
|
|
+ %rename(get_added_roles) wrap_get_added_roles;
|
|
+ const apol_string_vector_t *wrap_get_added_roles() {
|
|
return (apol_string_vector_t*)poldiff_user_get_added_roles(self);
|
|
};
|
|
- const apol_string_vector_t *get_removed_roles() {
|
|
+ %rename(get_removed_roles) wrap_get_removed_roles;
|
|
+ const apol_string_vector_t *wrap_get_removed_roles() {
|
|
return (apol_string_vector_t*)poldiff_user_get_removed_roles(self);
|
|
};
|
|
- const poldiff_level_t *get_original_dfltlevel() {
|
|
+ %rename(get_original_dfltlevel) wrap_get_original_dfltlevel;
|
|
+ const poldiff_level_t *wrap_get_original_dfltlevel() {
|
|
return poldiff_user_get_original_dfltlevel(self);
|
|
};
|
|
- const poldiff_level_t *get_modified_dfltlevel() {
|
|
+ %rename(get_modified_dfltlevel) wrap_get_modified_dfltlevel;
|
|
+ const poldiff_level_t *wrap_get_modified_dfltlevel() {
|
|
return poldiff_user_get_modified_dfltlevel(self);
|
|
};
|
|
- const poldiff_range_t *get_range() {
|
|
+ %rename(get_range) wrap_get_range;
|
|
+ const poldiff_range_t *wrap_get_range() {
|
|
return poldiff_user_get_range(self);
|
|
};
|
|
};
|
|
@@ -1282,19 +1403,20 @@ typedef struct poldiff_user {} poldiff_user_t;
|
|
/* type remap */
|
|
typedef struct poldiff_type_remap_entry {} poldiff_type_remap_entry_t;
|
|
%extend poldiff_type_remap_entry_t {
|
|
- poldiff_type_remap_entry_t() {
|
|
+ poldiff_type_remap_entry() {
|
|
BEGIN_EXCEPTION
|
|
SWIG_exception(SWIG_RuntimeError, "Cannot directly create poldiff_type_remap_entry_t objects");
|
|
END_EXCEPTION
|
|
fail:
|
|
return NULL;
|
|
}
|
|
- ~poldiff_type_remap_entry_t() {
|
|
+ ~poldiff_type_remap_entry() {
|
|
/* no op */
|
|
return;
|
|
};
|
|
%newobject get_original_types(poldiff_t*);
|
|
- apol_string_vector_t *get_original_types(poldiff_t *p) {
|
|
+ %rename(get_original_types) wrap_get_original_types;
|
|
+ apol_string_vector_t *wrap_get_original_types(poldiff_t *p) {
|
|
apol_vector_t *v;
|
|
BEGIN_EXCEPTION
|
|
v = poldiff_type_remap_entry_get_original_types(p, self);
|
|
@@ -1306,7 +1428,8 @@ typedef struct poldiff_type_remap_entry {} poldiff_type_remap_entry_t;
|
|
return (apol_string_vector_t*)v;
|
|
};
|
|
%newobject get_modified_types(poldiff_t*);
|
|
- apol_string_vector_t *get_modified_types(poldiff_t *p) {
|
|
+ %rename(get_modified_types) wrap_get_modified_types;
|
|
+ apol_string_vector_t *wrap_get_modified_types(poldiff_t *p) {
|
|
apol_vector_t *v;
|
|
BEGIN_EXCEPTION
|
|
v = poldiff_type_remap_entry_get_modified_types(p, self);
|
|
@@ -1317,13 +1440,16 @@ typedef struct poldiff_type_remap_entry {} poldiff_type_remap_entry_t;
|
|
fail:
|
|
return (apol_string_vector_t*)v;
|
|
};
|
|
- int get_is_inferred() {
|
|
+ %rename(get_is_inferred) wrap_get_is_inferred;
|
|
+ int wrap_get_is_inferred() {
|
|
return poldiff_type_remap_entry_get_is_inferred(self);
|
|
};
|
|
- int get_is_enabled() {
|
|
+ %rename(get_is_enabled) wrap_get_is_enabled;
|
|
+ int wrap_get_is_enabled() {
|
|
return poldiff_type_remap_entry_get_is_enabled(self);
|
|
};
|
|
- void set_enabled(int enable) {
|
|
+ %rename(set_enabled) wrap_set_enabled;
|
|
+ void wrap_set_enabled(int enable) {
|
|
poldiff_type_remap_entry_set_enabled(self, enable);
|
|
};
|
|
};
|
|
diff --git a/libqpol/include/qpol/Makefile.am b/libqpol/include/qpol/Makefile.am
|
|
index 9b570e1..cfd4b12 100644
|
|
--- a/libqpol/include/qpol/Makefile.am
|
|
+++ b/libqpol/include/qpol/Makefile.am
|
|
@@ -7,6 +7,7 @@ qpol_HEADERS = \
|
|
cond_query.h \
|
|
constraint_query.h \
|
|
context_query.h \
|
|
+ default_object_query.h \
|
|
fs_use_query.h \
|
|
genfscon_query.h \
|
|
isid_query.h \
|
|
@@ -17,6 +18,7 @@ qpol_HEADERS = \
|
|
netifcon_query.h \
|
|
nodecon_query.h \
|
|
permissive_query.h \
|
|
+ bounds_query.h \
|
|
polcap_query.h \
|
|
policy.h \
|
|
policy_extend.h \
|
|
diff --git a/libqpol/include/qpol/bounds_query.h b/libqpol/include/qpol/bounds_query.h
|
|
new file mode 100644
|
|
index 0000000..da5e525
|
|
--- /dev/null
|
|
+++ b/libqpol/include/qpol/bounds_query.h
|
|
@@ -0,0 +1,162 @@
|
|
+/**
|
|
+ * @file
|
|
+ * Defines the public interface for searching and iterating over the permissive types.
|
|
+ *
|
|
+ * @author Richard Haines richard_c_haines@btinternet.com
|
|
+ *
|
|
+ * Copyright (C) 2006-2009 Tresys Technology, LLC
|
|
+ *
|
|
+ * This library is free software; you can redistribute it and/or
|
|
+ * modify it under the terms of the GNU Lesser General Public
|
|
+ * License as published by the Free Software Foundation; either
|
|
+ * version 2.1 of the License, or (at your option) any later version.
|
|
+ *
|
|
+ * This library is distributed in the hope that it will be useful,
|
|
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
+ * Lesser General Public License for more details.
|
|
+ *
|
|
+ * You should have received a copy of the GNU Lesser General Public
|
|
+ * License along with this library; if not, write to the Free Software
|
|
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
|
+ */
|
|
+
|
|
+#ifndef QPOL_BOUNDS_QUERY_H
|
|
+#define QPOL_BOUNDS_QUERY_H
|
|
+
|
|
+#ifdef __cplusplus
|
|
+extern "C"
|
|
+{
|
|
+#endif
|
|
+
|
|
+#include <stddef.h>
|
|
+#include <stdint.h>
|
|
+#include <qpol/iterator.h>
|
|
+#include <qpol/policy.h>
|
|
+
|
|
+
|
|
+ /************ TYPEBOUNDS *************/
|
|
+ typedef struct qpol_typebounds qpol_typebounds_t;
|
|
+
|
|
+/**
|
|
+ * Get an iterator for the typebounds types in a policy.
|
|
+ * @param policy The policy from which to create the iterator.
|
|
+ * @param iter Iterator over items of type qpol_isid_t returned.
|
|
+ * The caller is responsible for calling qpol_iterator_destroy
|
|
+ * to free memory used by this iterator.
|
|
+ * It is important to note that this iterator is only valid as long
|
|
+ * as the policy is unmodified.
|
|
+ * @return 0 on success and < 0 on failure; if the call fails,
|
|
+ * errno will be set and *iter will be NULL.
|
|
+ */
|
|
+ extern int qpol_policy_get_typebounds_iter(const qpol_policy_t *policy, qpol_iterator_t **iter);
|
|
+
|
|
+
|
|
+/**
|
|
+ * Get the name which identifies a typebounds type from its datum.
|
|
+ * @param policy The policy with which the type bounds type is associated.
|
|
+ * @param datum typebounds datum for which to get the name. Must be non-NULL.
|
|
+ * @param name Pointer to the string in which to store the name.
|
|
+ * Must be non-NULL. The caller should not free the string.
|
|
+ * @return Returns 0 on success and < 0 on failure; if the call fails,
|
|
+ * errno will be set and *name will be NULL.
|
|
+ */
|
|
+ extern int qpol_typebounds_get_parent_name(const qpol_policy_t *policy, const qpol_typebounds_t *datum, const char **name);
|
|
+
|
|
+/**
|
|
+ * Get the name which identifies a typebounds type from its datum.
|
|
+ * @param policy The policy with which the type bounds type is associated.
|
|
+ * @param datum typebounds datum for which to get the name. Must be non-NULL.
|
|
+ * @param name Pointer to the string in which to store the name.
|
|
+ * Must be non-NULL. The caller should not free the string.
|
|
+ * @return Returns 0 on success and < 0 on failure; if the call fails,
|
|
+ * errno will be set and *name will be NULL.
|
|
+ */
|
|
+ extern int qpol_typebounds_get_child_name(const qpol_policy_t *policy, const qpol_typebounds_t *datum, const char **name);
|
|
+
|
|
+ /************ ROLEBOUNDS *************/
|
|
+ typedef struct qpol_rolebounds qpol_rolebounds_t;
|
|
+
|
|
+/**
|
|
+ * Get an iterator for the rolebounds types in a policy.
|
|
+ * @param policy The policy from which to create the iterator.
|
|
+ * @param iter Iterator over items of type qpol_isid_t returned.
|
|
+ * The caller is responsible for calling qpol_iterator_destroy
|
|
+ * to free memory used by this iterator.
|
|
+ * It is important to note that this iterator is only valid as long
|
|
+ * as the policy is unmodified.
|
|
+ * @return 0 on success and < 0 on failure; if the call fails,
|
|
+ * errno will be set and *iter will be NULL.
|
|
+ */
|
|
+ extern int qpol_policy_get_rolebounds_iter(const qpol_policy_t *policy, qpol_iterator_t **iter);
|
|
+
|
|
+
|
|
+/**
|
|
+ * Get the name which identifies a rolebounds type from its datum.
|
|
+ * @param policy The policy with which the type bounds type is associated.
|
|
+ * @param datum rolebounds datum for which to get the name. Must be non-NULL.
|
|
+ * @param name Pointer to the string in which to store the name.
|
|
+ * Must be non-NULL. The caller should not free the string.
|
|
+ * @return Returns 0 on success and < 0 on failure; if the call fails,
|
|
+ * errno will be set and *name will be NULL.
|
|
+ */
|
|
+ extern int qpol_rolebounds_get_parent_name(const qpol_policy_t *policy, const qpol_rolebounds_t *datum, const char **name);
|
|
+
|
|
+/**
|
|
+ * Get the name which identifies a rolebounds type from its datum.
|
|
+ * @param policy The policy with which the type bounds type is associated.
|
|
+ * @param datum rolebounds datum for which to get the name. Must be non-NULL.
|
|
+ * @param name Pointer to the string in which to store the name.
|
|
+ * Must be non-NULL. The caller should not free the string.
|
|
+ * @return Returns 0 on success and < 0 on failure; if the call fails,
|
|
+ * errno will be set and *name will be NULL.
|
|
+ */
|
|
+ extern int qpol_rolebounds_get_child_name(const qpol_policy_t *policy, const qpol_rolebounds_t *datum, const char **name);
|
|
+
|
|
+ /************ USERBOUNDS *************/
|
|
+ typedef struct qpol_userbounds qpol_userbounds_t;
|
|
+
|
|
+/**
|
|
+ * Get an iterator for the userbounds types in a policy.
|
|
+ * @param policy The policy from which to create the iterator.
|
|
+ * @param iter Iterator over items of type qpol_isid_t returned.
|
|
+ * The caller is responsible for calling qpol_iterator_destroy
|
|
+ * to free memory used by this iterator.
|
|
+ * It is important to note that this iterator is only valid as long
|
|
+ * as the policy is unmodified.
|
|
+ * @return 0 on success and < 0 on failure; if the call fails,
|
|
+ * errno will be set and *iter will be NULL.
|
|
+ */
|
|
+ extern int qpol_policy_get_userbounds_iter(const qpol_policy_t *policy, qpol_iterator_t **iter);
|
|
+
|
|
+
|
|
+/**
|
|
+ * Get the name which identifies a userbounds type from its datum.
|
|
+ * @param policy The policy with which the type bounds type is associated.
|
|
+ * @param datum userbounds datum for which to get the name. Must be non-NULL.
|
|
+ * @param name Pointer to the string in which to store the name.
|
|
+ * Must be non-NULL. The caller should not free the string.
|
|
+ * @return Returns 0 on success and < 0 on failure; if the call fails,
|
|
+ * errno will be set and *name will be NULL.
|
|
+ */
|
|
+ extern int qpol_userbounds_get_parent_name(const qpol_policy_t *policy, const qpol_userbounds_t *datum, const char **name);
|
|
+
|
|
+/**
|
|
+ * Get the name which identifies a userbounds type from its datum.
|
|
+ * @param policy The policy with which the type bounds type is associated.
|
|
+ * @param datum userbounds datum for which to get the name. Must be non-NULL.
|
|
+ * @param name Pointer to the string in which to store the name.
|
|
+ * Must be non-NULL. The caller should not free the string.
|
|
+ * @return Returns 0 on success and < 0 on failure; if the call fails,
|
|
+ * errno will be set and *name will be NULL.
|
|
+ */
|
|
+ extern int qpol_userbounds_get_child_name(const qpol_policy_t *policy, const qpol_userbounds_t *datum, const char **name);
|
|
+
|
|
+
|
|
+
|
|
+
|
|
+#ifdef __cplusplus
|
|
+}
|
|
+#endif
|
|
+
|
|
+#endif /* QPOL_BOUNDS_QUERY_H */
|
|
diff --git a/libqpol/include/qpol/default_object_query.h b/libqpol/include/qpol/default_object_query.h
|
|
new file mode 100644
|
|
index 0000000..e077287
|
|
--- /dev/null
|
|
+++ b/libqpol/include/qpol/default_object_query.h
|
|
@@ -0,0 +1,113 @@
|
|
+/**
|
|
+ * @file
|
|
+ * Defines the public interface for searching and iterating over default objects.
|
|
+ *
|
|
+ * @author Richard Haines richard_c_haines@btinternet.com
|
|
+ *
|
|
+ * Copyright (C) 2006-2009 Tresys Technology, LLC
|
|
+ *
|
|
+ * This library is free software; you can redistribute it and/or
|
|
+ * modify it under the terms of the GNU Lesser General Public
|
|
+ * License as published by the Free Software Foundation; either
|
|
+ * version 2.1 of the License, or (at your option) any later version.
|
|
+ *
|
|
+ * This library is distributed in the hope that it will be useful,
|
|
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
+ * Lesser General Public License for more details.
|
|
+ *
|
|
+ * You should have received a copy of the GNU Lesser General Public
|
|
+ * License along with this library; if not, write to the Free Software
|
|
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
|
+ */
|
|
+
|
|
+#ifndef QPOL_DEFAULT_OBJECT_QUERY_H
|
|
+#define QPOL_DEFAULT_OBJECT_QUERY_H
|
|
+
|
|
+#ifdef __cplusplus
|
|
+extern "C"
|
|
+{
|
|
+#endif
|
|
+
|
|
+#include <stddef.h>
|
|
+#include <stdint.h>
|
|
+#include <qpol/iterator.h>
|
|
+#include <qpol/policy.h>
|
|
+
|
|
+
|
|
+ typedef struct qpol_default_object qpol_default_object_t;
|
|
+
|
|
+/**
|
|
+ * Get an iterator for the default_object types in a policy.
|
|
+ * @param policy The policy from which to create the iterator.
|
|
+ * @param iter Iterator over items of type qpol_isid_t returned.
|
|
+ * The caller is responsible for calling qpol_iterator_destroy
|
|
+ * to free memory used by this iterator.
|
|
+ * It is important to note that this iterator is only valid as long
|
|
+ * as the policy is unmodified.
|
|
+ * @return 0 on success and < 0 on failure; if the call fails,
|
|
+ * errno will be set and *iter will be NULL.
|
|
+ */
|
|
+ extern int qpol_policy_get_default_object_iter(const qpol_policy_t *policy, qpol_iterator_t **iter);
|
|
+
|
|
+/**
|
|
+ * Get the name which identifies a default_object class from its datum.
|
|
+ * @param policy The policy with which class is associated.
|
|
+ * @param datum default_object datum for which to get the name. Must be non-NULL.
|
|
+ * @param name Pointer to the string in which to store the name.
|
|
+ * Must be non-NULL. The caller should not free the string.
|
|
+ * @return Returns 0 on success and < 0 on failure; if the call fails,
|
|
+ * errno will be set and *name will be NULL.
|
|
+ */
|
|
+ extern int qpol_default_object_get_class(const qpol_policy_t *policy, const qpol_default_object_t *datum, const char **name);
|
|
+
|
|
+/**
|
|
+ * Get the value of a default user source/dest from its datum.
|
|
+ * @param policy The policy with which the default object is associated.
|
|
+ * @param datum default_object datum for which to get the value. Must be non-NULL.
|
|
+ * @param default Pointer to the value in which to store the default.
|
|
+ * Must be non-NULL. The caller should not free the string.
|
|
+ * @return Returns 0 on success and < 0 on failure; if the call fails,
|
|
+ * errno will be set and *default will be 0.
|
|
+ */
|
|
+ extern int qpol_default_object_get_user_default(const qpol_policy_t *policy, const qpol_default_object_t *datum, const char **value);
|
|
+
|
|
+/**
|
|
+ * Get the value of a default role source/dest from its datum.
|
|
+ * @param policy The policy with which the default object type is associated.
|
|
+ * @param datum default_object datum for which to get the value. Must be non-NULL.
|
|
+ * @param default Pointer to the value in which to store the default.
|
|
+ * Must be non-NULL. The caller should not free the string.
|
|
+ * @return Returns 0 on success and < 0 on failure; if the call fails,
|
|
+ * errno will be set and *default will be 0.
|
|
+ */
|
|
+ extern int qpol_default_object_get_role_default(const qpol_policy_t *policy, const qpol_default_object_t *datum, const char **value);
|
|
+
|
|
+/**
|
|
+ * Get the value of a default type source/dest from its datum.
|
|
+ * @param policy The policy with which the default object type is associated.
|
|
+ * @param datum default_object datum for which to get the value. Must be non-NULL.
|
|
+ * @param default Pointer to the value in which to store the default.
|
|
+ * Must be non-NULL. The caller should not free the string.
|
|
+ * @return Returns 0 on success and < 0 on failure; if the call fails,
|
|
+ * errno will be set and *default will be 0.
|
|
+ */
|
|
+ extern int qpol_default_object_get_type_default(const qpol_policy_t *policy, const qpol_default_object_t *datum, const char **value);
|
|
+
|
|
+/**
|
|
+ * Get the value of a default range source/dest from its datum.
|
|
+ * @param policy The policy with which the default object type is associated.
|
|
+ * @param datum default_object datum for which to get the value. Must be non-NULL.
|
|
+ * @param default Pointer to the value in which to store the default.
|
|
+ * Must be non-NULL. The caller should not free the string.
|
|
+ * @return Returns 0 on success and < 0 on failure; if the call fails,
|
|
+ * errno will be set and *default will be 0.
|
|
+ */
|
|
+ extern int qpol_default_object_get_range_default(const qpol_policy_t *policy, const qpol_default_object_t *datum, const char **value);
|
|
+
|
|
+
|
|
+#ifdef __cplusplus
|
|
+}
|
|
+#endif
|
|
+
|
|
+#endif
|
|
diff --git a/libqpol/include/qpol/policy.h b/libqpol/include/qpol/policy.h
|
|
index bf85718..4e01cdb 100644
|
|
--- a/libqpol/include/qpol/policy.h
|
|
+++ b/libqpol/include/qpol/policy.h
|
|
@@ -52,6 +52,8 @@ extern "C"
|
|
#include <qpol/netifcon_query.h>
|
|
#include <qpol/nodecon_query.h>
|
|
#include <qpol/permissive_query.h>
|
|
+#include <qpol/bounds_query.h>
|
|
+#include <qpol/default_object_query.h>
|
|
#include <qpol/polcap_query.h>
|
|
#include <qpol/portcon_query.h>
|
|
#include <qpol/rbacrule_query.h>
|
|
@@ -117,7 +119,18 @@ extern "C"
|
|
/** The policy source may be displayed. */
|
|
QPOL_CAP_SOURCE,
|
|
/** The policy supports and was loaded with neverallow rules. */
|
|
- QPOL_CAP_NEVERALLOW
|
|
+ QPOL_CAP_NEVERALLOW,
|
|
+ /** The policy supports bounds rules. */
|
|
+ QPOL_CAP_BOUNDS,
|
|
+ /** The policy supports default object rules. */
|
|
+ QPOL_CAP_DEFAULT_OBJECTS,
|
|
+ QPOL_CAP_DEFAULT_TYPE,
|
|
+ /** The policy supports permissive types. */
|
|
+ QPOL_CAP_PERMISSIVE,
|
|
+ /** The policy supports filename type_transition rules. */
|
|
+ QPOL_CAP_FILENAME_TRANS,
|
|
+ /** The policy supports role transition rules. */
|
|
+ QPOL_CAP_ROLETRANS
|
|
} qpol_capability_e;
|
|
|
|
/**
|
|
@@ -255,6 +268,15 @@ extern "C"
|
|
*/
|
|
extern int qpol_policy_has_capability(const qpol_policy_t * policy, qpol_capability_e cap);
|
|
|
|
+/**
|
|
+ * Get the handle_unknown classes/perms flag for the policy.
|
|
+ * @param policy The policy for which to get the version.
|
|
+ * @param handle_unknown Pointer to the integer to set to the version number.
|
|
+ * @return Returns 0 on success and < 0 on failure; if the call fails,
|
|
+ * errno will be set and *handle_unknown will be 0.
|
|
+ */
|
|
+ extern int qpol_policy_get_policy_handle_unknown(const qpol_policy_t * policy, unsigned int *handle_unknown);
|
|
+
|
|
#ifdef __cplusplus
|
|
}
|
|
#endif
|
|
diff --git a/libqpol/include/qpol/rbacrule_query.h b/libqpol/include/qpol/rbacrule_query.h
|
|
index 342e597..cb26600 100644
|
|
--- a/libqpol/include/qpol/rbacrule_query.h
|
|
+++ b/libqpol/include/qpol/rbacrule_query.h
|
|
@@ -112,6 +112,17 @@ extern "C"
|
|
const qpol_type_t ** target);
|
|
|
|
/**
|
|
+ * Get the object class from a role transition rule.
|
|
+ * @param rule The rule from which to get the object class.
|
|
+ * @param obj_class Pointer in which to store the object class.
|
|
+ * The caller should not free this pointer.
|
|
+ * @return 0 on success and < 0 on failure; if the call fails,
|
|
+ * errno will be set and *target will be NULL.
|
|
+ */
|
|
+ extern int qpol_role_trans_get_object_class(const qpol_policy_t * policy, const qpol_role_trans_t * rule,
|
|
+ const qpol_class_t ** obj_class);
|
|
+
|
|
+/**
|
|
* Get the default role from a role transition rule.
|
|
* @param policy The policy from which the rule comes.
|
|
* @param rule The rule from which to get the default role.
|
|
diff --git a/libqpol/src/Makefile.am b/libqpol/src/Makefile.am
|
|
index 0889a61..77213f4 100644
|
|
--- a/libqpol/src/Makefile.am
|
|
+++ b/libqpol/src/Makefile.am
|
|
@@ -21,6 +21,7 @@ libqpol_a_SOURCES = \
|
|
cond_query.c \
|
|
constraint_query.c \
|
|
context_query.c \
|
|
+ default_object_query.c \
|
|
expand.c \
|
|
expand.h \
|
|
fs_use_query.c \
|
|
@@ -35,6 +36,7 @@ libqpol_a_SOURCES = \
|
|
netifcon_query.c \
|
|
nodecon_query.c \
|
|
permissive_query.c \
|
|
+ bounds_query.c \
|
|
polcap_query.c \
|
|
policy.c \
|
|
policy_define.c policy_define.h \
|
|
diff --git a/libqpol/src/bounds_query.c b/libqpol/src/bounds_query.c
|
|
new file mode 100644
|
|
index 0000000..c3eb020
|
|
--- /dev/null
|
|
+++ b/libqpol/src/bounds_query.c
|
|
@@ -0,0 +1,332 @@
|
|
+/**
|
|
+* @file
|
|
+* Defines the public interface for searching and iterating over the permissive types.
|
|
+*
|
|
+* @author Richard Haines richard_c_haines@btinternet.com
|
|
+*
|
|
+* Copyright (C) 2006-2007 Tresys Technology, LLC
|
|
+*
|
|
+* This library is free software; you can redistribute it and/or
|
|
+* modify it under the terms of the GNU Lesser General Public
|
|
+* License as published by the Free Software Foundation; either
|
|
+* version 2.1 of the License, or (at your option) any later version.
|
|
+*
|
|
+* This library is distributed in the hope that it will be useful,
|
|
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
+* Lesser General Public License for more details.
|
|
+*
|
|
+* You should have received a copy of the GNU Lesser General Public
|
|
+* License along with this library; if not, write to the Free Software
|
|
+* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
|
+*/
|
|
+
|
|
+#include <stddef.h>
|
|
+#include <stdlib.h>
|
|
+#include <stdint.h>
|
|
+#include <qpol/iterator.h>
|
|
+#include <qpol/policy.h>
|
|
+#include <qpol/bounds_query.h>
|
|
+#include <sepol/policydb/policydb.h>
|
|
+#include "qpol_internal.h"
|
|
+#include "iterator_internal.h"
|
|
+
|
|
+ /************ TYPEBOUNDS *************/
|
|
+int qpol_typebounds_get_parent_name(const qpol_policy_t *policy, const qpol_typebounds_t * datum, const char **name)
|
|
+{
|
|
+ type_datum_t *internal_datum = NULL;
|
|
+ policydb_t *db = NULL;
|
|
+
|
|
+ if (policy == NULL || datum == NULL || name == NULL) {
|
|
+ if (name != NULL)
|
|
+ *name = NULL;
|
|
+ ERR(policy, "%s", strerror(EINVAL));
|
|
+ errno = EINVAL;
|
|
+ return STATUS_ERR;
|
|
+ }
|
|
+ *name = NULL;
|
|
+
|
|
+ /* The bounds rules started in ver 24 */
|
|
+ if (!qpol_policy_has_capability(policy, QPOL_CAP_BOUNDS))
|
|
+ return STATUS_SUCCESS;
|
|
+
|
|
+ db = &policy->p->p;
|
|
+ internal_datum = (type_datum_t *)datum;
|
|
+
|
|
+ /* This will be zero if not a typebounds statement */
|
|
+ if (internal_datum->flavor == TYPE_TYPE && internal_datum->bounds != 0) {
|
|
+ *name = db->p_type_val_to_name[internal_datum->bounds - 1];
|
|
+ }
|
|
+ return STATUS_SUCCESS;
|
|
+}
|
|
+
|
|
+int qpol_typebounds_get_child_name(const qpol_policy_t *policy, const qpol_typebounds_t * datum, const char **name)
|
|
+{
|
|
+ type_datum_t *internal_datum = NULL;
|
|
+ policydb_t *db = NULL;
|
|
+
|
|
+ if (policy == NULL || datum == NULL || name == NULL) {
|
|
+ if (name != NULL)
|
|
+ *name = NULL;
|
|
+ ERR(policy, "%s", strerror(EINVAL));
|
|
+ errno = EINVAL;
|
|
+ return STATUS_ERR;
|
|
+ }
|
|
+ *name = NULL;
|
|
+
|
|
+ /* The bounds rules started in ver 24 */
|
|
+ if (!qpol_policy_has_capability(policy, QPOL_CAP_BOUNDS))
|
|
+ return STATUS_SUCCESS;
|
|
+
|
|
+ db = &policy->p->p;
|
|
+ internal_datum = (type_datum_t *)datum;
|
|
+
|
|
+ if (internal_datum->flavor == TYPE_TYPE && internal_datum->bounds != 0) {
|
|
+ *name = db->p_type_val_to_name[internal_datum->s.value - 1];
|
|
+ }
|
|
+ return STATUS_SUCCESS;
|
|
+}
|
|
+
|
|
+/* As type bounds are in types use these, however will need to calc number of bounds manually in top.tcl*/
|
|
+int qpol_policy_get_typebounds_iter(const qpol_policy_t *policy, qpol_iterator_t **iter)
|
|
+{
|
|
+ policydb_t *db;
|
|
+ int error = 0;
|
|
+ hash_state_t *hs = NULL;
|
|
+
|
|
+ if (policy == NULL || iter == NULL) {
|
|
+ if (iter != NULL)
|
|
+ *iter = NULL;
|
|
+ ERR(policy, "%s", strerror(EINVAL));
|
|
+ errno = EINVAL;
|
|
+ return STATUS_ERR;
|
|
+ }
|
|
+
|
|
+ db = &policy->p->p;
|
|
+/*
|
|
+ struct type_datum *type;
|
|
+ size_t i;
|
|
+ int count = 0;
|
|
+
|
|
+ for (i = 0; i < db->p_types.nprim - 1; i++) {
|
|
+ type = db->type_val_to_struct[i];
|
|
+ if (type->flavor == TYPE_TYPE && type->bounds != 0) {
|
|
+ printf("PARENT DOMAIN: %s\n", db->p_type_val_to_name[type->bounds - 1]);
|
|
+ printf("CHILD NAME: %s\n", db->p_type_val_to_name[type->s.value - 1]);
|
|
+ count++;
|
|
+ }
|
|
+ }
|
|
+ printf("Type Bounds count: %d\n", count);
|
|
+*/
|
|
+ hs = calloc(1, sizeof(hash_state_t));
|
|
+ if (hs == NULL) {
|
|
+ error = errno;
|
|
+ ERR(policy, "%s", strerror(ENOMEM));
|
|
+ errno = error;
|
|
+ return STATUS_ERR;
|
|
+ }
|
|
+ hs->table = &db->p_types.table;
|
|
+ hs->node = (*(hs->table))->htable[0];
|
|
+
|
|
+ if (qpol_iterator_create(policy, (void *)hs, hash_state_get_cur,
|
|
+ hash_state_next, hash_state_end, hash_state_size, free, iter)) {
|
|
+ free(hs);
|
|
+ return STATUS_ERR;
|
|
+ }
|
|
+
|
|
+ if (hs->node == NULL)
|
|
+ hash_state_next(*iter);
|
|
+
|
|
+ return STATUS_SUCCESS;
|
|
+}
|
|
+
|
|
+ /************ ROLEBOUNDS *************/
|
|
+int qpol_rolebounds_get_parent_name(const qpol_policy_t *policy, const qpol_rolebounds_t * datum, const char **name)
|
|
+{
|
|
+ role_datum_t *internal_datum = NULL;
|
|
+ policydb_t *db = NULL;
|
|
+
|
|
+ if (policy == NULL || datum == NULL || name == NULL) {
|
|
+ if (name != NULL)
|
|
+ *name = NULL;
|
|
+ ERR(policy, "%s", strerror(EINVAL));
|
|
+ errno = EINVAL;
|
|
+ return STATUS_ERR;
|
|
+ }
|
|
+ *name = NULL;
|
|
+
|
|
+ /* The bounds rules started in ver 24 */
|
|
+ if (!qpol_policy_has_capability(policy, QPOL_CAP_BOUNDS))
|
|
+ return STATUS_SUCCESS;
|
|
+
|
|
+ db = &policy->p->p;
|
|
+ internal_datum = (role_datum_t *)datum;
|
|
+
|
|
+ /* This will be zero if not a rolebounds statement */
|
|
+ if (internal_datum->flavor == ROLE_ROLE && internal_datum->bounds != 0) {
|
|
+ *name = db->p_role_val_to_name[internal_datum->bounds - 1];
|
|
+ }
|
|
+ return STATUS_SUCCESS;
|
|
+}
|
|
+
|
|
+int qpol_rolebounds_get_child_name(const qpol_policy_t *policy, const qpol_rolebounds_t * datum, const char **name)
|
|
+{
|
|
+ role_datum_t *internal_datum = NULL;
|
|
+ policydb_t *db = NULL;
|
|
+
|
|
+ if (policy == NULL || datum == NULL || name == NULL) {
|
|
+ if (name != NULL)
|
|
+ *name = NULL;
|
|
+ ERR(policy, "%s", strerror(EINVAL));
|
|
+ errno = EINVAL;
|
|
+ return STATUS_ERR;
|
|
+ }
|
|
+ *name = NULL;
|
|
+
|
|
+ /* The bounds rules started in ver 24 */
|
|
+ if (!qpol_policy_has_capability(policy, QPOL_CAP_BOUNDS))
|
|
+ return STATUS_SUCCESS;
|
|
+
|
|
+ db = &policy->p->p;
|
|
+ internal_datum = (role_datum_t *)datum;
|
|
+
|
|
+ if (internal_datum->flavor == ROLE_ROLE && internal_datum->bounds != 0) {
|
|
+ *name = db->p_role_val_to_name[internal_datum->s.value - 1];
|
|
+ }
|
|
+ return STATUS_SUCCESS;
|
|
+}
|
|
+
|
|
+/* As rolebounds are in roles use these, however will need to calc number of bounds manually in top.tcl*/
|
|
+int qpol_policy_get_rolebounds_iter(const qpol_policy_t *policy, qpol_iterator_t **iter)
|
|
+{
|
|
+ policydb_t *db;
|
|
+ int error = 0;
|
|
+ hash_state_t *hs = NULL;
|
|
+
|
|
+ if (policy == NULL || iter == NULL) {
|
|
+ if (iter != NULL)
|
|
+ *iter = NULL;
|
|
+ ERR(policy, "%s", strerror(EINVAL));
|
|
+ errno = EINVAL;
|
|
+ return STATUS_ERR;
|
|
+ }
|
|
+
|
|
+ db = &policy->p->p;
|
|
+
|
|
+ hs = calloc(1, sizeof(hash_state_t));
|
|
+ if (hs == NULL) {
|
|
+ error = errno;
|
|
+ ERR(policy, "%s", strerror(ENOMEM));
|
|
+ errno = error;
|
|
+ return STATUS_ERR;
|
|
+ }
|
|
+ hs->table = &db->p_roles.table;
|
|
+ hs->node = (*(hs->table))->htable[0];
|
|
+
|
|
+ if (qpol_iterator_create(policy, (void *)hs, hash_state_get_cur,
|
|
+ hash_state_next, hash_state_end, hash_state_size, free, iter)) {
|
|
+ free(hs);
|
|
+ return STATUS_ERR;
|
|
+ }
|
|
+
|
|
+ if (hs->node == NULL)
|
|
+ hash_state_next(*iter);
|
|
+
|
|
+ return STATUS_SUCCESS;
|
|
+}
|
|
+
|
|
+ /************ USERBOUNDS *************/
|
|
+int qpol_userbounds_get_parent_name(const qpol_policy_t *policy, const qpol_userbounds_t * datum, const char **name)
|
|
+{
|
|
+ user_datum_t *internal_datum = NULL;
|
|
+ policydb_t *db = NULL;
|
|
+
|
|
+ if (policy == NULL || datum == NULL || name == NULL) {
|
|
+ if (name != NULL)
|
|
+ *name = NULL;
|
|
+ ERR(policy, "%s", strerror(EINVAL));
|
|
+ errno = EINVAL;
|
|
+ return STATUS_ERR;
|
|
+ }
|
|
+ *name = NULL;
|
|
+
|
|
+ /* The bounds rules started in ver 24 */
|
|
+ if (!qpol_policy_has_capability(policy, QPOL_CAP_BOUNDS))
|
|
+ return STATUS_SUCCESS;
|
|
+
|
|
+ db = &policy->p->p;
|
|
+ internal_datum = (user_datum_t *)datum;
|
|
+
|
|
+ /* This will be zero if not a userbounds statement */
|
|
+ if (internal_datum->bounds != 0) {
|
|
+ *name = db->p_user_val_to_name[internal_datum->bounds - 1];
|
|
+ }
|
|
+ return STATUS_SUCCESS;
|
|
+}
|
|
+
|
|
+int qpol_userbounds_get_child_name(const qpol_policy_t *policy, const qpol_userbounds_t * datum, const char **name)
|
|
+{
|
|
+ user_datum_t *internal_datum = NULL;
|
|
+ policydb_t *db = NULL;
|
|
+
|
|
+ if (policy == NULL || datum == NULL || name == NULL) {
|
|
+ if (name != NULL)
|
|
+ *name = NULL;
|
|
+ ERR(policy, "%s", strerror(EINVAL));
|
|
+ errno = EINVAL;
|
|
+ return STATUS_ERR;
|
|
+ }
|
|
+ *name = NULL;
|
|
+
|
|
+ /* The bounds rules started in ver 24 */
|
|
+ if (!qpol_policy_has_capability(policy, QPOL_CAP_BOUNDS))
|
|
+ return STATUS_SUCCESS;
|
|
+
|
|
+ db = &policy->p->p;
|
|
+ internal_datum = (user_datum_t *)datum;
|
|
+
|
|
+ if (internal_datum->bounds != 0) {
|
|
+ *name = db->p_user_val_to_name[internal_datum->s.value - 1];
|
|
+ }
|
|
+ return STATUS_SUCCESS;
|
|
+}
|
|
+
|
|
+/* As userbounds are in users use these, however will need to calc number of bounds manually in top.tcl*/
|
|
+int qpol_policy_get_userbounds_iter(const qpol_policy_t *policy, qpol_iterator_t **iter)
|
|
+{
|
|
+ policydb_t *db;
|
|
+ int error = 0;
|
|
+ hash_state_t *hs = NULL;
|
|
+
|
|
+ if (policy == NULL || iter == NULL) {
|
|
+ if (iter != NULL)
|
|
+ *iter = NULL;
|
|
+ ERR(policy, "%s", strerror(EINVAL));
|
|
+ errno = EINVAL;
|
|
+ return STATUS_ERR;
|
|
+ }
|
|
+
|
|
+ db = &policy->p->p;
|
|
+
|
|
+ hs = calloc(1, sizeof(hash_state_t));
|
|
+ if (hs == NULL) {
|
|
+ error = errno;
|
|
+ ERR(policy, "%s", strerror(ENOMEM));
|
|
+ errno = error;
|
|
+ return STATUS_ERR;
|
|
+ }
|
|
+ hs->table = &db->p_users.table;
|
|
+ hs->node = (*(hs->table))->htable[0];
|
|
+
|
|
+ if (qpol_iterator_create(policy, (void *)hs, hash_state_get_cur,
|
|
+ hash_state_next, hash_state_end, hash_state_size, free, iter)) {
|
|
+ free(hs);
|
|
+ return STATUS_ERR;
|
|
+ }
|
|
+
|
|
+ if (hs->node == NULL)
|
|
+ hash_state_next(*iter);
|
|
+
|
|
+ return STATUS_SUCCESS;
|
|
+}
|
|
+
|
|
diff --git a/libqpol/src/constraint_query.c b/libqpol/src/constraint_query.c
|
|
index 1545ad7..28111b7 100644
|
|
--- a/libqpol/src/constraint_query.c
|
|
+++ b/libqpol/src/constraint_query.c
|
|
@@ -778,9 +778,16 @@ int qpol_constraint_expr_node_get_names_iter(const qpol_policy_t * policy, const
|
|
errno = ENOMEM;
|
|
return STATUS_ERR;
|
|
}
|
|
+
|
|
+ int policy_version;
|
|
+ if (qpol_policy_get_policy_version(policy, &policy_version))
|
|
+ return STATUS_ERR;
|
|
+
|
|
if (internal_expr->attr & QPOL_CEXPR_SYM_TYPE) {
|
|
- if (policy_type == QPOL_POLICY_KERNEL_BINARY) {
|
|
+ if (policy_type == QPOL_POLICY_KERNEL_BINARY && policy_version <= 28) {
|
|
cns->inc = &(internal_expr->names);
|
|
+ } else if (policy_type == QPOL_POLICY_KERNEL_BINARY && policy_version > 28) {
|
|
+ cns->inc = &(internal_expr->type_names->types);
|
|
} else {
|
|
cns->inc = &(internal_expr->type_names->types);
|
|
cns->sub = &(internal_expr->type_names->negset);
|
|
diff --git a/libqpol/src/default_object_query.c b/libqpol/src/default_object_query.c
|
|
new file mode 100644
|
|
index 0000000..4143674
|
|
--- /dev/null
|
|
+++ b/libqpol/src/default_object_query.c
|
|
@@ -0,0 +1,281 @@
|
|
+/**
|
|
+* @file
|
|
+* Defines the public interface for searching and iterating over default objects.
|
|
+*
|
|
+* @author Richard Haines richard_c_haines@btinternet.com
|
|
+*
|
|
+* Copyright (C) 2006-2007 Tresys Technology, LLC
|
|
+*
|
|
+* This library is free software; you can redistribute it and/or
|
|
+* modify it under the terms of the GNU Lesser General Public
|
|
+* License as published by the Free Software Foundation; either
|
|
+* version 2.1 of the License, or (at your option) any later version.
|
|
+*
|
|
+* This library is distributed in the hope that it will be useful,
|
|
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
+* Lesser General Public License for more details.
|
|
+*
|
|
+* You should have received a copy of the GNU Lesser General Public
|
|
+* License along with this library; if not, write to the Free Software
|
|
+* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
|
+*/
|
|
+
|
|
+#include <stddef.h>
|
|
+#include <stdlib.h>
|
|
+#include <stdint.h>
|
|
+#include <qpol/iterator.h>
|
|
+#include <qpol/policy.h>
|
|
+#include <qpol/default_object_query.h>
|
|
+#include <sepol/policydb/policydb.h>
|
|
+#include "qpol_internal.h"
|
|
+#include "iterator_internal.h"
|
|
+
|
|
+int qpol_default_object_get_class(const qpol_policy_t *policy, const qpol_default_object_t * datum, const char **name)
|
|
+{
|
|
+ class_datum_t *internal_datum = NULL;
|
|
+ policydb_t *db = NULL;
|
|
+
|
|
+ if (policy == NULL || datum == NULL || name == NULL) {
|
|
+ if (name != NULL)
|
|
+ *name = NULL;
|
|
+ ERR(policy, "%s", strerror(EINVAL));
|
|
+ errno = EINVAL;
|
|
+ return STATUS_ERR;
|
|
+ }
|
|
+ *name = NULL;
|
|
+
|
|
+ db = &policy->p->p;
|
|
+ internal_datum = (class_datum_t *)datum;
|
|
+
|
|
+ /* These will be zero if no default_objects set */
|
|
+ if (internal_datum->default_user || internal_datum->default_role ||
|
|
+ internal_datum->default_type ||
|
|
+ internal_datum->default_range) {
|
|
+ *name = db->p_class_val_to_name[internal_datum->s.value - 1];
|
|
+ }
|
|
+ return STATUS_SUCCESS;
|
|
+}
|
|
+
|
|
+int qpol_default_object_get_user_default(const qpol_policy_t *policy, const qpol_default_object_t * datum, const char **value)
|
|
+{
|
|
+ class_datum_t *internal_datum = NULL;
|
|
+ policydb_t *db = NULL;
|
|
+
|
|
+ if (policy == NULL || datum == NULL || value == NULL) {
|
|
+ if (value != NULL)
|
|
+ *value = NULL;
|
|
+ ERR(policy, "%s", strerror(EINVAL));
|
|
+ errno = EINVAL;
|
|
+ return STATUS_ERR;
|
|
+ }
|
|
+ *value = NULL;
|
|
+
|
|
+ /* The user default started in ver 27 */
|
|
+ if (!qpol_policy_has_capability(policy, QPOL_CAP_DEFAULT_OBJECTS))
|
|
+ return STATUS_SUCCESS;
|
|
+
|
|
+ db = &policy->p->p;
|
|
+ internal_datum = (class_datum_t *)datum;
|
|
+
|
|
+ if (internal_datum->default_user == DEFAULT_SOURCE) {
|
|
+ *value = "source";
|
|
+ } else if (internal_datum->default_user == DEFAULT_TARGET) {
|
|
+ *value = "target";
|
|
+ }
|
|
+ return STATUS_SUCCESS;
|
|
+}
|
|
+
|
|
+int qpol_default_object_get_role_default(const qpol_policy_t *policy, const qpol_default_object_t * datum, const char **value)
|
|
+{
|
|
+ class_datum_t *internal_datum = NULL;
|
|
+ policydb_t *db = NULL;
|
|
+
|
|
+ if (policy == NULL || datum == NULL || value == NULL) {
|
|
+ if (value != NULL)
|
|
+ *value = NULL;
|
|
+ ERR(policy, "%s", strerror(EINVAL));
|
|
+ errno = EINVAL;
|
|
+ return STATUS_ERR;
|
|
+ }
|
|
+ *value = NULL;
|
|
+
|
|
+ /* The role default started in ver 27 */
|
|
+ if (!qpol_policy_has_capability(policy, QPOL_CAP_DEFAULT_OBJECTS))
|
|
+ return STATUS_SUCCESS;
|
|
+
|
|
+ db = &policy->p->p;
|
|
+ internal_datum = (class_datum_t *)datum;
|
|
+
|
|
+ if (internal_datum->default_role == DEFAULT_SOURCE) {
|
|
+ *value = "source";
|
|
+ } else if (internal_datum->default_role == DEFAULT_TARGET) {
|
|
+ *value = "target";
|
|
+ }
|
|
+ return STATUS_SUCCESS;
|
|
+}
|
|
+
|
|
+int qpol_default_object_get_type_default(const qpol_policy_t *policy, const qpol_default_object_t * datum, const char **value)
|
|
+{
|
|
+ class_datum_t *internal_datum = NULL;
|
|
+ policydb_t *db = NULL;
|
|
+
|
|
+ if (policy == NULL || datum == NULL || value == NULL) {
|
|
+ if (value != NULL)
|
|
+ *value = NULL;
|
|
+ ERR(policy, "%s", strerror(EINVAL));
|
|
+ errno = EINVAL;
|
|
+ return STATUS_ERR;
|
|
+ }
|
|
+ *value = NULL;
|
|
+
|
|
+ /* The type default started in ver 28 */
|
|
+ if (!qpol_policy_has_capability(policy, QPOL_CAP_DEFAULT_TYPE))
|
|
+ return STATUS_SUCCESS;
|
|
+
|
|
+ db = &policy->p->p;
|
|
+ internal_datum = (class_datum_t *)datum;
|
|
+
|
|
+ if (internal_datum->default_type == DEFAULT_SOURCE) {
|
|
+ *value = "source";
|
|
+ } else if (internal_datum->default_type == DEFAULT_TARGET) {
|
|
+ *value = "target";
|
|
+ }
|
|
+ return STATUS_SUCCESS;
|
|
+}
|
|
+
|
|
+int qpol_default_object_get_range_default(const qpol_policy_t *policy, const qpol_default_object_t * datum, const char **value)
|
|
+{
|
|
+ class_datum_t *internal_datum = NULL;
|
|
+ policydb_t *db = NULL;
|
|
+
|
|
+ if (policy == NULL || datum == NULL || value == NULL) {
|
|
+ if (value != NULL)
|
|
+ *value = NULL;
|
|
+ ERR(policy, "%s", strerror(EINVAL));
|
|
+ errno = EINVAL;
|
|
+ return STATUS_ERR;
|
|
+ }
|
|
+ *value = NULL;
|
|
+
|
|
+ /* The range default started in ver 27 */
|
|
+ int policy_version;
|
|
+ if (!qpol_policy_has_capability(policy, QPOL_CAP_DEFAULT_OBJECTS))
|
|
+ return STATUS_SUCCESS;
|
|
+
|
|
+ db = &policy->p->p;
|
|
+ internal_datum = (class_datum_t *)datum;
|
|
+
|
|
+ switch (internal_datum->default_range) {
|
|
+ case DEFAULT_SOURCE_LOW:
|
|
+ *value = "source low";
|
|
+ break;
|
|
+ case DEFAULT_SOURCE_HIGH:
|
|
+ *value = "source high";
|
|
+ break;
|
|
+ case DEFAULT_SOURCE_LOW_HIGH:
|
|
+ *value = "source low_high";
|
|
+ break;
|
|
+ case DEFAULT_TARGET_LOW:
|
|
+ *value = "target low";
|
|
+ break;
|
|
+ case DEFAULT_TARGET_HIGH:
|
|
+ *value = "target high";
|
|
+ break;
|
|
+ case DEFAULT_TARGET_LOW_HIGH:
|
|
+ *value = "target low_high";
|
|
+ break;
|
|
+ default:
|
|
+ break;
|
|
+ }
|
|
+ return STATUS_SUCCESS;
|
|
+}
|
|
+
|
|
+/* As default objects are in classes use these, however will need to calc number of default objects manually in top.tcl*/
|
|
+int qpol_policy_get_default_object_iter(const qpol_policy_t *policy, qpol_iterator_t **iter)
|
|
+{
|
|
+ policydb_t *db;
|
|
+ int error = 0;
|
|
+ hash_state_t *hs = NULL;
|
|
+
|
|
+ if (policy == NULL || iter == NULL) {
|
|
+ if (iter != NULL)
|
|
+ *iter = NULL;
|
|
+ ERR(policy, "%s", strerror(EINVAL));
|
|
+ errno = EINVAL;
|
|
+ return STATUS_ERR;
|
|
+ }
|
|
+
|
|
+ db = &policy->p->p;
|
|
+/*
|
|
+ class_datum_t *cladatum;
|
|
+ sepol_security_class_t tclass;
|
|
+ char *class;
|
|
+
|
|
+ for (tclass = 1; tclass <= db->p_classes.nprim; tclass++) {
|
|
+ cladatum = db->class_val_to_struct[tclass - 1];
|
|
+ class = db->p_class_val_to_name[tclass - 1];
|
|
+
|
|
+ if (cladatum->default_user == DEFAULT_SOURCE) {
|
|
+ printf("default_user %s source;\n", class);
|
|
+ } else if (cladatum->default_user == DEFAULT_TARGET) {
|
|
+ printf("default_user %s target;\n", class);
|
|
+ }
|
|
+
|
|
+ if (cladatum->default_role == DEFAULT_SOURCE) {
|
|
+ printf("default_role %s source;\n", class);
|
|
+ } else if (cladatum->default_role == DEFAULT_TARGET) {
|
|
+ printf("default_role %s target;\n", class);
|
|
+ }
|
|
+
|
|
+ if (cladatum->default_type == DEFAULT_SOURCE) {
|
|
+ printf("default_type %s source;\n", class);
|
|
+ } else if (cladatum->default_type == DEFAULT_TARGET) {
|
|
+ printf("default_type %s target;\n", class);
|
|
+ }
|
|
+
|
|
+ switch (cladatum->default_range) {
|
|
+ case DEFAULT_SOURCE_LOW:
|
|
+ printf("default_range %s source low;\n", class);
|
|
+ break;
|
|
+ case DEFAULT_SOURCE_HIGH:
|
|
+ printf("default_range %s source high;\n", class);
|
|
+ break;
|
|
+ case DEFAULT_SOURCE_LOW_HIGH:
|
|
+ printf("default_range %s source low_high;\n", class);
|
|
+ break;
|
|
+ case DEFAULT_TARGET_LOW:
|
|
+ printf("default_range %s target low;\n", class);
|
|
+ break;
|
|
+ case DEFAULT_TARGET_HIGH:
|
|
+ printf("default_range %s target high;\n", class);
|
|
+ break;
|
|
+ case DEFAULT_TARGET_LOW_HIGH:
|
|
+ printf("default_range %s target low_high;\n", class);
|
|
+ break;
|
|
+ default:
|
|
+ break;
|
|
+ }
|
|
+ }
|
|
+*/
|
|
+ hs = calloc(1, sizeof(hash_state_t));
|
|
+ if (hs == NULL) {
|
|
+ error = errno;
|
|
+ ERR(policy, "%s", strerror(ENOMEM));
|
|
+ errno = error;
|
|
+ return STATUS_ERR;
|
|
+ }
|
|
+ hs->table = &db->p_classes.table;
|
|
+ hs->node = (*(hs->table))->htable[0];
|
|
+
|
|
+ if (qpol_iterator_create(policy, (void *)hs, hash_state_get_cur,
|
|
+ hash_state_next, hash_state_end, hash_state_size, free, iter)) {
|
|
+ free(hs);
|
|
+ return STATUS_ERR;
|
|
+ }
|
|
+
|
|
+ if (hs->node == NULL)
|
|
+ hash_state_next(*iter);
|
|
+
|
|
+ return STATUS_SUCCESS;
|
|
+}
|
|
diff --git a/libqpol/src/libqpol.map b/libqpol/src/libqpol.map
|
|
index 6973cca..1e80308 100644
|
|
--- a/libqpol/src/libqpol.map
|
|
+++ b/libqpol/src/libqpol.map
|
|
@@ -63,12 +63,17 @@ VERS_1.3 {
|
|
VERS_1.4 {
|
|
global:
|
|
qpol_type_get_ispermissive;
|
|
+ qpol_type_get_parent_name;
|
|
} VERS_1.3;
|
|
|
|
VERS_1.5 {
|
|
global:
|
|
qpol_policy_permissive_*;
|
|
qpol_permissive_*;
|
|
+ qpol_typebounds_*;
|
|
+ qpol_rolebounds_*;
|
|
+ qpol_userbounds_*;
|
|
qpol_policy_polcap_*;
|
|
qpol_polcap_*;
|
|
+ qpol_default_object_*;
|
|
} VERS_1.4;
|
|
diff --git a/libqpol/src/module_compiler.c b/libqpol/src/module_compiler.c
|
|
index b06e285..b00d97e 100644
|
|
--- a/libqpol/src/module_compiler.c
|
|
+++ b/libqpol/src/module_compiler.c
|
|
@@ -14,6 +14,7 @@
|
|
* the Free Software Foundation, version 2.
|
|
*/
|
|
|
|
+/* Required for SETools libqpol services */
|
|
#include <config.h>
|
|
|
|
#include <assert.h>
|
|
@@ -28,21 +29,19 @@
|
|
#include "queue.h"
|
|
#include "module_compiler.h"
|
|
|
|
-union stack_item_u
|
|
-{
|
|
+union stack_item_u {
|
|
avrule_block_t *avrule;
|
|
cond_list_t *cond_list;
|
|
};
|
|
|
|
-typedef struct scope_stack
|
|
-{
|
|
+typedef struct scope_stack {
|
|
union stack_item_u u;
|
|
- int type; /* for above union: 1 = avrule block, 2 = conditional */
|
|
- avrule_decl_t *decl; /* if in an avrule block, which
|
|
- * declaration is current */
|
|
+ int type; /* for above union: 1 = avrule block, 2 = conditional */
|
|
+ avrule_decl_t *decl; /* if in an avrule block, which
|
|
+ * declaration is current */
|
|
avrule_t *last_avrule;
|
|
- int in_else; /* if in an avrule block, within ELSE branch */
|
|
- int require_given; /* 1 if this block had at least one require */
|
|
+ int in_else; /* if in an avrule block, within ELSE branch */
|
|
+ int require_given; /* 1 if this block had at least one require */
|
|
struct scope_stack *parent, *child;
|
|
} scope_stack_t;
|
|
|
|
@@ -65,7 +64,8 @@ int define_policy(int pass, int module_header_given)
|
|
|
|
if (module_header_given) {
|
|
if (policydbp->policy_type != POLICY_MOD) {
|
|
- yyerror("Module specification found while not building a policy module.\n");
|
|
+ yyerror
|
|
+ ("Module specification found while not building a policy module.\n");
|
|
return -1;
|
|
}
|
|
|
|
@@ -79,14 +79,17 @@ int define_policy(int pass, int module_header_given)
|
|
return -1;
|
|
}
|
|
policydbp->name = id;
|
|
- if ((policydbp->version = queue_remove(id_queue)) == NULL) {
|
|
- yyerror("Expected a module version but none was found.");
|
|
+ if ((policydbp->version =
|
|
+ queue_remove(id_queue)) == NULL) {
|
|
+ yyerror
|
|
+ ("Expected a module version but none was found.");
|
|
return -1;
|
|
}
|
|
}
|
|
} else {
|
|
if (policydbp->policy_type == POLICY_MOD) {
|
|
- yyerror("Building a policy module, but no module specification found.\n");
|
|
+ yyerror
|
|
+ ("Building a policy module, but no module specification found.\n");
|
|
return -1;
|
|
}
|
|
}
|
|
@@ -98,7 +101,8 @@ int define_policy(int pass, int module_header_given)
|
|
while (stack_top != NULL) {
|
|
pop_stack();
|
|
}
|
|
- if (push_stack(1, policydbp->global, policydbp->global->branch_list) == -1) {
|
|
+ if (push_stack(1, policydbp->global, policydbp->global->branch_list) ==
|
|
+ -1) {
|
|
return -1;
|
|
}
|
|
last_block = policydbp->global;
|
|
@@ -127,7 +131,9 @@ static int is_declaration_allowed(void)
|
|
* For duplicate declarations return -2. For all else, including out
|
|
* of memory, return -3. Note that dest_value and datum_value might
|
|
* not be restricted pointers. */
|
|
-int declare_symbol(uint32_t symbol_type, hashtab_key_t key, hashtab_datum_t datum, uint32_t * dest_value, uint32_t * datum_value)
|
|
+int declare_symbol(uint32_t symbol_type,
|
|
+ hashtab_key_t key, hashtab_datum_t datum,
|
|
+ uint32_t * dest_value, uint32_t * datum_value)
|
|
{
|
|
avrule_decl_t *decl = stack_top->decl;
|
|
int retval;
|
|
@@ -136,14 +142,17 @@ int declare_symbol(uint32_t symbol_type, hashtab_key_t key, hashtab_datum_t datu
|
|
if (!is_declaration_allowed()) {
|
|
return -1;
|
|
}
|
|
- retval = symtab_insert(policydbp, symbol_type, key, datum, SCOPE_DECL, decl->decl_id, dest_value);
|
|
+ retval = symtab_insert(policydbp, symbol_type, key, datum,
|
|
+ SCOPE_DECL, decl->decl_id, dest_value);
|
|
if (retval == 1 && dest_value) {
|
|
- symtab_datum_t *s = (symtab_datum_t *) hashtab_search(policydbp->symtab[symbol_type].table,
|
|
- key);
|
|
+ symtab_datum_t *s =
|
|
+ (symtab_datum_t *) hashtab_search(policydbp->
|
|
+ symtab[symbol_type].table,
|
|
+ key);
|
|
assert(s != NULL);
|
|
-
|
|
+
|
|
if (symbol_type == SYM_LEVELS) {
|
|
- *dest_value = ((level_datum_t *) s)->level->sens;
|
|
+ *dest_value = ((level_datum_t *)s)->level->sens;
|
|
} else {
|
|
*dest_value = s->value;
|
|
}
|
|
@@ -151,35 +160,38 @@ int declare_symbol(uint32_t symbol_type, hashtab_key_t key, hashtab_datum_t datu
|
|
return -2;
|
|
} else if (retval < 0) {
|
|
return -3;
|
|
- } else { /* fall through possible if retval is 0 */
|
|
+ } else { /* fall through possible if retval is 0 */
|
|
}
|
|
if (datum_value != NULL) {
|
|
- if (ebitmap_set_bit(decl->declared.scope + symbol_type, *datum_value - 1, 1)) {
|
|
+ if (ebitmap_set_bit(decl->declared.scope + symbol_type,
|
|
+ *datum_value - 1, 1)) {
|
|
return -3;
|
|
}
|
|
}
|
|
return retval;
|
|
}
|
|
|
|
-static int role_implicit_bounds(hashtab_t roles_tab, char *role_id, role_datum_t * role)
|
|
+static int role_implicit_bounds(hashtab_t roles_tab,
|
|
+ char *role_id, role_datum_t *role)
|
|
{
|
|
role_datum_t *bounds;
|
|
char *bounds_id, *delim;
|
|
|
|
delim = strrchr(role_id, '.');
|
|
if (!delim)
|
|
- return 0; /* no implicit boundary */
|
|
+ return 0; /* no implicit boundary */
|
|
|
|
bounds_id = strdup(role_id);
|
|
if (!bounds_id) {
|
|
yyerror("out of memory");
|
|
return -1;
|
|
}
|
|
- bounds_id[(size_t) (delim - role_id)] = '\0';
|
|
+ bounds_id[(size_t)(delim - role_id)] = '\0';
|
|
|
|
bounds = hashtab_search(roles_tab, bounds_id);
|
|
if (!bounds) {
|
|
- yyerror2("role %s doesn't exist, is implicit bounds of %s", bounds_id, role_id);
|
|
+ yyerror2("role %s doesn't exist, is implicit bounds of %s",
|
|
+ bounds_id, role_id);
|
|
return -1;
|
|
}
|
|
|
|
@@ -187,7 +199,8 @@ static int role_implicit_bounds(hashtab_t roles_tab, char *role_id, role_datum_t
|
|
role->bounds = bounds->s.value;
|
|
else if (role->bounds != bounds->s.value) {
|
|
yyerror2("role %s has inconsistent bounds %s/%s",
|
|
- role_id, bounds_id, policydbp->p_role_val_to_name[role->bounds - 1]);
|
|
+ role_id, bounds_id,
|
|
+ policydbp->p_role_val_to_name[role->bounds - 1]);
|
|
return -1;
|
|
}
|
|
free(bounds_id);
|
|
@@ -195,7 +208,7 @@ static int role_implicit_bounds(hashtab_t roles_tab, char *role_id, role_datum_t
|
|
return 0;
|
|
}
|
|
|
|
-role_datum_t *declare_role(void)
|
|
+role_datum_t *declare_role(unsigned char isattr)
|
|
{
|
|
char *id = queue_remove(id_queue), *dest_id = NULL;
|
|
role_datum_t *role = NULL, *dest_role = NULL;
|
|
@@ -212,8 +225,10 @@ role_datum_t *declare_role(void)
|
|
return NULL;
|
|
}
|
|
role_datum_init(role);
|
|
-
|
|
- retval = declare_symbol(SYM_ROLES, id, (hashtab_datum_t *) role, &value, &value);
|
|
+ role->flavor = isattr ? ROLE_ATTRIB : ROLE_ROLE;
|
|
+ retval =
|
|
+ declare_symbol(SYM_ROLES, id, (hashtab_datum_t *) role, &value,
|
|
+ &value);
|
|
if (retval == 0) {
|
|
role->s.value = value;
|
|
if ((dest_id = strdup(id)) == NULL) {
|
|
@@ -238,13 +253,16 @@ role_datum_t *declare_role(void)
|
|
}
|
|
dest_role = (role_datum_t *) hashtab_search(roles_tab, dest_id);
|
|
if (dest_role == NULL) {
|
|
- if ((dest_role = (role_datum_t *) malloc(sizeof(*dest_role))) == NULL) {
|
|
+ if ((dest_role =
|
|
+ (role_datum_t *) malloc(sizeof(*dest_role))) ==
|
|
+ NULL) {
|
|
yyerror("Out of memory!");
|
|
free(dest_id);
|
|
return NULL;
|
|
}
|
|
role_datum_init(dest_role);
|
|
dest_role->s.value = value;
|
|
+ dest_role->flavor = isattr ? ROLE_ATTRIB : ROLE_ROLE;
|
|
if (role_implicit_bounds(roles_tab, dest_id, dest_role)) {
|
|
free(dest_id);
|
|
role_datum_destroy(dest_role);
|
|
@@ -266,30 +284,31 @@ role_datum_t *declare_role(void)
|
|
}
|
|
switch (retval) {
|
|
case -3:{
|
|
- yyerror("Out of memory!");
|
|
- return NULL;
|
|
- }
|
|
+ yyerror("Out of memory!");
|
|
+ return NULL;
|
|
+ }
|
|
case -2:{
|
|
- yyerror("duplicate declaration of role");
|
|
- return NULL;
|
|
- }
|
|
+ yyerror("duplicate declaration of role");
|
|
+ return NULL;
|
|
+ }
|
|
case -1:{
|
|
- yyerror("could not declare role here");
|
|
- return NULL;
|
|
- }
|
|
- case 0:{
|
|
- if (ebitmap_set_bit(&dest_role->dominates, role->s.value - 1, 1)) {
|
|
- yyerror("out of memory");
|
|
+ yyerror("could not declare role here");
|
|
return NULL;
|
|
}
|
|
- return dest_role;
|
|
- }
|
|
+ case 0:{
|
|
+ if (ebitmap_set_bit
|
|
+ (&dest_role->dominates, role->s.value - 1, 1)) {
|
|
+ yyerror("out of memory");
|
|
+ return NULL;
|
|
+ }
|
|
+ return dest_role;
|
|
+ }
|
|
case 1:{
|
|
- return dest_role; /* role already declared for this block */
|
|
- }
|
|
+ return dest_role; /* role already declared for this block */
|
|
+ }
|
|
default:{
|
|
- assert(0); /* should never get here */
|
|
- }
|
|
+ assert(0); /* should never get here */
|
|
+ }
|
|
}
|
|
}
|
|
|
|
@@ -306,7 +325,8 @@ type_datum_t *declare_type(unsigned char primary, unsigned char isattr)
|
|
return NULL;
|
|
}
|
|
if (strcmp(id, "self") == 0) {
|
|
- yyerror("'self' is a reserved type name and may not be declared.");
|
|
+ yyerror
|
|
+ ("'self' is a reserved type name and may not be declared.");
|
|
free(id);
|
|
return NULL;
|
|
}
|
|
@@ -334,46 +354,48 @@ type_datum_t *declare_type(unsigned char primary, unsigned char isattr)
|
|
}
|
|
switch (retval) {
|
|
case -3:{
|
|
- yyerror("Out of memory!");
|
|
- return NULL;
|
|
- }
|
|
+ yyerror("Out of memory!");
|
|
+ return NULL;
|
|
+ }
|
|
case -2:{
|
|
- yyerror2("duplicate declaration of type/attribute");
|
|
- return NULL;
|
|
- }
|
|
+ yyerror2("duplicate declaration of type/attribute");
|
|
+ return NULL;
|
|
+ }
|
|
case -1:{
|
|
- yyerror("could not declare type/attribute here");
|
|
- return NULL;
|
|
- }
|
|
+ yyerror("could not declare type/attribute here");
|
|
+ return NULL;
|
|
+ }
|
|
case 0:
|
|
case 1:{
|
|
- return typdatum;
|
|
- }
|
|
+ return typdatum;
|
|
+ }
|
|
default:{
|
|
- assert(0); /* should never get here */
|
|
- }
|
|
+ assert(0); /* should never get here */
|
|
+ }
|
|
}
|
|
}
|
|
|
|
-static int user_implicit_bounds(hashtab_t users_tab, char *user_id, user_datum_t * user)
|
|
+static int user_implicit_bounds(hashtab_t users_tab,
|
|
+ char *user_id, user_datum_t *user)
|
|
{
|
|
user_datum_t *bounds;
|
|
char *bounds_id, *delim;
|
|
|
|
delim = strrchr(user_id, '.');
|
|
if (!delim)
|
|
- return 0; /* no implicit boundary */
|
|
+ return 0; /* no implicit boundary */
|
|
|
|
bounds_id = strdup(user_id);
|
|
if (!bounds_id) {
|
|
yyerror("out of memory");
|
|
return -1;
|
|
}
|
|
- bounds_id[(size_t) (delim - user_id)] = '\0';
|
|
+ bounds_id[(size_t)(delim - user_id)] = '\0';
|
|
|
|
bounds = hashtab_search(users_tab, bounds_id);
|
|
if (!bounds) {
|
|
- yyerror2("user %s doesn't exist, is implicit bounds of %s", bounds_id, user_id);
|
|
+ yyerror2("user %s doesn't exist, is implicit bounds of %s",
|
|
+ bounds_id, user_id);
|
|
return -1;
|
|
}
|
|
|
|
@@ -381,7 +403,8 @@ static int user_implicit_bounds(hashtab_t users_tab, char *user_id, user_datum_t
|
|
user->bounds = bounds->s.value;
|
|
else if (user->bounds != bounds->s.value) {
|
|
yyerror2("user %s has inconsistent bounds %s/%s",
|
|
- user_id, bounds_id, policydbp->p_role_val_to_name[user->bounds - 1]);
|
|
+ user_id, bounds_id,
|
|
+ policydbp->p_role_val_to_name[user->bounds - 1]);
|
|
return -1;
|
|
}
|
|
free(bounds_id);
|
|
@@ -407,7 +430,9 @@ user_datum_t *declare_user(void)
|
|
}
|
|
user_datum_init(user);
|
|
|
|
- retval = declare_symbol(SYM_USERS, id, (hashtab_datum_t *) user, &value, &value);
|
|
+ retval =
|
|
+ declare_symbol(SYM_USERS, id, (hashtab_datum_t *) user, &value,
|
|
+ &value);
|
|
|
|
if (retval == 0) {
|
|
user->s.value = value;
|
|
@@ -433,7 +458,9 @@ user_datum_t *declare_user(void)
|
|
}
|
|
dest_user = (user_datum_t *) hashtab_search(users_tab, dest_id);
|
|
if (dest_user == NULL) {
|
|
- if ((dest_user = (user_datum_t *) malloc(sizeof(*dest_user))) == NULL) {
|
|
+ if ((dest_user =
|
|
+ (user_datum_t *) malloc(sizeof(*dest_user))) ==
|
|
+ NULL) {
|
|
yyerror("Out of memory!");
|
|
free(dest_id);
|
|
return NULL;
|
|
@@ -461,26 +488,26 @@ user_datum_t *declare_user(void)
|
|
}
|
|
switch (retval) {
|
|
case -3:{
|
|
- yyerror("Out of memory!");
|
|
- return NULL;
|
|
- }
|
|
+ yyerror("Out of memory!");
|
|
+ return NULL;
|
|
+ }
|
|
case -2:{
|
|
- yyerror("duplicate declaration of user");
|
|
- return NULL;
|
|
- }
|
|
+ yyerror("duplicate declaration of user");
|
|
+ return NULL;
|
|
+ }
|
|
case -1:{
|
|
- yyerror("could not declare user here");
|
|
- return NULL;
|
|
- }
|
|
+ yyerror("could not declare user here");
|
|
+ return NULL;
|
|
+ }
|
|
case 0:{
|
|
- return dest_user;
|
|
- }
|
|
+ return dest_user;
|
|
+ }
|
|
case 1:{
|
|
- return dest_user; /* user already declared for this block */
|
|
- }
|
|
+ return dest_user; /* user already declared for this block */
|
|
+ }
|
|
default:{
|
|
- assert(0); /* should never get here */
|
|
- }
|
|
+ assert(0); /* should never get here */
|
|
+ }
|
|
}
|
|
}
|
|
|
|
@@ -530,6 +557,55 @@ type_datum_t *get_local_type(char *id, uint32_t value, unsigned char isattr)
|
|
return dest_typdatum;
|
|
}
|
|
|
|
+/* Return a role_datum_t for the local avrule_decl with the given ID.
|
|
+ * If it does not exist, create one with the same value as 'value'.
|
|
+ * This function assumes that the ID is within scope. c.f.,
|
|
+ * is_id_in_scope().
|
|
+ *
|
|
+ * NOTE: this function usurps ownership of id afterwards. The caller
|
|
+ * shall not reference it nor free() it afterwards.
|
|
+ */
|
|
+role_datum_t *get_local_role(char *id, uint32_t value, unsigned char isattr)
|
|
+{
|
|
+ role_datum_t *dest_roledatum;
|
|
+ hashtab_t roles_tab;
|
|
+
|
|
+ assert(stack_top->type == 1);
|
|
+
|
|
+ if (stack_top->parent == NULL) {
|
|
+ /* in global, so use global symbol table */
|
|
+ roles_tab = policydbp->p_roles.table;
|
|
+ } else {
|
|
+ roles_tab = stack_top->decl->p_roles.table;
|
|
+ }
|
|
+
|
|
+ dest_roledatum = hashtab_search(roles_tab, id);
|
|
+ if (!dest_roledatum) {
|
|
+ dest_roledatum = (role_datum_t *)malloc(sizeof(role_datum_t));
|
|
+ if (dest_roledatum == NULL) {
|
|
+ free(id);
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
+ role_datum_init(dest_roledatum);
|
|
+ dest_roledatum->s.value = value;
|
|
+ dest_roledatum->flavor = isattr ? ROLE_ATTRIB : ROLE_ROLE;
|
|
+
|
|
+ if (hashtab_insert(roles_tab, id, dest_roledatum)) {
|
|
+ free(id);
|
|
+ role_datum_destroy(dest_roledatum);
|
|
+ free(dest_roledatum);
|
|
+ return NULL;
|
|
+ }
|
|
+ } else {
|
|
+ free(id);
|
|
+ if (dest_roledatum->flavor != isattr ? ROLE_ATTRIB : ROLE_ROLE)
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
+ return dest_roledatum;
|
|
+}
|
|
+
|
|
/* Given the current parse stack, returns 1 if a requirement would be
|
|
* allowed here or 0 if not. For example, the ELSE branch may never
|
|
* have its own requirements.
|
|
@@ -550,7 +626,9 @@ static int is_require_allowed(void)
|
|
* return -3.. Note that dest_value and datum_value might not be
|
|
* restricted pointers.
|
|
*/
|
|
-int require_symbol(uint32_t symbol_type, hashtab_key_t key, hashtab_datum_t datum, uint32_t * dest_value, uint32_t * datum_value)
|
|
+int require_symbol(uint32_t symbol_type,
|
|
+ hashtab_key_t key, hashtab_datum_t datum,
|
|
+ uint32_t * dest_value, uint32_t * datum_value)
|
|
{
|
|
avrule_decl_t *decl = stack_top->decl;
|
|
int retval;
|
|
@@ -559,14 +637,17 @@ int require_symbol(uint32_t symbol_type, hashtab_key_t key, hashtab_datum_t datu
|
|
if (!is_require_allowed()) {
|
|
return -1;
|
|
}
|
|
- retval = symtab_insert(policydbp, symbol_type, key, datum, SCOPE_REQ, decl->decl_id, dest_value);
|
|
+ retval = symtab_insert(policydbp, symbol_type, key, datum,
|
|
+ SCOPE_REQ, decl->decl_id, dest_value);
|
|
if (retval == 1) {
|
|
- symtab_datum_t *s = (symtab_datum_t *) hashtab_search(policydbp->symtab[symbol_type].table,
|
|
- key);
|
|
+ symtab_datum_t *s =
|
|
+ (symtab_datum_t *) hashtab_search(policydbp->
|
|
+ symtab[symbol_type].table,
|
|
+ key);
|
|
assert(s != NULL);
|
|
-
|
|
+
|
|
if (symbol_type == SYM_LEVELS) {
|
|
- *dest_value = ((level_datum_t *) s)->level->sens;
|
|
+ *dest_value = ((level_datum_t *)s)->level->sens;
|
|
} else {
|
|
*dest_value = s->value;
|
|
}
|
|
@@ -578,11 +659,17 @@ int require_symbol(uint32_t symbol_type, hashtab_key_t key, hashtab_datum_t datu
|
|
if (symbol_type == SYM_TYPES) {
|
|
/* check that previous symbol has same
|
|
* type/attribute-ness */
|
|
- unsigned char new_isattr = ((type_datum_t *) datum)->flavor;
|
|
- type_datum_t *old_datum = (type_datum_t *) hashtab_search(policydbp->symtab[SYM_TYPES].table, key);
|
|
+ unsigned char new_isattr =
|
|
+ ((type_datum_t *) datum)->flavor;
|
|
+ type_datum_t *old_datum =
|
|
+ (type_datum_t *) hashtab_search(policydbp->
|
|
+ symtab
|
|
+ [SYM_TYPES].
|
|
+ table, key);
|
|
assert(old_datum != NULL);
|
|
unsigned char old_isattr = old_datum->flavor;
|
|
- prev_declaration_ok = (old_isattr == new_isattr ? 1 : 0);
|
|
+ prev_declaration_ok =
|
|
+ (old_isattr == new_isattr ? 1 : 0);
|
|
} else {
|
|
prev_declaration_ok = 1;
|
|
}
|
|
@@ -600,10 +687,11 @@ int require_symbol(uint32_t symbol_type, hashtab_key_t key, hashtab_datum_t datu
|
|
}
|
|
} else if (retval < 0) {
|
|
return -3;
|
|
- } else { /* fall through possible if retval is 0 or 1 */
|
|
+ } else { /* fall through possible if retval is 0 or 1 */
|
|
}
|
|
if (datum_value != NULL) {
|
|
- if (ebitmap_set_bit(decl->required.scope + symbol_type, *datum_value - 1, 1)) {
|
|
+ if (ebitmap_set_bit(decl->required.scope + symbol_type,
|
|
+ *datum_value - 1, 1)) {
|
|
return -3;
|
|
}
|
|
}
|
|
@@ -632,13 +720,15 @@ int add_perm_to_class(uint32_t perm_value, uint32_t class_value)
|
|
}
|
|
scope->class_perms_len = class_value;
|
|
}
|
|
- if (ebitmap_set_bit(scope->class_perms_map + class_value - 1, perm_value - 1, 1)) {
|
|
+ if (ebitmap_set_bit(scope->class_perms_map + class_value - 1,
|
|
+ perm_value - 1, 1)) {
|
|
return -1;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
-static int perm_destroy(hashtab_key_t key, hashtab_datum_t datum, void *p __attribute__ ((unused)))
|
|
+static int perm_destroy(hashtab_key_t key, hashtab_datum_t datum, void *p
|
|
+ __attribute__ ((unused)))
|
|
{
|
|
if (key)
|
|
free(key);
|
|
@@ -676,48 +766,53 @@ int require_class(int pass)
|
|
return -1;
|
|
}
|
|
|
|
- if ((datum = calloc(1, sizeof(*datum))) == NULL || symtab_init(&datum->permissions, PERM_SYMTAB_SIZE)) {
|
|
+ if ((datum = calloc(1, sizeof(*datum))) == NULL ||
|
|
+ symtab_init(&datum->permissions, PERM_SYMTAB_SIZE)) {
|
|
yyerror("Out of memory!");
|
|
goto cleanup;
|
|
}
|
|
- ret = require_symbol(SYM_CLASSES, class_id, datum, &datum->s.value, &datum->s.value);
|
|
+ ret =
|
|
+ require_symbol(SYM_CLASSES, class_id, datum, &datum->s.value,
|
|
+ &datum->s.value);
|
|
switch (ret) {
|
|
case -3:{
|
|
- yyerror("Out of memory!");
|
|
- free(class_id);
|
|
- class_datum_destroy(datum);
|
|
- goto cleanup;
|
|
- }
|
|
+ yyerror("Out of memory!");
|
|
+ free(class_id);
|
|
+ class_datum_destroy(datum);
|
|
+ goto cleanup;
|
|
+ }
|
|
case -2:{
|
|
- yyerror("duplicate declaration of class");
|
|
- free(class_id);
|
|
- class_datum_destroy(datum);
|
|
- goto cleanup;
|
|
- }
|
|
+ yyerror("duplicate declaration of class");
|
|
+ free(class_id);
|
|
+ class_datum_destroy(datum);
|
|
+ goto cleanup;
|
|
+ }
|
|
case -1:{
|
|
- yyerror("could not require class here");
|
|
- free(class_id);
|
|
- class_datum_destroy(datum);
|
|
- goto cleanup;
|
|
- }
|
|
- case 0:{
|
|
- /* a new class was added; reindex everything */
|
|
- if (policydb_index_classes(policydbp)) {
|
|
- yyerror("Out of memory!");
|
|
+ yyerror("could not require class here");
|
|
+ free(class_id);
|
|
+ class_datum_destroy(datum);
|
|
goto cleanup;
|
|
}
|
|
- break;
|
|
- }
|
|
+ case 0:{
|
|
+ /* a new class was added; reindex everything */
|
|
+ if (policydb_index_classes(policydbp)) {
|
|
+ yyerror("Out of memory!");
|
|
+ goto cleanup;
|
|
+ }
|
|
+ break;
|
|
+ }
|
|
case 1:{
|
|
- class_datum_destroy(datum);
|
|
- datum = hashtab_search(policydbp->p_classes.table, class_id);
|
|
- assert(datum); /* the class datum should have existed */
|
|
- free(class_id);
|
|
- break;
|
|
- }
|
|
+ class_datum_destroy(datum);
|
|
+ datum =
|
|
+ hashtab_search(policydbp->p_classes.table,
|
|
+ class_id);
|
|
+ assert(datum); /* the class datum should have existed */
|
|
+ free(class_id);
|
|
+ break;
|
|
+ }
|
|
default:{
|
|
- assert(0); /* should never get here */
|
|
- }
|
|
+ assert(0); /* should never get here */
|
|
+ }
|
|
}
|
|
|
|
/* now add each of the permissions to this class's requirements */
|
|
@@ -727,14 +822,18 @@ int require_class(int pass)
|
|
/* Is the permission already in the table? */
|
|
perm = hashtab_search(datum->permissions.table, perm_id);
|
|
if (!perm && datum->comdatum)
|
|
- perm = hashtab_search(datum->comdatum->permissions.table, perm_id);
|
|
+ perm =
|
|
+ hashtab_search(datum->comdatum->permissions.table,
|
|
+ perm_id);
|
|
if (perm) {
|
|
/* Yes, drop the name. */
|
|
free(perm_id);
|
|
} else {
|
|
/* No - allocate and insert an entry for it. */
|
|
if (policydbp->policy_type == POLICY_BASE) {
|
|
- yyerror2("Base policy - require of permission %s without prior declaration.", perm_id);
|
|
+ yyerror2
|
|
+ ("Base policy - require of permission %s without prior declaration.",
|
|
+ perm_id);
|
|
free(perm_id);
|
|
goto cleanup;
|
|
}
|
|
@@ -745,7 +844,9 @@ int require_class(int pass)
|
|
goto cleanup;
|
|
}
|
|
memset(perm, 0, sizeof(*perm));
|
|
- ret = hashtab_insert(datum->permissions.table, perm_id, perm);
|
|
+ ret =
|
|
+ hashtab_insert(datum->permissions.table, perm_id,
|
|
+ perm);
|
|
if (ret) {
|
|
yyerror("Out of memory!");
|
|
free(perm_id);
|
|
@@ -769,7 +870,7 @@ int require_class(int pass)
|
|
return -1;
|
|
}
|
|
|
|
-int require_role(int pass)
|
|
+static int require_role_or_attribute(int pass, unsigned char isattr)
|
|
{
|
|
char *id = queue_remove(id_queue);
|
|
role_datum_t *role = NULL;
|
|
@@ -788,7 +889,10 @@ int require_role(int pass)
|
|
return -1;
|
|
}
|
|
role_datum_init(role);
|
|
- retval = require_symbol(SYM_ROLES, id, (hashtab_datum_t *) role, &role->s.value, &role->s.value);
|
|
+ role->flavor = isattr ? ROLE_ATTRIB : ROLE_ROLE;
|
|
+ retval =
|
|
+ require_symbol(SYM_ROLES, id, (hashtab_datum_t *) role,
|
|
+ &role->s.value, &role->s.value);
|
|
if (retval != 0) {
|
|
free(id);
|
|
role_datum_destroy(role);
|
|
@@ -796,34 +900,45 @@ int require_role(int pass)
|
|
}
|
|
switch (retval) {
|
|
case -3:{
|
|
- yyerror("Out of memory!");
|
|
- return -1;
|
|
- }
|
|
+ yyerror("Out of memory!");
|
|
+ return -1;
|
|
+ }
|
|
case -2:{
|
|
- yyerror("duplicate declaration of role");
|
|
- return -1;
|
|
- }
|
|
+ yyerror("duplicate declaration of role");
|
|
+ return -1;
|
|
+ }
|
|
case -1:{
|
|
- yyerror("could not require role here");
|
|
- return -1;
|
|
- }
|
|
- case 0:{
|
|
- /* all roles dominate themselves */
|
|
- if (ebitmap_set_bit(&role->dominates, role->s.value - 1, 1)) {
|
|
- yyerror("Out of memory");
|
|
+ yyerror("could not require role here");
|
|
return -1;
|
|
}
|
|
- return 0;
|
|
- }
|
|
+ case 0:{
|
|
+ /* all roles dominate themselves */
|
|
+ if (ebitmap_set_bit
|
|
+ (&role->dominates, role->s.value - 1, 1)) {
|
|
+ yyerror("Out of memory");
|
|
+ return -1;
|
|
+ }
|
|
+ return 0;
|
|
+ }
|
|
case 1:{
|
|
- return 0; /* role already required */
|
|
- }
|
|
+ return 0; /* role already required */
|
|
+ }
|
|
default:{
|
|
- assert(0); /* should never get here */
|
|
- }
|
|
+ assert(0); /* should never get here */
|
|
+ }
|
|
}
|
|
}
|
|
|
|
+int require_role(int pass)
|
|
+{
|
|
+ return require_role_or_attribute(pass, 0);
|
|
+}
|
|
+
|
|
+int require_attribute_role(int pass)
|
|
+{
|
|
+ return require_role_or_attribute(pass, 1);
|
|
+}
|
|
+
|
|
static int require_type_or_attribute(int pass, unsigned char isattr)
|
|
{
|
|
char *id = queue_remove(id_queue);
|
|
@@ -845,33 +960,35 @@ static int require_type_or_attribute(int pass, unsigned char isattr)
|
|
type_datum_init(type);
|
|
type->primary = 1;
|
|
type->flavor = isattr ? TYPE_ATTRIB : TYPE_TYPE;
|
|
- retval = require_symbol(SYM_TYPES, id, (hashtab_datum_t *) type, &type->s.value, &type->s.value);
|
|
+ retval =
|
|
+ require_symbol(SYM_TYPES, id, (hashtab_datum_t *) type,
|
|
+ &type->s.value, &type->s.value);
|
|
if (retval != 0) {
|
|
free(id);
|
|
free(type);
|
|
}
|
|
switch (retval) {
|
|
case -3:{
|
|
- yyerror("Out of memory!");
|
|
- return -1;
|
|
- }
|
|
+ yyerror("Out of memory!");
|
|
+ return -1;
|
|
+ }
|
|
case -2:{
|
|
- yyerror("duplicate declaration of type/attribute");
|
|
- return -1;
|
|
- }
|
|
+ yyerror("duplicate declaration of type/attribute");
|
|
+ return -1;
|
|
+ }
|
|
case -1:{
|
|
- yyerror("could not require type/attribute here");
|
|
- return -1;
|
|
- }
|
|
+ yyerror("could not require type/attribute here");
|
|
+ return -1;
|
|
+ }
|
|
case 0:{
|
|
- return 0;
|
|
- }
|
|
+ return 0;
|
|
+ }
|
|
case 1:{
|
|
- return 0; /* type already required */
|
|
- }
|
|
+ return 0; /* type already required */
|
|
+ }
|
|
default:{
|
|
- assert(0); /* should never get here */
|
|
- }
|
|
+ assert(0); /* should never get here */
|
|
+ }
|
|
}
|
|
}
|
|
|
|
@@ -904,37 +1021,39 @@ int require_user(int pass)
|
|
return -1;
|
|
}
|
|
user_datum_init(user);
|
|
- retval = require_symbol(SYM_USERS, id, (hashtab_datum_t *) user, &user->s.value, &user->s.value);
|
|
+ retval =
|
|
+ require_symbol(SYM_USERS, id, (hashtab_datum_t *) user,
|
|
+ &user->s.value, &user->s.value);
|
|
if (retval != 0) {
|
|
free(id);
|
|
user_datum_destroy(user);
|
|
}
|
|
switch (retval) {
|
|
case -3:{
|
|
- yyerror("Out of memory!");
|
|
- return -1;
|
|
- }
|
|
+ yyerror("Out of memory!");
|
|
+ return -1;
|
|
+ }
|
|
case -2:{
|
|
- yyerror("duplicate declaration of user");
|
|
- return -1;
|
|
- }
|
|
+ yyerror("duplicate declaration of user");
|
|
+ return -1;
|
|
+ }
|
|
case -1:{
|
|
- yyerror("could not require user here");
|
|
- return -1;
|
|
- }
|
|
+ yyerror("could not require user here");
|
|
+ return -1;
|
|
+ }
|
|
case 0:{
|
|
- return 0;
|
|
- }
|
|
+ return 0;
|
|
+ }
|
|
case 1:{
|
|
- return 0; /* user already required */
|
|
- }
|
|
+ return 0; /* user already required */
|
|
+ }
|
|
default:{
|
|
- assert(0); /* should never get here */
|
|
- }
|
|
+ assert(0); /* should never get here */
|
|
+ }
|
|
}
|
|
}
|
|
|
|
-int require_bool(int pass)
|
|
+static int require_bool_tunable(int pass, int is_tunable)
|
|
{
|
|
char *id = queue_remove(id_queue);
|
|
cond_bool_datum_t *booldatum = NULL;
|
|
@@ -952,35 +1071,49 @@ int require_bool(int pass)
|
|
yyerror("Out of memory!");
|
|
return -1;
|
|
}
|
|
- retval = require_symbol(SYM_BOOLS, id, (hashtab_datum_t *) booldatum, &booldatum->s.value, &booldatum->s.value);
|
|
+ if (is_tunable)
|
|
+ booldatum->flags |= COND_BOOL_FLAGS_TUNABLE;
|
|
+ retval =
|
|
+ require_symbol(SYM_BOOLS, id, (hashtab_datum_t *) booldatum,
|
|
+ &booldatum->s.value, &booldatum->s.value);
|
|
if (retval != 0) {
|
|
cond_destroy_bool(id, booldatum, NULL);
|
|
}
|
|
switch (retval) {
|
|
case -3:{
|
|
- yyerror("Out of memory!");
|
|
- return -1;
|
|
- }
|
|
+ yyerror("Out of memory!");
|
|
+ return -1;
|
|
+ }
|
|
case -2:{
|
|
- yyerror("duplicate declaration of boolean");
|
|
- return -1;
|
|
- }
|
|
+ yyerror("duplicate declaration of boolean");
|
|
+ return -1;
|
|
+ }
|
|
case -1:{
|
|
- yyerror("could not require boolean here");
|
|
- return -1;
|
|
- }
|
|
+ yyerror("could not require boolean here");
|
|
+ return -1;
|
|
+ }
|
|
case 0:{
|
|
- return 0;
|
|
- }
|
|
+ return 0;
|
|
+ }
|
|
case 1:{
|
|
- return 0; /* boolean already required */
|
|
- }
|
|
+ return 0; /* boolean already required */
|
|
+ }
|
|
default:{
|
|
- assert(0); /* should never get here */
|
|
- }
|
|
+ assert(0); /* should never get here */
|
|
+ }
|
|
}
|
|
}
|
|
|
|
+int require_bool(int pass)
|
|
+{
|
|
+ return require_bool_tunable(pass, 0);
|
|
+}
|
|
+
|
|
+int require_tunable(int pass)
|
|
+{
|
|
+ return require_bool_tunable(pass, 1);
|
|
+}
|
|
+
|
|
int require_sens(int pass)
|
|
{
|
|
char *id = queue_remove(id_queue);
|
|
@@ -1010,7 +1143,8 @@ int require_sens(int pass)
|
|
return -1;
|
|
}
|
|
mls_level_init(level->level);
|
|
- retval = require_symbol(SYM_LEVELS, id, (hashtab_datum_t *) level, &level->level->sens, &level->level->sens);
|
|
+ retval = require_symbol(SYM_LEVELS, id, (hashtab_datum_t *) level,
|
|
+ &level->level->sens, &level->level->sens);
|
|
if (retval != 0) {
|
|
free(id);
|
|
mls_level_destroy(level->level);
|
|
@@ -1020,26 +1154,26 @@ int require_sens(int pass)
|
|
}
|
|
switch (retval) {
|
|
case -3:{
|
|
- yyerror("Out of memory!");
|
|
- return -1;
|
|
- }
|
|
+ yyerror("Out of memory!");
|
|
+ return -1;
|
|
+ }
|
|
case -2:{
|
|
- yyerror("duplicate declaration of sensitivity");
|
|
- return -1;
|
|
- }
|
|
+ yyerror("duplicate declaration of sensitivity");
|
|
+ return -1;
|
|
+ }
|
|
case -1:{
|
|
- yyerror("could not require sensitivity here");
|
|
- return -1;
|
|
- }
|
|
+ yyerror("could not require sensitivity here");
|
|
+ return -1;
|
|
+ }
|
|
case 0:{
|
|
- return 0;
|
|
- }
|
|
+ return 0;
|
|
+ }
|
|
case 1:{
|
|
- return 0; /* sensitivity already required */
|
|
- }
|
|
+ return 0; /* sensitivity already required */
|
|
+ }
|
|
default:{
|
|
- assert(0); /* should never get here */
|
|
- }
|
|
+ assert(0); /* should never get here */
|
|
+ }
|
|
}
|
|
}
|
|
|
|
@@ -1064,7 +1198,8 @@ int require_cat(int pass)
|
|
}
|
|
cat_datum_init(cat);
|
|
|
|
- retval = require_symbol(SYM_CATS, id, (hashtab_datum_t *) cat, &cat->s.value, &cat->s.value);
|
|
+ retval = require_symbol(SYM_CATS, id, (hashtab_datum_t *) cat,
|
|
+ &cat->s.value, &cat->s.value);
|
|
if (retval != 0) {
|
|
free(id);
|
|
cat_datum_destroy(cat);
|
|
@@ -1072,26 +1207,26 @@ int require_cat(int pass)
|
|
}
|
|
switch (retval) {
|
|
case -3:{
|
|
- yyerror("Out of memory!");
|
|
- return -1;
|
|
- }
|
|
+ yyerror("Out of memory!");
|
|
+ return -1;
|
|
+ }
|
|
case -2:{
|
|
- yyerror("duplicate declaration of category");
|
|
- return -1;
|
|
- }
|
|
+ yyerror("duplicate declaration of category");
|
|
+ return -1;
|
|
+ }
|
|
case -1:{
|
|
- yyerror("could not require category here");
|
|
- return -1;
|
|
- }
|
|
+ yyerror("could not require category here");
|
|
+ return -1;
|
|
+ }
|
|
case 0:{
|
|
- return 0;
|
|
- }
|
|
+ return 0;
|
|
+ }
|
|
case 1:{
|
|
- return 0; /* category already required */
|
|
- }
|
|
+ return 0; /* category already required */
|
|
+ }
|
|
default:{
|
|
- assert(0); /* should never get here */
|
|
- }
|
|
+ assert(0); /* should never get here */
|
|
+ }
|
|
}
|
|
}
|
|
|
|
@@ -1099,7 +1234,7 @@ static int is_scope_in_stack(scope_datum_t * scope, scope_stack_t * stack)
|
|
{
|
|
int i;
|
|
if (stack == NULL) {
|
|
- return 0; /* no matching scope found */
|
|
+ return 0; /* no matching scope found */
|
|
}
|
|
if (stack->type == 1) {
|
|
avrule_decl_t *decl = stack->decl;
|
|
@@ -1119,33 +1254,40 @@ static int is_scope_in_stack(scope_datum_t * scope, scope_stack_t * stack)
|
|
|
|
int is_id_in_scope(uint32_t symbol_type, hashtab_key_t id)
|
|
{
|
|
- scope_datum_t *scope = (scope_datum_t *) hashtab_search(policydbp->scope[symbol_type].table, id);
|
|
+ scope_datum_t *scope =
|
|
+ (scope_datum_t *) hashtab_search(policydbp->scope[symbol_type].
|
|
+ table, id);
|
|
if (scope == NULL) {
|
|
- return 1; /* id is not known, so return success */
|
|
+ return 1; /* id is not known, so return success */
|
|
}
|
|
return is_scope_in_stack(scope, stack_top);
|
|
}
|
|
|
|
-static int is_perm_in_scope_index(uint32_t perm_value, uint32_t class_value, scope_index_t * scope)
|
|
+static int is_perm_in_scope_index(uint32_t perm_value, uint32_t class_value,
|
|
+ scope_index_t * scope)
|
|
{
|
|
if (class_value > scope->class_perms_len) {
|
|
return 1;
|
|
}
|
|
- if (ebitmap_get_bit(scope->class_perms_map + class_value - 1, perm_value - 1)) {
|
|
+ if (ebitmap_get_bit(scope->class_perms_map + class_value - 1,
|
|
+ perm_value - 1)) {
|
|
return 1;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
-static int is_perm_in_stack(uint32_t perm_value, uint32_t class_value, scope_stack_t * stack)
|
|
+static int is_perm_in_stack(uint32_t perm_value, uint32_t class_value,
|
|
+ scope_stack_t * stack)
|
|
{
|
|
if (stack == NULL) {
|
|
- return 0; /* no matching scope found */
|
|
+ return 0; /* no matching scope found */
|
|
}
|
|
if (stack->type == 1) {
|
|
avrule_decl_t *decl = stack->decl;
|
|
- if (is_perm_in_scope_index(perm_value, class_value, &decl->required)
|
|
- || is_perm_in_scope_index(perm_value, class_value, &decl->declared)) {
|
|
+ if (is_perm_in_scope_index
|
|
+ (perm_value, class_value, &decl->required)
|
|
+ || is_perm_in_scope_index(perm_value, class_value,
|
|
+ &decl->declared)) {
|
|
return 1;
|
|
}
|
|
} else {
|
|
@@ -1159,17 +1301,20 @@ static int is_perm_in_stack(uint32_t perm_value, uint32_t class_value, scope_sta
|
|
|
|
int is_perm_in_scope(hashtab_key_t perm_id, hashtab_key_t class_id)
|
|
{
|
|
- class_datum_t *cladatum = (class_datum_t *) hashtab_search(policydbp->p_classes.table,
|
|
- class_id);
|
|
+ class_datum_t *cladatum =
|
|
+ (class_datum_t *) hashtab_search(policydbp->p_classes.table,
|
|
+ class_id);
|
|
perm_datum_t *perdatum;
|
|
if (cladatum == NULL) {
|
|
return 1;
|
|
}
|
|
- perdatum = (perm_datum_t *) hashtab_search(cladatum->permissions.table, perm_id);
|
|
+ perdatum = (perm_datum_t *) hashtab_search(cladatum->permissions.table,
|
|
+ perm_id);
|
|
if (perdatum == NULL) {
|
|
return 1;
|
|
}
|
|
- return is_perm_in_stack(perdatum->s.value, cladatum->s.value, stack_top);
|
|
+ return is_perm_in_stack(perdatum->s.value, cladatum->s.value,
|
|
+ stack_top);
|
|
}
|
|
|
|
cond_list_t *get_current_cond_list(cond_list_t * cond)
|
|
@@ -1188,19 +1333,23 @@ void append_cond_list(cond_list_t * cond)
|
|
{
|
|
cond_list_t *old_cond = get_current_cond_list(cond);
|
|
avrule_t *tmp;
|
|
- assert(old_cond != NULL); /* probably out of memory */
|
|
+ assert(old_cond != NULL); /* probably out of memory */
|
|
if (old_cond->avtrue_list == NULL) {
|
|
old_cond->avtrue_list = cond->avtrue_list;
|
|
} else {
|
|
- for (tmp = old_cond->avtrue_list; tmp->next != NULL; tmp = tmp->next) ;
|
|
+ for (tmp = old_cond->avtrue_list; tmp->next != NULL;
|
|
+ tmp = tmp->next) ;
|
|
tmp->next = cond->avtrue_list;
|
|
}
|
|
if (old_cond->avfalse_list == NULL) {
|
|
old_cond->avfalse_list = cond->avfalse_list;
|
|
} else {
|
|
- for (tmp = old_cond->avfalse_list; tmp->next != NULL; tmp = tmp->next) ;
|
|
+ for (tmp = old_cond->avfalse_list; tmp->next != NULL;
|
|
+ tmp = tmp->next) ;
|
|
tmp->next = cond->avfalse_list;
|
|
}
|
|
+
|
|
+ old_cond->flags |= cond->flags;
|
|
}
|
|
|
|
void append_avrule(avrule_t * avrule)
|
|
@@ -1276,7 +1425,8 @@ int begin_optional(int pass)
|
|
avrule_decl_t *decl;
|
|
if (pass == 1) {
|
|
/* allocate a new avrule block for this optional block */
|
|
- if ((block = avrule_block_create()) == NULL || (decl = avrule_decl_create(next_decl_id)) == NULL) {
|
|
+ if ((block = avrule_block_create()) == NULL ||
|
|
+ (decl = avrule_decl_create(next_decl_id)) == NULL) {
|
|
goto cleanup;
|
|
}
|
|
block->flags |= AVRULE_OPTIONAL;
|
|
@@ -1285,7 +1435,9 @@ int begin_optional(int pass)
|
|
} else {
|
|
/* select the next block from the chain built during pass 1 */
|
|
block = last_block->next;
|
|
- assert(block != NULL && block->branch_list != NULL && block->branch_list->decl_id == next_decl_id);
|
|
+ assert(block != NULL &&
|
|
+ block->branch_list != NULL &&
|
|
+ block->branch_list->decl_id == next_decl_id);
|
|
decl = block->branch_list;
|
|
}
|
|
if (push_stack(1, block, decl) == -1) {
|
|
@@ -1324,7 +1476,8 @@ int begin_optional_else(int pass)
|
|
/* pick the (hopefully last) declaration of this
|
|
avrule block, built from pass 1 */
|
|
decl = stack_top->decl->next;
|
|
- assert(decl != NULL && decl->next == NULL && decl->decl_id == next_decl_id);
|
|
+ assert(decl != NULL &&
|
|
+ decl->next == NULL && decl->decl_id == next_decl_id);
|
|
}
|
|
stack_top->in_else = 1;
|
|
stack_top->decl = decl;
|
|
@@ -1353,21 +1506,26 @@ static int copy_requirements(avrule_decl_t * dest, scope_stack_t * stack)
|
|
}
|
|
/* now copy class permissions */
|
|
if (src_scope->class_perms_len > dest_scope->class_perms_len) {
|
|
- ebitmap_t *new_map = realloc(dest_scope->class_perms_map,
|
|
- src_scope->class_perms_len * sizeof(*new_map));
|
|
+ ebitmap_t *new_map =
|
|
+ realloc(dest_scope->class_perms_map,
|
|
+ src_scope->class_perms_len *
|
|
+ sizeof(*new_map));
|
|
if (new_map == NULL) {
|
|
yyerror("Out of memory!");
|
|
return -1;
|
|
}
|
|
dest_scope->class_perms_map = new_map;
|
|
- for (i = dest_scope->class_perms_len; i < src_scope->class_perms_len; i++) {
|
|
+ for (i = dest_scope->class_perms_len;
|
|
+ i < src_scope->class_perms_len; i++) {
|
|
ebitmap_init(dest_scope->class_perms_map + i);
|
|
}
|
|
- dest_scope->class_perms_len = src_scope->class_perms_len;
|
|
+ dest_scope->class_perms_len =
|
|
+ src_scope->class_perms_len;
|
|
}
|
|
for (i = 0; i < src_scope->class_perms_len; i++) {
|
|
ebitmap_t *src_bitmap = &src_scope->class_perms_map[i];
|
|
- ebitmap_t *dest_bitmap = &dest_scope->class_perms_map[i];
|
|
+ ebitmap_t *dest_bitmap =
|
|
+ &dest_scope->class_perms_map[i];
|
|
if (ebitmap_union(dest_bitmap, src_bitmap)) {
|
|
yyerror("Out of memory!");
|
|
return -1;
|
|
@@ -1394,7 +1552,8 @@ int end_avrule_block(int pass)
|
|
return 0;
|
|
}
|
|
if (!stack_top->in_else && !stack_top->require_given) {
|
|
- if (policydbp->policy_type == POLICY_BASE && stack_top->parent != NULL) {
|
|
+ if (policydbp->policy_type == POLICY_BASE
|
|
+ && stack_top->parent != NULL) {
|
|
/* if this is base no require should be in the global block */
|
|
return 0;
|
|
} else {
|
|
@@ -1418,14 +1577,14 @@ static int push_stack(int stack_type, ...)
|
|
va_start(ap, stack_type);
|
|
switch (s->type = stack_type) {
|
|
case 1:{
|
|
- s->u.avrule = va_arg(ap, avrule_block_t *);
|
|
- s->decl = va_arg(ap, avrule_decl_t *);
|
|
- break;
|
|
- }
|
|
+ s->u.avrule = va_arg(ap, avrule_block_t *);
|
|
+ s->decl = va_arg(ap, avrule_decl_t *);
|
|
+ break;
|
|
+ }
|
|
case 2:{
|
|
- s->u.cond_list = va_arg(ap, cond_list_t *);
|
|
- break;
|
|
- }
|
|
+ s->u.cond_list = va_arg(ap, cond_list_t *);
|
|
+ break;
|
|
+ }
|
|
default:
|
|
/* invalid stack type given */
|
|
assert(0);
|
|
diff --git a/libqpol/src/module_compiler.h b/libqpol/src/module_compiler.h
|
|
index d46dca6..b9c0526 100644
|
|
--- a/libqpol/src/module_compiler.h
|
|
+++ b/libqpol/src/module_compiler.h
|
|
@@ -17,6 +17,7 @@
|
|
#ifndef MODULE_COMPILER_H
|
|
#define MODULE_COMPILER_H
|
|
|
|
+/* Required for SETools libqpol services */
|
|
#ifdef __cplusplus
|
|
extern "C"
|
|
{
|
|
@@ -36,18 +37,23 @@ int define_policy(int pass, int module_header_given);
|
|
* needs to free() the datum), -1 if declarations not allowed, -2 for
|
|
* duplicate declarations, -3 for all else.
|
|
*/
|
|
-int declare_symbol(uint32_t symbol_type, hashtab_key_t key, hashtab_datum_t datum, uint32_t * dest_value, uint32_t * datum_value);
|
|
+int declare_symbol(uint32_t symbol_type,
|
|
+ hashtab_key_t key, hashtab_datum_t datum,
|
|
+ uint32_t * dest_value, uint32_t * datum_value);
|
|
|
|
-role_datum_t *declare_role(void);
|
|
+role_datum_t *declare_role(unsigned char isattr);
|
|
type_datum_t *declare_type(unsigned char primary, unsigned char isattr);
|
|
user_datum_t *declare_user(void);
|
|
|
|
type_datum_t *get_local_type(char *id, uint32_t value, unsigned char isattr);
|
|
+role_datum_t *get_local_role(char *id, uint32_t value, unsigned char isattr);
|
|
|
|
/* Add a symbol to the current avrule_block's require section. Note
|
|
* that a module may not both declare and require the same symbol.
|
|
* Returns 0 on success, -1 on error. */
|
|
-int require_symbol(uint32_t symbol_type, hashtab_key_t key, hashtab_datum_t datum, uint32_t * dest_value, uint32_t * datum_value);
|
|
+int require_symbol(uint32_t symbol_type,
|
|
+ hashtab_key_t key, hashtab_datum_t datum,
|
|
+ uint32_t * dest_value, uint32_t * datum_value);
|
|
|
|
/* Enable a permission for a class within the current avrule_decl.
|
|
* Return 0 on success, -1 if out of memory. */
|
|
@@ -60,8 +66,10 @@ int require_class(int pass);
|
|
int require_role(int pass);
|
|
int require_type(int pass);
|
|
int require_attribute(int pass);
|
|
+int require_attribute_role(int pass);
|
|
int require_user(int pass);
|
|
int require_bool(int pass);
|
|
+int require_tunable(int pass);
|
|
int require_sens(int pass);
|
|
int require_cat(int pass);
|
|
|
|
diff --git a/libqpol/src/policy.c b/libqpol/src/policy.c
|
|
index 7180556..717c079 100644
|
|
--- a/libqpol/src/policy.c
|
|
+++ b/libqpol/src/policy.c
|
|
@@ -412,6 +412,45 @@ static int infer_policy_version(qpol_policy_t * policy)
|
|
}
|
|
qpol_iterator_destroy(&iter);
|
|
|
|
+/* Check each version change from 29 to 24 */
|
|
+/* If this is available then just set version 29 */
|
|
+#ifdef HAVE_SEPOL_CONSTRAINT_NAMES
|
|
+ db->policyvers = 29;
|
|
+ return STATUS_SUCCESS;
|
|
+#endif
|
|
+
|
|
+/*
|
|
+ * These will remove the rules from policy_define.c if libsepol
|
|
+ * does not have the support listed in policydb.h. The earlier code
|
|
+ * checked for at least one rule before enabling - this patch does not
|
|
+ * as if in policydb.h then must be capable of being built.
|
|
+ */
|
|
+#ifdef HAVE_SEPOL_DEFAULT_TYPE
|
|
+ db->policyvers = 28;
|
|
+ return STATUS_SUCCESS;
|
|
+#endif
|
|
+
|
|
+#ifdef HAVE_SEPOL_NEW_OBJECT_DEFAULTS
|
|
+ db->policyvers = 27;
|
|
+ return STATUS_SUCCESS;
|
|
+#endif
|
|
+
|
|
+/* This seems to be in place already ??
|
|
+#ifdef HAVE_SEPOL_ROLETRANS
|
|
+ db->policyvers = 26;
|
|
+ return STATUS_SUCCESS;
|
|
+#endif */
|
|
+
|
|
+#ifdef HAVE_SEPOL_FILENAME_TRANS
|
|
+ db->policyvers = 25;
|
|
+ return STATUS_SUCCESS;
|
|
+#endif
|
|
+
|
|
+#ifdef HAVE_SEPOL_BOUNDARY
|
|
+ db->policyvers = 24;
|
|
+ return STATUS_SUCCESS;
|
|
+#endif
|
|
+
|
|
#if defined(HAVE_SEPOL_PERMISSIVE_TYPES) || defined(HAVE_SEPOL_POLICYCAPS)
|
|
ebitmap_node_t *node = NULL;
|
|
unsigned int i = 0;
|
|
@@ -1466,6 +1505,25 @@ int qpol_policy_get_policy_version(const qpol_policy_t * policy, unsigned int *v
|
|
return STATUS_SUCCESS;
|
|
}
|
|
|
|
+int qpol_policy_get_policy_handle_unknown(const qpol_policy_t * policy, unsigned int *handle_unknown)
|
|
+{
|
|
+ policydb_t *db;
|
|
+
|
|
+ if (handle_unknown != NULL)
|
|
+ *handle_unknown = 0;
|
|
+
|
|
+ if (policy == NULL || handle_unknown == NULL) {
|
|
+ ERR(policy, "%s", strerror(EINVAL));
|
|
+ errno = EINVAL;
|
|
+ return STATUS_ERR;
|
|
+ }
|
|
+
|
|
+ db = &policy->p->p;
|
|
+ *handle_unknown = db->handle_unknown;
|
|
+
|
|
+ return STATUS_SUCCESS;
|
|
+}
|
|
+
|
|
int qpol_policy_get_type(const qpol_policy_t * policy, int *type)
|
|
{
|
|
if (!policy || !type) {
|
|
@@ -1534,6 +1592,55 @@ int qpol_policy_has_capability(const qpol_policy_t * policy, qpol_capability_e c
|
|
return 1;
|
|
break;
|
|
}
|
|
+ case QPOL_CAP_BOUNDS:
|
|
+ {
|
|
+ if (version >= 24 && policy->type != QPOL_POLICY_MODULE_BINARY)
|
|
+ return 1;
|
|
+ if (version >= 9 && policy->type == QPOL_POLICY_MODULE_BINARY)
|
|
+ return 1;
|
|
+ break;
|
|
+ }
|
|
+ case QPOL_CAP_PERMISSIVE:
|
|
+ {
|
|
+ if (version >= 23 && policy->type != QPOL_POLICY_MODULE_BINARY)
|
|
+ return 1;
|
|
+ if (version >= 8 && policy->type == QPOL_POLICY_MODULE_BINARY)
|
|
+ return 1;
|
|
+ break;
|
|
+ }
|
|
+ case QPOL_CAP_FILENAME_TRANS:
|
|
+ {
|
|
+ if (version >= 25 && policy->type != QPOL_POLICY_MODULE_BINARY)
|
|
+ return 1;
|
|
+ if (version >= 11 && policy->type == QPOL_POLICY_MODULE_BINARY)
|
|
+ return 1;
|
|
+ break;
|
|
+ }
|
|
+ case QPOL_CAP_ROLETRANS:
|
|
+ {
|
|
+ if (version >= 26 && policy->type != QPOL_POLICY_MODULE_BINARY)
|
|
+ return 1;
|
|
+ if (version >= 12 && policy->type == QPOL_POLICY_MODULE_BINARY)
|
|
+ return 1;
|
|
+ break;
|
|
+ }
|
|
+ /* This indicates the user, role and range - types were ate 28/16 */
|
|
+ case QPOL_CAP_DEFAULT_OBJECTS:
|
|
+ {
|
|
+ if (version >= 27 && policy->type != QPOL_POLICY_MODULE_BINARY)
|
|
+ return 1;
|
|
+ if (version >= 15 && policy->type == QPOL_POLICY_MODULE_BINARY)
|
|
+ return 1;
|
|
+ break;
|
|
+ }
|
|
+ case QPOL_CAP_DEFAULT_TYPE:
|
|
+ {
|
|
+ if (version >= 28 && policy->type != QPOL_POLICY_MODULE_BINARY)
|
|
+ return 1;
|
|
+ if (version >= 16 && policy->type == QPOL_POLICY_MODULE_BINARY)
|
|
+ return 1;
|
|
+ break;
|
|
+ }
|
|
case QPOL_CAP_RULES_LOADED:
|
|
{
|
|
if (!(policy->options & QPOL_POLICY_OPTION_NO_RULES))
|
|
diff --git a/libqpol/src/policy_define.c b/libqpol/src/policy_define.c
|
|
index fad6b60..15f70ba 100644
|
|
--- a/libqpol/src/policy_define.c
|
|
+++ b/libqpol/src/policy_define.c
|
|
@@ -3,6 +3,8 @@
|
|
*
|
|
* This file is based upon checkpolicy/policy_define.c from NSA's SVN
|
|
* repository. It has been modified to support older policy formats.
|
|
+ * The older format just seems to be PSID support (see
|
|
+ * int define_fs_use(int behavior).
|
|
*/
|
|
|
|
/*
|
|
@@ -33,7 +35,7 @@
|
|
*/
|
|
|
|
/* FLASK */
|
|
-
|
|
+/* Required for SETools libqpol */
|
|
#include <config.h>
|
|
|
|
#include <sys/types.h>
|
|
@@ -54,6 +56,7 @@
|
|
#include <sepol/policydb/conditional.h>
|
|
#include <sepol/policydb/flask.h>
|
|
#include <sepol/policydb/hierarchy.h>
|
|
+/* Required for SETools libqpol */
|
|
#ifdef HAVE_SEPOL_POLICYCAPS
|
|
#include <sepol/policydb/polcaps.h>
|
|
#endif
|
|
@@ -62,15 +65,15 @@
|
|
#endif
|
|
|
|
#include "queue.h"
|
|
+/* Required for SETools libqpol - Removed #include "checkpolicy.h"*/
|
|
#include <qpol/policy.h>
|
|
+
|
|
#include "module_compiler.h"
|
|
#include "policy_define.h"
|
|
|
|
policydb_t *policydbp;
|
|
queue_t id_queue = 0;
|
|
unsigned int pass;
|
|
-static int load_rules;
|
|
-static unsigned int num_rules = 0;
|
|
char *curfile = 0;
|
|
int mlspol = 0;
|
|
|
|
@@ -82,12 +85,15 @@ extern int yywarn(char *msg);
|
|
extern int yyerror(char *msg);
|
|
|
|
#define ERRORMSG_LEN 255
|
|
-static char errormsg[ERRORMSG_LEN + 1] = { 0 };
|
|
+static char errormsg[ERRORMSG_LEN + 1] = {0};
|
|
|
|
static int id_has_dot(char *id);
|
|
-static int parse_security_context(context_struct_t * c);
|
|
+static int parse_security_context(context_struct_t *c);
|
|
|
|
/* initialize all of the state variables for the scanner/parser */
|
|
+/* Modified for SETools libqpol */
|
|
+static int load_rules;
|
|
+static unsigned int num_rules = 0;
|
|
void init_parser(int pass_number, int do_rules)
|
|
{
|
|
policydb_lineno = 1;
|
|
@@ -107,6 +113,7 @@ void yyerror2(char *fmt, ...)
|
|
va_end(ap);
|
|
}
|
|
|
|
+/* Required for SETools libqpol */
|
|
int define_mls(void)
|
|
{
|
|
mlspol = 1;
|
|
@@ -115,6 +122,7 @@ int define_mls(void)
|
|
return 0;
|
|
}
|
|
|
|
+/* Required for SETools libqpol */
|
|
/* Add a rule onto an avtab hash table only if it does not already
|
|
* exist. (Note that the avtab is discarded afterwards; it will be
|
|
* regenerated during expansion.) Return 1 if rule was added (or
|
|
@@ -135,11 +143,13 @@ static int insert_check_type_rule(avrule_t * rule, avtab_t * avtab, cond_av_list
|
|
#endif
|
|
|
|
ret = expand_rule(NULL, policydbp, rule, avtab, list, other, 0);
|
|
+
|
|
if (ret < 0) {
|
|
yyerror("Failed on expanding rule");
|
|
}
|
|
return ret;
|
|
}
|
|
+
|
|
int insert_separator(int push)
|
|
{
|
|
int error;
|
|
@@ -217,24 +227,24 @@ int define_class(void)
|
|
ret = declare_symbol(SYM_CLASSES, id, datum, &value, &value);
|
|
switch (ret) {
|
|
case -3:{
|
|
- yyerror("Out of memory!");
|
|
- goto bad;
|
|
- }
|
|
+ yyerror("Out of memory!");
|
|
+ goto bad;
|
|
+ }
|
|
case -2:{
|
|
- yyerror2("duplicate declaration of class %s", id);
|
|
- goto bad;
|
|
- }
|
|
+ yyerror2("duplicate declaration of class %s", id);
|
|
+ goto bad;
|
|
+ }
|
|
case -1:{
|
|
- yyerror("could not declare class here");
|
|
- goto bad;
|
|
- }
|
|
+ yyerror("could not declare class here");
|
|
+ goto bad;
|
|
+ }
|
|
case 0:
|
|
case 1:{
|
|
- break;
|
|
- }
|
|
+ break;
|
|
+ }
|
|
default:{
|
|
- assert(0); /* should never get here */
|
|
- }
|
|
+ assert(0); /* should never get here */
|
|
+ }
|
|
}
|
|
datum->s.value = value;
|
|
return 0;
|
|
@@ -282,12 +292,13 @@ int define_permissive(void)
|
|
rc = -1;
|
|
goto out;
|
|
}
|
|
+/* Required for SETools libqpol */
|
|
#ifdef HAVE_SEPOL_PERMISSIVE_TYPES
|
|
t->flags |= TYPE_FLAGS_PERMISSIVE;
|
|
#else
|
|
yyerror("This version of SETools does not have permissive types enabled.");
|
|
#endif
|
|
- out:
|
|
+out:
|
|
free(type);
|
|
return rc;
|
|
}
|
|
@@ -308,6 +319,7 @@ int define_polcap(void)
|
|
yyerror("no capability name for policycap definition?");
|
|
goto bad;
|
|
}
|
|
+/* Required for SETools libqpol */
|
|
#ifdef HAVE_SEPOL_POLICYCAPS
|
|
/* Check for valid cap name -> number mapping */
|
|
capnum = sepol_polcap_getnum(id);
|
|
@@ -384,6 +396,178 @@ int define_initial_sid(void)
|
|
return -1;
|
|
}
|
|
|
|
+static int read_classes(ebitmap_t *e_classes)
|
|
+{
|
|
+ char *id;
|
|
+ class_datum_t *cladatum;
|
|
+
|
|
+ while ((id = queue_remove(id_queue))) {
|
|
+ if (!is_id_in_scope(SYM_CLASSES, id)) {
|
|
+ yyerror2("class %s is not within scope", id);
|
|
+ return -1;
|
|
+ }
|
|
+ cladatum = hashtab_search(policydbp->p_classes.table, id);
|
|
+ if (!cladatum) {
|
|
+ yyerror2("unknown class %s", id);
|
|
+ return -1;
|
|
+ }
|
|
+ if (ebitmap_set_bit(e_classes, cladatum->s.value - 1, TRUE)) {
|
|
+ yyerror("Out of memory");
|
|
+ return -1;
|
|
+ }
|
|
+ free(id);
|
|
+ }
|
|
+ return 0;
|
|
+}
|
|
+
|
|
+int define_default_user(int which)
|
|
+{
|
|
+ char *id;
|
|
+
|
|
+ if (pass == 1) {
|
|
+ while ((id = queue_remove(id_queue)))
|
|
+ free(id);
|
|
+ return 0;
|
|
+ }
|
|
+/* Required for SETools libqpol */
|
|
+#ifdef HAVE_SEPOL_NEW_OBJECT_DEFAULTS
|
|
+ class_datum_t *cladatum;
|
|
+
|
|
+ while ((id = queue_remove(id_queue))) {
|
|
+ if (!is_id_in_scope(SYM_CLASSES, id)) {
|
|
+ yyerror2("class %s is not within scope", id);
|
|
+ return -1;
|
|
+ }
|
|
+ cladatum = hashtab_search(policydbp->p_classes.table, id);
|
|
+ if (!cladatum) {
|
|
+ yyerror2("unknown class %s", id);
|
|
+ return -1;
|
|
+ }
|
|
+ if (cladatum->default_user && cladatum->default_user != which) {
|
|
+ yyerror2("conflicting default user information for class %s", id);
|
|
+ return -1;
|
|
+ }
|
|
+ cladatum->default_user = which;
|
|
+ free(id);
|
|
+ }
|
|
+
|
|
+ return 0;
|
|
+#else
|
|
+ yyerror("This version of SETools does not have default_user enabled.");
|
|
+#endif
|
|
+}
|
|
+
|
|
+int define_default_role(int which)
|
|
+{
|
|
+ char *id;
|
|
+
|
|
+ if (pass == 1) {
|
|
+ while ((id = queue_remove(id_queue)))
|
|
+ free(id);
|
|
+ return 0;
|
|
+ }
|
|
+/* Required for SETools libqpol */
|
|
+#ifdef HAVE_SEPOL_NEW_OBJECT_DEFAULTS
|
|
+ class_datum_t *cladatum;
|
|
+
|
|
+ while ((id = queue_remove(id_queue))) {
|
|
+ if (!is_id_in_scope(SYM_CLASSES, id)) {
|
|
+ yyerror2("class %s is not within scope", id);
|
|
+ return -1;
|
|
+ }
|
|
+ cladatum = hashtab_search(policydbp->p_classes.table, id);
|
|
+ if (!cladatum) {
|
|
+ yyerror2("unknown class %s", id);
|
|
+ return -1;
|
|
+ }
|
|
+ if (cladatum->default_role && cladatum->default_role != which) {
|
|
+ yyerror2("conflicting default role information for class %s", id);
|
|
+ return -1;
|
|
+ }
|
|
+ cladatum->default_role = which;
|
|
+ free(id);
|
|
+ }
|
|
+
|
|
+ return 0;
|
|
+#else
|
|
+ yyerror("This version of SETools does not have default_role enabled.");
|
|
+#endif
|
|
+}
|
|
+
|
|
+int define_default_type(int which)
|
|
+{
|
|
+ char *id;
|
|
+
|
|
+ if (pass == 1) {
|
|
+ while ((id = queue_remove(id_queue)))
|
|
+ free(id);
|
|
+ return 0;
|
|
+ }
|
|
+/* Required for SETools libqpol */
|
|
+#ifdef HAVE_SEPOL_DEFAULT_TYPE
|
|
+ class_datum_t *cladatum;
|
|
+
|
|
+ while ((id = queue_remove(id_queue))) {
|
|
+ if (!is_id_in_scope(SYM_CLASSES, id)) {
|
|
+ yyerror2("class %s is not within scope", id);
|
|
+ return -1;
|
|
+ }
|
|
+ cladatum = hashtab_search(policydbp->p_classes.table, id);
|
|
+ if (!cladatum) {
|
|
+ yyerror2("unknown class %s", id);
|
|
+ return -1;
|
|
+ }
|
|
+ if (cladatum->default_type && cladatum->default_type != which) {
|
|
+ yyerror2("conflicting default type information for class %s", id);
|
|
+ return -1;
|
|
+ }
|
|
+ cladatum->default_type = which;
|
|
+ free(id);
|
|
+ }
|
|
+
|
|
+ return 0;
|
|
+#else
|
|
+ yyerror("This version of SETools does not have default_type enabled.");
|
|
+#endif
|
|
+}
|
|
+
|
|
+int define_default_range(int which)
|
|
+{
|
|
+ char *id;
|
|
+
|
|
+ if (pass == 1) {
|
|
+ while ((id = queue_remove(id_queue)))
|
|
+ free(id);
|
|
+ return 0;
|
|
+ }
|
|
+/* Required for SETools libqpol */
|
|
+#ifdef HAVE_SEPOL_NEW_OBJECT_DEFAULTS
|
|
+ class_datum_t *cladatum;
|
|
+
|
|
+ while ((id = queue_remove(id_queue))) {
|
|
+ if (!is_id_in_scope(SYM_CLASSES, id)) {
|
|
+ yyerror2("class %s is not within scope", id);
|
|
+ return -1;
|
|
+ }
|
|
+ cladatum = hashtab_search(policydbp->p_classes.table, id);
|
|
+ if (!cladatum) {
|
|
+ yyerror2("unknown class %s", id);
|
|
+ return -1;
|
|
+ }
|
|
+ if (cladatum->default_range && cladatum->default_range != which) {
|
|
+ yyerror2("conflicting default range information for class %s", id);
|
|
+ return -1;
|
|
+ }
|
|
+ cladatum->default_range = which;
|
|
+ free(id);
|
|
+ }
|
|
+
|
|
+ return 0;
|
|
+#else
|
|
+ yyerror("This version of SETools does not have default_range enabled.");
|
|
+#endif
|
|
+}
|
|
+
|
|
int define_common_perms(void)
|
|
{
|
|
char *id = 0, *perm = 0;
|
|
@@ -413,7 +597,8 @@ int define_common_perms(void)
|
|
goto bad;
|
|
}
|
|
memset(comdatum, 0, sizeof(common_datum_t));
|
|
- ret = hashtab_insert(policydbp->p_commons.table, (hashtab_key_t) id, (hashtab_datum_t) comdatum);
|
|
+ ret = hashtab_insert(policydbp->p_commons.table,
|
|
+ (hashtab_key_t) id, (hashtab_datum_t) comdatum);
|
|
|
|
if (ret == SEPOL_EEXIST) {
|
|
yyerror("duplicate common definition");
|
|
@@ -439,13 +624,17 @@ int define_common_perms(void)
|
|
perdatum->s.value = comdatum->permissions.nprim + 1;
|
|
|
|
if (perdatum->s.value > (sizeof(sepol_access_vector_t) * 8)) {
|
|
- yyerror("too many permissions to fit in an access vector");
|
|
+ yyerror
|
|
+ ("too many permissions to fit in an access vector");
|
|
goto bad_perm;
|
|
}
|
|
- ret = hashtab_insert(comdatum->permissions.table, (hashtab_key_t) perm, (hashtab_datum_t) perdatum);
|
|
+ ret = hashtab_insert(comdatum->permissions.table,
|
|
+ (hashtab_key_t) perm,
|
|
+ (hashtab_datum_t) perdatum);
|
|
|
|
if (ret == SEPOL_EEXIST) {
|
|
- yyerror2("duplicate permission %s in common %s", perm, id);
|
|
+ yyerror2("duplicate permission %s in common %s", perm,
|
|
+ id);
|
|
goto bad_perm;
|
|
}
|
|
if (ret == SEPOL_ENOMEM) {
|
|
@@ -491,7 +680,8 @@ int define_av_perms(int inherits)
|
|
yyerror("no tclass name for av perm definition?");
|
|
return -1;
|
|
}
|
|
- cladatum = (class_datum_t *) hashtab_search(policydbp->p_classes.table, (hashtab_key_t) id);
|
|
+ cladatum = (class_datum_t *) hashtab_search(policydbp->p_classes.table,
|
|
+ (hashtab_key_t) id);
|
|
if (!cladatum) {
|
|
yyerror2("class %s is not defined", id);
|
|
goto bad;
|
|
@@ -509,10 +699,14 @@ int define_av_perms(int inherits)
|
|
if (inherits) {
|
|
id = (char *)queue_remove(id_queue);
|
|
if (!id) {
|
|
- yyerror("no inherits name for access vector definition?");
|
|
+ yyerror
|
|
+ ("no inherits name for access vector definition?");
|
|
return -1;
|
|
}
|
|
- comdatum = (common_datum_t *) hashtab_search(policydbp->p_commons.table, (hashtab_key_t) id);
|
|
+ comdatum =
|
|
+ (common_datum_t *) hashtab_search(policydbp->p_commons.
|
|
+ table,
|
|
+ (hashtab_key_t) id);
|
|
|
|
if (!comdatum) {
|
|
yyerror2("common %s is not defined", id);
|
|
@@ -537,7 +731,8 @@ int define_av_perms(int inherits)
|
|
perdatum->s.value = ++cladatum->permissions.nprim;
|
|
|
|
if (perdatum->s.value > (sizeof(sepol_access_vector_t) * 8)) {
|
|
- yyerror("too many permissions to fit in an access vector");
|
|
+ yyerror
|
|
+ ("too many permissions to fit in an access vector");
|
|
goto bad;
|
|
}
|
|
if (inherits) {
|
|
@@ -546,13 +741,19 @@ int define_av_perms(int inherits)
|
|
* common permissions exist in the same
|
|
* name space.
|
|
*/
|
|
- perdatum2 = (perm_datum_t *) hashtab_search(cladatum->comdatum->permissions.table, (hashtab_key_t) id);
|
|
+ perdatum2 =
|
|
+ (perm_datum_t *) hashtab_search(cladatum->comdatum->
|
|
+ permissions.table,
|
|
+ (hashtab_key_t) id);
|
|
if (perdatum2) {
|
|
- yyerror2("permission %s conflicts with an " "inherited permission", id);
|
|
+ yyerror2("permission %s conflicts with an "
|
|
+ "inherited permission", id);
|
|
goto bad;
|
|
}
|
|
}
|
|
- ret = hashtab_insert(cladatum->permissions.table, (hashtab_key_t) id, (hashtab_datum_t) perdatum);
|
|
+ ret = hashtab_insert(cladatum->permissions.table,
|
|
+ (hashtab_key_t) id,
|
|
+ (hashtab_datum_t) perdatum);
|
|
|
|
if (ret == SEPOL_EEXIST) {
|
|
yyerror2("duplicate permission %s", id);
|
|
@@ -584,7 +785,7 @@ int define_sens(void)
|
|
mls_level_t *level = 0;
|
|
level_datum_t *datum = 0, *aliasdatum = 0;
|
|
int ret;
|
|
- uint32_t value; /* dummy variable -- its value is never used */
|
|
+ uint32_t value; /* dummy variable -- its value is never used */
|
|
|
|
if (!mlspol) {
|
|
yyerror("sensitivity definition in non-MLS configuration");
|
|
@@ -612,8 +813,8 @@ int define_sens(void)
|
|
goto bad;
|
|
}
|
|
mls_level_init(level);
|
|
- level->sens = 0; /* actual value set in define_dominance */
|
|
- ebitmap_init(&level->cat); /* actual value set in define_level */
|
|
+ level->sens = 0; /* actual value set in define_dominance */
|
|
+ ebitmap_init(&level->cat); /* actual value set in define_level */
|
|
|
|
datum = (level_datum_t *) malloc(sizeof(level_datum_t));
|
|
if (!datum) {
|
|
@@ -627,24 +828,24 @@ int define_sens(void)
|
|
ret = declare_symbol(SYM_LEVELS, id, datum, &value, &value);
|
|
switch (ret) {
|
|
case -3:{
|
|
- yyerror("Out of memory!");
|
|
- goto bad;
|
|
- }
|
|
+ yyerror("Out of memory!");
|
|
+ goto bad;
|
|
+ }
|
|
case -2:{
|
|
- yyerror("duplicate declaration of sensitivity level");
|
|
- goto bad;
|
|
- }
|
|
+ yyerror("duplicate declaration of sensitivity level");
|
|
+ goto bad;
|
|
+ }
|
|
case -1:{
|
|
- yyerror("could not declare sensitivity level here");
|
|
- goto bad;
|
|
- }
|
|
+ yyerror("could not declare sensitivity level here");
|
|
+ goto bad;
|
|
+ }
|
|
case 0:
|
|
case 1:{
|
|
- break;
|
|
- }
|
|
+ break;
|
|
+ }
|
|
default:{
|
|
- assert(0); /* should never get here */
|
|
- }
|
|
+ assert(0); /* should never get here */
|
|
+ }
|
|
}
|
|
|
|
while ((id = queue_remove(id_queue))) {
|
|
@@ -664,24 +865,26 @@ int define_sens(void)
|
|
ret = declare_symbol(SYM_LEVELS, id, aliasdatum, NULL, &value);
|
|
switch (ret) {
|
|
case -3:{
|
|
- yyerror("Out of memory!");
|
|
- goto bad_alias;
|
|
- }
|
|
+ yyerror("Out of memory!");
|
|
+ goto bad_alias;
|
|
+ }
|
|
case -2:{
|
|
- yyerror("duplicate declaration of sensitivity alias");
|
|
- goto bad_alias;
|
|
- }
|
|
+ yyerror
|
|
+ ("duplicate declaration of sensitivity alias");
|
|
+ goto bad_alias;
|
|
+ }
|
|
case -1:{
|
|
- yyerror("could not declare sensitivity alias here");
|
|
- goto bad_alias;
|
|
- }
|
|
+ yyerror
|
|
+ ("could not declare sensitivity alias here");
|
|
+ goto bad_alias;
|
|
+ }
|
|
case 0:
|
|
case 1:{
|
|
- break;
|
|
- }
|
|
+ break;
|
|
+ }
|
|
default:{
|
|
- assert(0); /* should never get here */
|
|
- }
|
|
+ assert(0); /* should never get here */
|
|
+ }
|
|
}
|
|
}
|
|
|
|
@@ -727,14 +930,18 @@ int define_dominance(void)
|
|
|
|
order = 0;
|
|
while ((id = (char *)queue_remove(id_queue))) {
|
|
- datum = (level_datum_t *) hashtab_search(policydbp->p_levels.table, (hashtab_key_t) id);
|
|
+ datum =
|
|
+ (level_datum_t *) hashtab_search(policydbp->p_levels.table,
|
|
+ (hashtab_key_t) id);
|
|
if (!datum) {
|
|
- yyerror2("unknown sensitivity %s used in dominance " "definition", id);
|
|
+ yyerror2("unknown sensitivity %s used in dominance "
|
|
+ "definition", id);
|
|
free(id);
|
|
return -1;
|
|
}
|
|
if (datum->level->sens != 0) {
|
|
- yyerror2("sensitivity %s occurs multiply in dominance " "definition", id);
|
|
+ yyerror2("sensitivity %s occurs multiply in dominance "
|
|
+ "definition", id);
|
|
free(id);
|
|
return -1;
|
|
}
|
|
@@ -745,7 +952,8 @@ int define_dominance(void)
|
|
}
|
|
|
|
if (order != policydbp->p_levels.nprim) {
|
|
- yyerror("all sensitivities must be specified in dominance definition");
|
|
+ yyerror
|
|
+ ("all sensitivities must be specified in dominance definition");
|
|
return -1;
|
|
}
|
|
return 0;
|
|
@@ -789,24 +997,24 @@ int define_category(void)
|
|
ret = declare_symbol(SYM_CATS, id, datum, &value, &value);
|
|
switch (ret) {
|
|
case -3:{
|
|
- yyerror("Out of memory!");
|
|
- goto bad;
|
|
- }
|
|
+ yyerror("Out of memory!");
|
|
+ goto bad;
|
|
+ }
|
|
case -2:{
|
|
- yyerror("duplicate declaration of category");
|
|
- goto bad;
|
|
- }
|
|
+ yyerror("duplicate declaration of category");
|
|
+ goto bad;
|
|
+ }
|
|
case -1:{
|
|
- yyerror("could not declare category here");
|
|
- goto bad;
|
|
- }
|
|
+ yyerror("could not declare category here");
|
|
+ goto bad;
|
|
+ }
|
|
case 0:
|
|
case 1:{
|
|
- break;
|
|
- }
|
|
+ break;
|
|
+ }
|
|
default:{
|
|
- assert(0); /* should never get here */
|
|
- }
|
|
+ assert(0); /* should never get here */
|
|
+ }
|
|
}
|
|
datum->s.value = value;
|
|
|
|
@@ -824,27 +1032,31 @@ int define_category(void)
|
|
aliasdatum->isalias = TRUE;
|
|
aliasdatum->s.value = datum->s.value;
|
|
|
|
- ret = declare_symbol(SYM_CATS, id, aliasdatum, NULL, &datum->s.value);
|
|
+ ret =
|
|
+ declare_symbol(SYM_CATS, id, aliasdatum, NULL,
|
|
+ &datum->s.value);
|
|
switch (ret) {
|
|
case -3:{
|
|
- yyerror("Out of memory!");
|
|
- goto bad_alias;
|
|
- }
|
|
+ yyerror("Out of memory!");
|
|
+ goto bad_alias;
|
|
+ }
|
|
case -2:{
|
|
- yyerror("duplicate declaration of category aliases");
|
|
- goto bad_alias;
|
|
- }
|
|
+ yyerror
|
|
+ ("duplicate declaration of category aliases");
|
|
+ goto bad_alias;
|
|
+ }
|
|
case -1:{
|
|
- yyerror("could not declare category aliases here");
|
|
- goto bad_alias;
|
|
- }
|
|
+ yyerror
|
|
+ ("could not declare category aliases here");
|
|
+ goto bad_alias;
|
|
+ }
|
|
case 0:
|
|
case 1:{
|
|
- break;
|
|
- }
|
|
+ break;
|
|
+ }
|
|
default:{
|
|
- assert(0); /* should never get here */
|
|
- }
|
|
+ assert(0); /* should never get here */
|
|
+ }
|
|
}
|
|
}
|
|
|
|
@@ -911,14 +1123,16 @@ int define_level(void)
|
|
yyerror("no level name for level definition?");
|
|
return -1;
|
|
}
|
|
- levdatum = (level_datum_t *) hashtab_search(policydbp->p_levels.table, (hashtab_key_t) id);
|
|
+ levdatum = (level_datum_t *) hashtab_search(policydbp->p_levels.table,
|
|
+ (hashtab_key_t) id);
|
|
if (!levdatum) {
|
|
yyerror2("unknown sensitivity %s used in level definition", id);
|
|
free(id);
|
|
return -1;
|
|
}
|
|
if (ebitmap_length(&levdatum->level->cat)) {
|
|
- yyerror2("sensitivity %s used in multiple level definitions", id);
|
|
+ yyerror2("sensitivity %s used in multiple level definitions",
|
|
+ id);
|
|
free(id);
|
|
return -1;
|
|
}
|
|
@@ -936,16 +1150,22 @@ int define_level(void)
|
|
|
|
*(id_end++) = '\0';
|
|
|
|
- cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table, (hashtab_key_t)
|
|
- id_start);
|
|
+ cdatum =
|
|
+ (cat_datum_t *) hashtab_search(policydbp->p_cats.
|
|
+ table,
|
|
+ (hashtab_key_t)
|
|
+ id_start);
|
|
if (!cdatum) {
|
|
yyerror2("unknown category %s", id_start);
|
|
free(id);
|
|
return -1;
|
|
}
|
|
range_start = cdatum->s.value - 1;
|
|
- cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table, (hashtab_key_t)
|
|
- id_end);
|
|
+ cdatum =
|
|
+ (cat_datum_t *) hashtab_search(policydbp->p_cats.
|
|
+ table,
|
|
+ (hashtab_key_t)
|
|
+ id_end);
|
|
if (!cdatum) {
|
|
yyerror2("unknown category %s", id_end);
|
|
free(id);
|
|
@@ -959,7 +1179,10 @@ int define_level(void)
|
|
return -1;
|
|
}
|
|
} else {
|
|
- cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table, (hashtab_key_t) id);
|
|
+ cdatum =
|
|
+ (cat_datum_t *) hashtab_search(policydbp->p_cats.
|
|
+ table,
|
|
+ (hashtab_key_t) id);
|
|
range_start = range_end = cdatum->s.value - 1;
|
|
}
|
|
|
|
@@ -974,7 +1197,8 @@ int define_level(void)
|
|
free(id);
|
|
}
|
|
|
|
- if (hashtab_map(policydbp->p_levels.table, clone_level, levdatum->level)) {
|
|
+ if (hashtab_map
|
|
+ (policydbp->p_levels.table, clone_level, levdatum->level)) {
|
|
yyerror("out of memory");
|
|
return -1;
|
|
}
|
|
@@ -1003,7 +1227,8 @@ static int add_aliases_to_type(type_datum_t * type)
|
|
while ((id = queue_remove(id_queue))) {
|
|
if (id_has_dot(id)) {
|
|
free(id);
|
|
- yyerror("type alias identifiers may not contain periods");
|
|
+ yyerror
|
|
+ ("type alias identifiers may not contain periods");
|
|
return -1;
|
|
}
|
|
aliasdatum = (type_datum_t *) malloc(sizeof(type_datum_t));
|
|
@@ -1015,39 +1240,40 @@ static int add_aliases_to_type(type_datum_t * type)
|
|
memset(aliasdatum, 0, sizeof(type_datum_t));
|
|
aliasdatum->s.value = type->s.value;
|
|
|
|
- ret = declare_symbol(SYM_TYPES, id, aliasdatum, NULL, &aliasdatum->s.value);
|
|
+ ret = declare_symbol(SYM_TYPES, id, aliasdatum,
|
|
+ NULL, &aliasdatum->s.value);
|
|
switch (ret) {
|
|
case -3:{
|
|
- yyerror("Out of memory!");
|
|
- goto cleanup;
|
|
- }
|
|
+ yyerror("Out of memory!");
|
|
+ goto cleanup;
|
|
+ }
|
|
case -2:{
|
|
- yyerror2("duplicate declaration of alias %s", id);
|
|
- goto cleanup;
|
|
- }
|
|
+ yyerror2("duplicate declaration of alias %s",
|
|
+ id);
|
|
+ goto cleanup;
|
|
+ }
|
|
case -1:{
|
|
- yyerror("could not declare alias here");
|
|
- goto cleanup;
|
|
- }
|
|
- case 0:
|
|
- break;
|
|
+ yyerror("could not declare alias here");
|
|
+ goto cleanup;
|
|
+ }
|
|
+ case 0: break;
|
|
case 1:{
|
|
- /* ret == 1 means the alias was required and therefore already
|
|
- * has a value. Set it up as an alias with a different primary. */
|
|
- type_datum_destroy(aliasdatum);
|
|
- free(aliasdatum);
|
|
+ /* ret == 1 means the alias was required and therefore already
|
|
+ * has a value. Set it up as an alias with a different primary. */
|
|
+ type_datum_destroy(aliasdatum);
|
|
+ free(aliasdatum);
|
|
|
|
- aliasdatum = hashtab_search(policydbp->symtab[SYM_TYPES].table, id);
|
|
- assert(aliasdatum);
|
|
+ aliasdatum = hashtab_search(policydbp->symtab[SYM_TYPES].table, id);
|
|
+ assert(aliasdatum);
|
|
|
|
- aliasdatum->primary = type->s.value;
|
|
- aliasdatum->flavor = TYPE_ALIAS;
|
|
+ aliasdatum->primary = type->s.value;
|
|
+ aliasdatum->flavor = TYPE_ALIAS;
|
|
|
|
- break;
|
|
- }
|
|
+ break;
|
|
+ }
|
|
default:{
|
|
- assert(0); /* should never get here */
|
|
- }
|
|
+ assert(0); /* should never get here */
|
|
+ }
|
|
}
|
|
}
|
|
return 0;
|
|
@@ -1082,11 +1308,11 @@ int define_typealias(void)
|
|
}
|
|
t = hashtab_search(policydbp->p_types.table, id);
|
|
if (!t || t->flavor == TYPE_ATTRIB) {
|
|
- yyerror2("unknown type %s, or it was already declared as an " "attribute", id);
|
|
+ yyerror2("unknown type %s, or it was already declared as an "
|
|
+ "attribute", id);
|
|
free(id);
|
|
return -1;
|
|
}
|
|
- free(id);
|
|
return add_aliases_to_type(t);
|
|
}
|
|
|
|
@@ -1118,7 +1344,6 @@ int define_typeattribute(void)
|
|
free(id);
|
|
return -1;
|
|
}
|
|
- free(id);
|
|
|
|
while ((id = queue_remove(id_queue))) {
|
|
if (!is_id_in_scope(SYM_TYPES, id)) {
|
|
@@ -1191,7 +1416,8 @@ static int define_typebounds_helper(char *bounds_id, char *type_id)
|
|
else if (type->bounds != bounds->s.value) {
|
|
yyerror2("type %s has inconsistent master {%s,%s}",
|
|
type_id,
|
|
- policydbp->p_type_val_to_name[type->bounds - 1], policydbp->p_type_val_to_name[bounds->s.value - 1]);
|
|
+ policydbp->p_type_val_to_name[type->bounds - 1],
|
|
+ policydbp->p_type_val_to_name[bounds->s.value - 1]);
|
|
return -1;
|
|
}
|
|
|
|
@@ -1200,15 +1426,18 @@ static int define_typebounds_helper(char *bounds_id, char *type_id)
|
|
|
|
int define_typebounds(void)
|
|
{
|
|
- char *bounds, *id;
|
|
+ char *id;
|
|
|
|
if (pass == 1) {
|
|
while ((id = queue_remove(id_queue)))
|
|
free(id);
|
|
return 0;
|
|
}
|
|
+/* Required for SETools libqpol */
|
|
+#ifdef HAVE_SEPOL_BOUNDARY
|
|
+ char *bounds;
|
|
|
|
- bounds = (char *)queue_remove(id_queue);
|
|
+ bounds = (char *) queue_remove(id_queue);
|
|
if (!bounds) {
|
|
yyerror("no type name for typebounds definition?");
|
|
return -1;
|
|
@@ -1222,13 +1451,15 @@ int define_typebounds(void)
|
|
free(bounds);
|
|
|
|
return 0;
|
|
+#else
|
|
+ yyerror("This version of SETools does not have typebounds enabled.");
|
|
+#endif
|
|
}
|
|
|
|
int define_type(int alias)
|
|
{
|
|
char *id;
|
|
type_datum_t *datum, *attr;
|
|
- int newattr = 0;
|
|
|
|
if (pass == 2) {
|
|
/*
|
|
@@ -1241,7 +1472,7 @@ int define_type(int alias)
|
|
|
|
if ((delim = strrchr(id, '.'))
|
|
&& (bounds = strdup(id))) {
|
|
- bounds[(size_t) (delim - id)] = '\0';
|
|
+ bounds[(size_t)(delim - id)] = '\0';
|
|
|
|
if (define_typebounds_helper(bounds, id))
|
|
return -1;
|
|
@@ -1281,8 +1512,6 @@ int define_type(int alias)
|
|
/* treat it as a fatal error */
|
|
yyerror2("attribute %s is not declared", id);
|
|
return -1;
|
|
- } else {
|
|
- newattr = 0;
|
|
}
|
|
|
|
if (attr->flavor != TYPE_ATTRIB) {
|
|
@@ -1304,8 +1533,7 @@ int define_type(int alias)
|
|
return 0;
|
|
}
|
|
|
|
-struct val_to_name
|
|
-{
|
|
+struct val_to_name {
|
|
unsigned int val;
|
|
char *name;
|
|
};
|
|
@@ -1379,7 +1607,6 @@ int define_compute_type_helper(int which, avrule_t ** rule)
|
|
{
|
|
char *id;
|
|
type_datum_t *datum;
|
|
- class_datum_t *cladatum;
|
|
ebitmap_t tclasses;
|
|
ebitmap_node_t *node;
|
|
avrule_t *avrule;
|
|
@@ -1397,32 +1624,17 @@ int define_compute_type_helper(int which, avrule_t ** rule)
|
|
|
|
while ((id = queue_remove(id_queue))) {
|
|
if (set_types(&avrule->stypes, id, &add, 0))
|
|
- return -1;
|
|
+ goto bad;
|
|
}
|
|
add = 1;
|
|
while ((id = queue_remove(id_queue))) {
|
|
if (set_types(&avrule->ttypes, id, &add, 0))
|
|
- return -1;
|
|
+ goto bad;
|
|
}
|
|
|
|
ebitmap_init(&tclasses);
|
|
- while ((id = queue_remove(id_queue))) {
|
|
- if (!is_id_in_scope(SYM_CLASSES, id)) {
|
|
- yyerror2("class %s is not within scope", id);
|
|
- free(id);
|
|
- goto bad;
|
|
- }
|
|
- cladatum = hashtab_search(policydbp->p_classes.table, id);
|
|
- if (!cladatum) {
|
|
- yyerror2("unknown class %s", id);
|
|
- goto bad;
|
|
- }
|
|
- if (ebitmap_set_bit(&tclasses, cladatum->s.value - 1, TRUE)) {
|
|
- yyerror("Out of memory");
|
|
- goto bad;
|
|
- }
|
|
- free(id);
|
|
- }
|
|
+ if (read_classes(&tclasses))
|
|
+ goto bad;
|
|
|
|
id = (char *)queue_remove(id_queue);
|
|
if (!id) {
|
|
@@ -1434,22 +1646,22 @@ int define_compute_type_helper(int which, avrule_t ** rule)
|
|
free(id);
|
|
goto bad;
|
|
}
|
|
- datum = (type_datum_t *) hashtab_search(policydbp->p_types.table, (hashtab_key_t) id);
|
|
+ datum = (type_datum_t *) hashtab_search(policydbp->p_types.table,
|
|
+ (hashtab_key_t) id);
|
|
if (!datum || datum->flavor == TYPE_ATTRIB) {
|
|
yyerror2("unknown type %s", id);
|
|
goto bad;
|
|
}
|
|
- free(id);
|
|
|
|
ebitmap_for_each_bit(&tclasses, node, i) {
|
|
if (ebitmap_node_get_bit(node, i)) {
|
|
perm = malloc(sizeof(class_perm_node_t));
|
|
if (!perm) {
|
|
yyerror("out of memory");
|
|
- return -1;
|
|
+ goto bad;
|
|
}
|
|
class_perm_node_init(perm);
|
|
- perm->class = i + 1;
|
|
+ perm->tclass = i + 1;
|
|
perm->data = datum->s.value;
|
|
perm->next = avrule->perms;
|
|
avrule->perms = perm;
|
|
@@ -1472,7 +1684,7 @@ int define_compute_type(int which)
|
|
avrule_t *avrule;
|
|
int retval;
|
|
|
|
- if (pass == 1 || (num_rules && !load_rules)) {
|
|
+ if (pass == 1 || (num_rules && !load_rules)) { /* Required for SETools libqpol */
|
|
while ((id = queue_remove(id_queue)))
|
|
free(id);
|
|
while ((id = queue_remove(id_queue)))
|
|
@@ -1519,7 +1731,7 @@ avrule_t *define_cond_compute_type(int which)
|
|
char *id;
|
|
avrule_t *avrule;
|
|
|
|
- if (pass == 1 || (num_rules && !load_rules)) {
|
|
+ if (pass == 1 || (num_rules && !load_rules)) { /* Required for SETools libqpol */
|
|
while ((id = queue_remove(id_queue)))
|
|
free(id);
|
|
while ((id = queue_remove(id_queue)))
|
|
@@ -1539,7 +1751,7 @@ avrule_t *define_cond_compute_type(int which)
|
|
return avrule;
|
|
}
|
|
|
|
-int define_bool(void)
|
|
+int define_bool_tunable(int is_tunable)
|
|
{
|
|
char *id, *bool_value;
|
|
cond_bool_datum_t *datum;
|
|
@@ -1569,27 +1781,29 @@ int define_bool(void)
|
|
return -1;
|
|
}
|
|
memset(datum, 0, sizeof(cond_bool_datum_t));
|
|
+ if (is_tunable)
|
|
+ datum->flags |= COND_BOOL_FLAGS_TUNABLE;
|
|
ret = declare_symbol(SYM_BOOLS, id, datum, &value, &value);
|
|
switch (ret) {
|
|
case -3:{
|
|
- yyerror("Out of memory!");
|
|
- goto cleanup;
|
|
- }
|
|
+ yyerror("Out of memory!");
|
|
+ goto cleanup;
|
|
+ }
|
|
case -2:{
|
|
- yyerror2("duplicate declaration of boolean %s", id);
|
|
- goto cleanup;
|
|
- }
|
|
+ yyerror2("duplicate declaration of boolean %s", id);
|
|
+ goto cleanup;
|
|
+ }
|
|
case -1:{
|
|
- yyerror("could not declare boolean here");
|
|
- goto cleanup;
|
|
- }
|
|
+ yyerror("could not declare boolean here");
|
|
+ goto cleanup;
|
|
+ }
|
|
case 0:
|
|
case 1:{
|
|
- break;
|
|
- }
|
|
+ break;
|
|
+ }
|
|
default:{
|
|
- assert(0); /* should never get here */
|
|
- }
|
|
+ assert(0); /* should never get here */
|
|
+ }
|
|
}
|
|
datum->s.value = value;
|
|
|
|
@@ -1601,7 +1815,6 @@ int define_bool(void)
|
|
}
|
|
|
|
datum->state = (int)(bool_value[0] == 'T') ? 1 : 0;
|
|
- free(bool_value);
|
|
return 0;
|
|
cleanup:
|
|
cond_destroy_bool(id, datum, NULL);
|
|
@@ -1610,7 +1823,7 @@ int define_bool(void)
|
|
|
|
avrule_t *define_cond_pol_list(avrule_t * avlist, avrule_t * sl)
|
|
{
|
|
- if (pass == 1 || (num_rules && !load_rules)) {
|
|
+ if (pass == 1 || (num_rules && !load_rules)) { /* Required for SETools libqpol */
|
|
/* return something so we get through pass 1 */
|
|
return (avrule_t *) 1;
|
|
}
|
|
@@ -1649,7 +1862,9 @@ int define_te_avtab_helper(int which, avrule_t ** rule)
|
|
avrule->line = policydb_lineno;
|
|
|
|
while ((id = queue_remove(id_queue))) {
|
|
- if (set_types(&avrule->stypes, id, &add, which == AVRULE_NEVERALLOW ? 1 : 0)) {
|
|
+ if (set_types
|
|
+ (&avrule->stypes, id, &add,
|
|
+ which == AVRULE_NEVERALLOW ? 1 : 0)) {
|
|
ret = -1;
|
|
goto out;
|
|
}
|
|
@@ -1661,45 +1876,32 @@ int define_te_avtab_helper(int which, avrule_t ** rule)
|
|
avrule->flags |= RULE_SELF;
|
|
continue;
|
|
}
|
|
- if (set_types(&avrule->ttypes, id, &add, which == AVRULE_NEVERALLOW ? 1 : 0)) {
|
|
+ if (set_types
|
|
+ (&avrule->ttypes, id, &add,
|
|
+ which == AVRULE_NEVERALLOW ? 1 : 0)) {
|
|
ret = -1;
|
|
goto out;
|
|
}
|
|
}
|
|
|
|
ebitmap_init(&tclasses);
|
|
- while ((id = queue_remove(id_queue))) {
|
|
- if (!is_id_in_scope(SYM_CLASSES, id)) {
|
|
- yyerror2("class %s is not within scope", id);
|
|
- ret = -1;
|
|
- goto out;
|
|
- }
|
|
- cladatum = hashtab_search(policydbp->p_classes.table, id);
|
|
- if (!cladatum) {
|
|
- yyerror2("unknown class %s used in rule", id);
|
|
- ret = -1;
|
|
- goto out;
|
|
- }
|
|
- if (ebitmap_set_bit(&tclasses, cladatum->s.value - 1, TRUE)) {
|
|
- yyerror("Out of memory");
|
|
- ret = -1;
|
|
- goto out;
|
|
- }
|
|
- free(id);
|
|
- }
|
|
+ ret = read_classes(&tclasses);
|
|
+ if (ret)
|
|
+ goto out;
|
|
|
|
perms = NULL;
|
|
ebitmap_for_each_bit(&tclasses, node, i) {
|
|
if (!ebitmap_node_get_bit(node, i))
|
|
continue;
|
|
- cur_perms = (class_perm_node_t *) malloc(sizeof(class_perm_node_t));
|
|
+ cur_perms =
|
|
+ (class_perm_node_t *) malloc(sizeof(class_perm_node_t));
|
|
if (!cur_perms) {
|
|
yyerror("out of memory");
|
|
ret = -1;
|
|
goto out;
|
|
}
|
|
class_perm_node_init(cur_perms);
|
|
- cur_perms->class = i + 1;
|
|
+ cur_perms->tclass = i + 1;
|
|
if (!perms)
|
|
perms = cur_perms;
|
|
if (tail)
|
|
@@ -1728,21 +1930,29 @@ int define_te_avtab_helper(int which, avrule_t ** rule)
|
|
goto next;
|
|
}
|
|
|
|
- perdatum = hashtab_search(cladatum->permissions.table, id);
|
|
+ perdatum =
|
|
+ hashtab_search(cladatum->permissions.table, id);
|
|
if (!perdatum) {
|
|
if (cladatum->comdatum) {
|
|
- perdatum = hashtab_search(cladatum->comdatum->permissions.table, id);
|
|
+ perdatum =
|
|
+ hashtab_search(cladatum->comdatum->
|
|
+ permissions.table,
|
|
+ id);
|
|
}
|
|
}
|
|
if (!perdatum) {
|
|
if (!suppress)
|
|
yyerror2("permission %s is not defined"
|
|
- " for class %s", id, policydbp->p_class_val_to_name[i]);
|
|
+ " for class %s", id,
|
|
+ policydbp->p_class_val_to_name[i]);
|
|
continue;
|
|
- } else if (!is_perm_in_scope(id, policydbp->p_class_val_to_name[i])) {
|
|
+ } else
|
|
+ if (!is_perm_in_scope
|
|
+ (id, policydbp->p_class_val_to_name[i])) {
|
|
if (!suppress) {
|
|
yyerror2("permission %s of class %s is"
|
|
- " not within scope", id, policydbp->p_class_val_to_name[i]);
|
|
+ " not within scope", id,
|
|
+ policydbp->p_class_val_to_name[i]);
|
|
}
|
|
continue;
|
|
} else {
|
|
@@ -1765,70 +1975,216 @@ int define_te_avtab_helper(int which, avrule_t ** rule)
|
|
|
|
}
|
|
|
|
-avrule_t *define_cond_te_avtab(int which)
|
|
+avrule_t *define_cond_te_avtab(int which)
|
|
+{
|
|
+ char *id;
|
|
+ avrule_t *avrule;
|
|
+ int i;
|
|
+
|
|
+ if (pass == 1 || (num_rules && !load_rules)) { /* Required for SETools libqpol */
|
|
+ for (i = 0; i < 4; i++) {
|
|
+ while ((id = queue_remove(id_queue)))
|
|
+ free(id);
|
|
+ }
|
|
+ return (avrule_t *) 1; /* any non-NULL value */
|
|
+ }
|
|
+
|
|
+ num_rules++;
|
|
+
|
|
+ if (define_te_avtab_helper(which, &avrule))
|
|
+ return COND_ERR;
|
|
+
|
|
+ return avrule;
|
|
+}
|
|
+
|
|
+int define_te_avtab(int which)
|
|
+{
|
|
+ char *id;
|
|
+ avrule_t *avrule;
|
|
+ int i;
|
|
+
|
|
+ if (pass == 1 || (num_rules && !load_rules)) { /* Required for SETools libqpol */
|
|
+ for (i = 0; i < 4; i++) {
|
|
+ while ((id = queue_remove(id_queue)))
|
|
+ free(id);
|
|
+ }
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
+ num_rules++;
|
|
+
|
|
+ if (define_te_avtab_helper(which, &avrule))
|
|
+ return -1;
|
|
+
|
|
+ /* append this avrule to the end of the current rules list */
|
|
+ append_avrule(avrule);
|
|
+ return 0;
|
|
+}
|
|
+
|
|
+/* The role-types rule is no longer used to declare regular role or
|
|
+ * role attribute, but solely aimed for declaring role-types associations.
|
|
+ */
|
|
+int define_role_types(void)
|
|
+{
|
|
+ role_datum_t *role;
|
|
+ char *id;
|
|
+ int add = 1;
|
|
+
|
|
+ if (pass == 1) {
|
|
+ while ((id = queue_remove(id_queue)))
|
|
+ free(id);
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
+ id = (char *)queue_remove(id_queue);
|
|
+ if (!id) {
|
|
+ yyerror("no role name for role-types rule?");
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
+ if (!is_id_in_scope(SYM_ROLES, id)) {
|
|
+ yyerror2("role %s is not within scope", id);
|
|
+ free(id);
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
+ role = hashtab_search(policydbp->p_roles.table, id);
|
|
+ if (!role) {
|
|
+ yyerror2("unknown role %s", id);
|
|
+ free(id);
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
+ while ((id = queue_remove(id_queue))) {
|
|
+ if (set_types(&role->types, id, &add, 0))
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
+ return 0;
|
|
+}
|
|
+
|
|
+int define_attrib_role(void)
|
|
{
|
|
- char *id;
|
|
- avrule_t *avrule;
|
|
- int i;
|
|
-
|
|
- if (pass == 1 || (num_rules && !load_rules)) {
|
|
- for (i = 0; i < 4; i++) {
|
|
- while ((id = queue_remove(id_queue)))
|
|
- free(id);
|
|
- }
|
|
- return (avrule_t *) 1; /* any non-NULL value */
|
|
+ if (pass == 2) {
|
|
+ free(queue_remove(id_queue));
|
|
+ return 0;
|
|
}
|
|
|
|
- num_rules++;
|
|
-
|
|
- if (define_te_avtab_helper(which, &avrule))
|
|
- return COND_ERR;
|
|
+ /* Declare a role attribute */
|
|
+ if (declare_role(TRUE) == NULL)
|
|
+ return -1;
|
|
|
|
- return avrule;
|
|
+ return 0;
|
|
}
|
|
|
|
-int define_te_avtab(int which)
|
|
+int define_role_attr(void)
|
|
{
|
|
char *id;
|
|
- avrule_t *avrule;
|
|
- int i;
|
|
+ role_datum_t *r, *attr;
|
|
|
|
- if (pass == 1 || (num_rules && !load_rules)) {
|
|
- for (i = 0; i < 4; i++) {
|
|
- while ((id = queue_remove(id_queue)))
|
|
- free(id);
|
|
- }
|
|
+ if (pass == 2) {
|
|
+ while ((id = queue_remove(id_queue)))
|
|
+ free(id);
|
|
return 0;
|
|
}
|
|
+
|
|
+ /* Declare a regular role */
|
|
+ if ((r = declare_role(FALSE)) == NULL)
|
|
+ return -1;
|
|
|
|
- num_rules++;
|
|
+ while ((id = queue_remove(id_queue))) {
|
|
+ if (!is_id_in_scope(SYM_ROLES, id)) {
|
|
+ yyerror2("attribute %s is not within scope", id);
|
|
+ free(id);
|
|
+ return -1;
|
|
+ }
|
|
+ attr = hashtab_search(policydbp->p_roles.table, id);
|
|
+ if (!attr) {
|
|
+ /* treat it as a fatal error */
|
|
+ yyerror2("role attribute %s is not declared", id);
|
|
+ free(id);
|
|
+ return -1;
|
|
+ }
|
|
|
|
- if (define_te_avtab_helper(which, &avrule))
|
|
- return -1;
|
|
+ if (attr->flavor != ROLE_ATTRIB) {
|
|
+ yyerror2("%s is a regular role, not an attribute", id);
|
|
+ free(id);
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
+ if ((attr = get_local_role(id, attr->s.value, 1)) == NULL) {
|
|
+ yyerror("Out of memory!");
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
+ if (ebitmap_set_bit(&attr->roles, (r->s.value - 1), TRUE)) {
|
|
+ yyerror("out of memory");
|
|
+ return -1;
|
|
+ }
|
|
+ }
|
|
|
|
- /* append this avrule to the end of the current rules list */
|
|
- append_avrule(avrule);
|
|
return 0;
|
|
}
|
|
|
|
-int define_role_types(void)
|
|
+int define_roleattribute(void)
|
|
{
|
|
- role_datum_t *role;
|
|
char *id;
|
|
- int add = 1;
|
|
+ role_datum_t *r, *attr;
|
|
|
|
- if (pass == 1) {
|
|
+ if (pass == 2) {
|
|
while ((id = queue_remove(id_queue)))
|
|
free(id);
|
|
return 0;
|
|
}
|
|
|
|
- if ((role = declare_role()) == NULL) {
|
|
+ id = (char *)queue_remove(id_queue);
|
|
+ if (!id) {
|
|
+ yyerror("no role name for roleattribute definition?");
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
+ if (!is_id_in_scope(SYM_ROLES, id)) {
|
|
+ yyerror2("role %s is not within scope", id);
|
|
+ free(id);
|
|
+ return -1;
|
|
+ }
|
|
+ r = hashtab_search(policydbp->p_roles.table, id);
|
|
+ /* We support adding one role attribute into another */
|
|
+ if (!r) {
|
|
+ yyerror2("unknown role %s", id);
|
|
+ free(id);
|
|
return -1;
|
|
}
|
|
+
|
|
while ((id = queue_remove(id_queue))) {
|
|
- if (set_types(&role->types, id, &add, 0))
|
|
+ if (!is_id_in_scope(SYM_ROLES, id)) {
|
|
+ yyerror2("attribute %s is not within scope", id);
|
|
+ free(id);
|
|
+ return -1;
|
|
+ }
|
|
+ attr = hashtab_search(policydbp->p_roles.table, id);
|
|
+ if (!attr) {
|
|
+ /* treat it as a fatal error */
|
|
+ yyerror2("role attribute %s is not declared", id);
|
|
+ free(id);
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
+ if (attr->flavor != ROLE_ATTRIB) {
|
|
+ yyerror2("%s is a regular role, not an attribute", id);
|
|
+ free(id);
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
+ if ((attr = get_local_role(id, attr->s.value, 1)) == NULL) {
|
|
+ yyerror("Out of memory!");
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
+ if (ebitmap_set_bit(&attr->roles, (r->s.value - 1), TRUE)) {
|
|
+ yyerror("out of memory");
|
|
return -1;
|
|
+ }
|
|
}
|
|
|
|
return 0;
|
|
@@ -1848,13 +2204,15 @@ role_datum_t *merge_roles_dom(role_datum_t * r1, role_datum_t * r2)
|
|
return NULL;
|
|
}
|
|
memset(new, 0, sizeof(role_datum_t));
|
|
- new->s.value = 0; /* temporary role */
|
|
+ new->s.value = 0; /* temporary role */
|
|
if (ebitmap_or(&new->dominates, &r1->dominates, &r2->dominates)) {
|
|
yyerror("out of memory");
|
|
+ free(new);
|
|
return NULL;
|
|
}
|
|
if (ebitmap_or(&new->types.types, &r1->types.types, &r2->types.types)) {
|
|
yyerror("out of memory");
|
|
+ free(new);
|
|
return NULL;
|
|
}
|
|
if (!r1->s.value) {
|
|
@@ -1874,7 +2232,8 @@ role_datum_t *merge_roles_dom(role_datum_t * r1, role_datum_t * r2)
|
|
}
|
|
|
|
/* This function eliminates the ordering dependency of role dominance rule */
|
|
-static int dominate_role_recheck(hashtab_key_t key, hashtab_datum_t datum, void *arg)
|
|
+static int dominate_role_recheck(hashtab_key_t key, hashtab_datum_t datum,
|
|
+ void *arg)
|
|
{
|
|
role_datum_t *rdp = (role_datum_t *) arg;
|
|
role_datum_t *rdatum = (role_datum_t *) datum;
|
|
@@ -1896,12 +2255,14 @@ static int dominate_role_recheck(hashtab_key_t key, hashtab_datum_t datum, void
|
|
/* raise types and dominates from dominated role */
|
|
ebitmap_for_each_bit(&rdp->dominates, node, i) {
|
|
if (ebitmap_node_get_bit(node, i))
|
|
- if (ebitmap_set_bit(&rdatum->dominates, i, TRUE))
|
|
+ if (ebitmap_set_bit
|
|
+ (&rdatum->dominates, i, TRUE))
|
|
goto oom;
|
|
}
|
|
ebitmap_for_each_bit(&types, node, i) {
|
|
if (ebitmap_node_get_bit(node, i))
|
|
- if (ebitmap_set_bit(&rdatum->types.types, i, TRUE))
|
|
+ if (ebitmap_set_bit
|
|
+ (&rdatum->types.types, i, TRUE))
|
|
goto oom;
|
|
}
|
|
ebitmap_destroy(&types);
|
|
@@ -1936,7 +2297,8 @@ role_datum_t *define_role_dom(role_datum_t * r)
|
|
free(role_id);
|
|
return NULL;
|
|
}
|
|
- role = (role_datum_t *) hashtab_search(policydbp->p_roles.table, role_id);
|
|
+ role = (role_datum_t *) hashtab_search(policydbp->p_roles.table,
|
|
+ role_id);
|
|
if (!role) {
|
|
role = (role_datum_t *) malloc(sizeof(role_datum_t));
|
|
if (!role) {
|
|
@@ -1945,27 +2307,31 @@ role_datum_t *define_role_dom(role_datum_t * r)
|
|
return NULL;
|
|
}
|
|
memset(role, 0, sizeof(role_datum_t));
|
|
- ret = declare_symbol(SYM_ROLES, (hashtab_key_t) role_id, (hashtab_datum_t) role, &role->s.value, &role->s.value);
|
|
+ ret =
|
|
+ declare_symbol(SYM_ROLES, (hashtab_key_t) role_id,
|
|
+ (hashtab_datum_t) role, &role->s.value,
|
|
+ &role->s.value);
|
|
switch (ret) {
|
|
case -3:{
|
|
- yyerror("Out of memory!");
|
|
- goto cleanup;
|
|
- }
|
|
+ yyerror("Out of memory!");
|
|
+ goto cleanup;
|
|
+ }
|
|
case -2:{
|
|
- yyerror2("duplicate declaration of role %s", role_id);
|
|
- goto cleanup;
|
|
- }
|
|
+ yyerror2("duplicate declaration of role %s",
|
|
+ role_id);
|
|
+ goto cleanup;
|
|
+ }
|
|
case -1:{
|
|
- yyerror("could not declare role here");
|
|
- goto cleanup;
|
|
- }
|
|
+ yyerror("could not declare role here");
|
|
+ goto cleanup;
|
|
+ }
|
|
case 0:
|
|
case 1:{
|
|
- break;
|
|
- }
|
|
+ break;
|
|
+ }
|
|
default:{
|
|
- assert(0); /* should never get here */
|
|
- }
|
|
+ assert(0); /* should never get here */
|
|
+ }
|
|
}
|
|
if (ebitmap_set_bit(&role->dominates, role->s.value - 1, TRUE)) {
|
|
yyerror("Out of memory!");
|
|
@@ -1986,7 +2352,8 @@ role_datum_t *define_role_dom(role_datum_t * r)
|
|
}
|
|
ebitmap_for_each_bit(&types, node, i) {
|
|
if (ebitmap_node_get_bit(node, i))
|
|
- if (ebitmap_set_bit(&role->types.types, i, TRUE))
|
|
+ if (ebitmap_set_bit
|
|
+ (&role->types.types, i, TRUE))
|
|
goto oom;
|
|
}
|
|
ebitmap_destroy(&types);
|
|
@@ -2000,7 +2367,8 @@ role_datum_t *define_role_dom(role_datum_t * r)
|
|
* Now go through all the roles and escalate this role's
|
|
* dominates and types if a role dominates this role.
|
|
*/
|
|
- hashtab_map(policydbp->p_roles.table, dominate_role_recheck, role);
|
|
+ hashtab_map(policydbp->p_roles.table,
|
|
+ dominate_role_recheck, role);
|
|
}
|
|
return role;
|
|
cleanup:
|
|
@@ -2013,7 +2381,8 @@ role_datum_t *define_role_dom(role_datum_t * r)
|
|
goto cleanup;
|
|
}
|
|
|
|
-static int role_val_to_name_helper(hashtab_key_t key, hashtab_datum_t datum, void *p)
|
|
+static int role_val_to_name_helper(hashtab_key_t key, hashtab_datum_t datum,
|
|
+ void *p)
|
|
{
|
|
struct val_to_name *v = p;
|
|
role_datum_t *roldatum;
|
|
@@ -2076,17 +2445,18 @@ static int set_roles(role_set_t * set, char *id)
|
|
return 0;
|
|
}
|
|
|
|
-int define_role_trans(void)
|
|
+int define_role_trans(int class_specified)
|
|
{
|
|
char *id;
|
|
role_datum_t *role;
|
|
role_set_t roles;
|
|
type_set_t types;
|
|
- ebitmap_t e_types, e_roles;
|
|
- ebitmap_node_t *tnode, *rnode;
|
|
+ class_datum_t *cladatum;
|
|
+ ebitmap_t e_types, e_roles, e_classes;
|
|
+ ebitmap_node_t *tnode, *rnode, *cnode;
|
|
struct role_trans *tr = NULL;
|
|
struct role_trans_rule *rule = NULL;
|
|
- unsigned int i, j;
|
|
+ unsigned int i, j, k;
|
|
int add = 1;
|
|
|
|
if (pass == 1) {
|
|
@@ -2094,6 +2464,9 @@ int define_role_trans(void)
|
|
free(id);
|
|
while ((id = queue_remove(id_queue)))
|
|
free(id);
|
|
+ if (class_specified)
|
|
+ while ((id = queue_remove(id_queue)))
|
|
+ free(id);
|
|
id = queue_remove(id_queue);
|
|
free(id);
|
|
return 0;
|
|
@@ -2103,6 +2476,7 @@ int define_role_trans(void)
|
|
ebitmap_init(&e_roles);
|
|
type_set_init(&types);
|
|
ebitmap_init(&e_types);
|
|
+ ebitmap_init(&e_classes);
|
|
|
|
while ((id = queue_remove(id_queue))) {
|
|
if (set_roles(&roles, id))
|
|
@@ -2114,6 +2488,24 @@ int define_role_trans(void)
|
|
return -1;
|
|
}
|
|
|
|
+ if (class_specified) {
|
|
+ if (read_classes(&e_classes))
|
|
+ return -1;
|
|
+ } else {
|
|
+ cladatum = hashtab_search(policydbp->p_classes.table,
|
|
+ "process");
|
|
+ if (!cladatum) {
|
|
+ yyerror2("could not find process class for "
|
|
+ "legacy role_transition statement");
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
+ if (ebitmap_set_bit(&e_classes, cladatum->s.value - 1, TRUE)) {
|
|
+ yyerror("out of memory");
|
|
+ return -1;
|
|
+ }
|
|
+ }
|
|
+
|
|
id = (char *)queue_remove(id_queue);
|
|
if (!id) {
|
|
yyerror("no new role in transition definition?");
|
|
@@ -2129,9 +2521,14 @@ int define_role_trans(void)
|
|
yyerror2("unknown role %s used in transition definition", id);
|
|
goto bad;
|
|
}
|
|
- free(id);
|
|
+
|
|
+ if (role->flavor != ROLE_ROLE) {
|
|
+ yyerror2("the new role %s must be a regular role", id);
|
|
+ goto bad;
|
|
+ }
|
|
|
|
/* This ebitmap business is just to ensure that there are not conflicting role_trans rules */
|
|
+/* Required for SETools libqpol */
|
|
#ifdef HAVE_SEPOL_ROLE_ATTRS
|
|
if (role_set_expand(&roles, &e_roles, policydbp, NULL, NULL))
|
|
#elif HAVE_SEPOL_USER_ROLE_MAPPING
|
|
@@ -2150,26 +2547,37 @@ int define_role_trans(void)
|
|
ebitmap_for_each_bit(&e_types, tnode, j) {
|
|
if (!ebitmap_node_get_bit(tnode, j))
|
|
continue;
|
|
-
|
|
- for (tr = policydbp->role_tr; tr; tr = tr->next) {
|
|
- if (tr->role == (i + 1) && tr->type == (j + 1)) {
|
|
- yyerror2("duplicate role transition for (%s,%s)",
|
|
- role_val_to_name(i + 1), policydbp->p_type_val_to_name[j]);
|
|
- goto bad;
|
|
+ ebitmap_for_each_bit(&e_classes, cnode, k) {
|
|
+ if (!ebitmap_node_get_bit(cnode, k))
|
|
+ continue;
|
|
+ for (tr = policydbp->role_tr; tr;
|
|
+ tr = tr->next) {
|
|
+ if (tr->role == (i + 1) &&
|
|
+ tr->type == (j + 1) &&
|
|
+ tr->tclass == (k + 1)) {
|
|
+ yyerror2("duplicate role "
|
|
+ "transition for "
|
|
+ "(%s,%s,%s)",
|
|
+ role_val_to_name(i+1),
|
|
+ policydbp->p_type_val_to_name[j],
|
|
+ policydbp->p_class_val_to_name[k]);
|
|
+ goto bad;
|
|
+ }
|
|
}
|
|
- }
|
|
|
|
- tr = malloc(sizeof(struct role_trans));
|
|
- if (!tr) {
|
|
- yyerror("out of memory");
|
|
- return -1;
|
|
+ tr = malloc(sizeof(struct role_trans));
|
|
+ if (!tr) {
|
|
+ yyerror("out of memory");
|
|
+ return -1;
|
|
+ }
|
|
+ memset(tr, 0, sizeof(struct role_trans));
|
|
+ tr->role = i + 1;
|
|
+ tr->type = j + 1;
|
|
+ tr->tclass = k + 1;
|
|
+ tr->new_role = role->s.value;
|
|
+ tr->next = policydbp->role_tr;
|
|
+ policydbp->role_tr = tr;
|
|
}
|
|
- memset(tr, 0, sizeof(struct role_trans));
|
|
- tr->role = i + 1;
|
|
- tr->type = j + 1;
|
|
- tr->new_role = role->s.value;
|
|
- tr->next = policydbp->role_tr;
|
|
- policydbp->role_tr = tr;
|
|
}
|
|
}
|
|
/* Now add the real rule */
|
|
@@ -2181,6 +2589,7 @@ int define_role_trans(void)
|
|
memset(rule, 0, sizeof(struct role_trans_rule));
|
|
rule->roles = roles;
|
|
rule->types = types;
|
|
+ rule->classes = e_classes;
|
|
rule->new_role = role->s.value;
|
|
|
|
append_role_trans(rule);
|
|
@@ -2215,13 +2624,17 @@ int define_role_allow(void)
|
|
role_allow_rule_init(ra);
|
|
|
|
while ((id = queue_remove(id_queue))) {
|
|
- if (set_roles(&ra->roles, id))
|
|
+ if (set_roles(&ra->roles, id)) {
|
|
+ free(ra);
|
|
return -1;
|
|
+ }
|
|
}
|
|
|
|
while ((id = queue_remove(id_queue))) {
|
|
- if (set_roles(&ra->new_roles, id))
|
|
+ if (set_roles(&ra->new_roles, id)) {
|
|
+ free(ra);
|
|
return -1;
|
|
+ }
|
|
}
|
|
|
|
append_role_allow(ra);
|
|
@@ -2237,18 +2650,7 @@ avrule_t *define_cond_filename_trans(void)
|
|
|
|
int define_filename_trans(void)
|
|
{
|
|
- char *id, *name = NULL;
|
|
- type_set_t stypes, ttypes;
|
|
- ebitmap_t e_stypes, e_ttypes;
|
|
- ebitmap_t e_tclasses;
|
|
- ebitmap_node_t *snode, *tnode, *cnode;
|
|
- filename_trans_t *ft;
|
|
- filename_trans_rule_t *ftr;
|
|
- class_datum_t *cladatum;
|
|
- type_datum_t *typdatum;
|
|
- uint32_t otype;
|
|
- unsigned int c, s, t;
|
|
- int add;
|
|
+ char *id;
|
|
|
|
if (pass == 1) {
|
|
/* stype */
|
|
@@ -2268,7 +2670,19 @@ int define_filename_trans(void)
|
|
free(id);
|
|
return 0;
|
|
}
|
|
-
|
|
+/* Required for SETools libqpol */
|
|
+#ifdef HAVE_SEPOL_FILENAME_TRANS
|
|
+ char *name = NULL;
|
|
+ type_set_t stypes, ttypes;
|
|
+ ebitmap_t e_stypes, e_ttypes;
|
|
+ ebitmap_t e_tclasses;
|
|
+ ebitmap_node_t *snode, *tnode, *cnode;
|
|
+ filename_trans_t *ft;
|
|
+ filename_trans_rule_t *ftr;
|
|
+ type_datum_t *typdatum;
|
|
+ uint32_t otype;
|
|
+ unsigned int c, s, t;
|
|
+ int add;
|
|
|
|
add = 1;
|
|
type_set_init(&stypes);
|
|
@@ -2285,23 +2699,8 @@ int define_filename_trans(void)
|
|
}
|
|
|
|
ebitmap_init(&e_tclasses);
|
|
- while ((id = queue_remove(id_queue))) {
|
|
- if (!is_id_in_scope(SYM_CLASSES, id)) {
|
|
- yyerror2("class %s is not within scope", id);
|
|
- free(id);
|
|
- goto bad;
|
|
- }
|
|
- cladatum = hashtab_search(policydbp->p_classes.table, id);
|
|
- if (!cladatum) {
|
|
- yyerror2("unknown class %s", id);
|
|
- goto bad;
|
|
- }
|
|
- if (ebitmap_set_bit(&e_tclasses, cladatum->s.value - 1, TRUE)) {
|
|
- yyerror("Out of memory");
|
|
- goto bad;
|
|
- }
|
|
- free(id);
|
|
- }
|
|
+ if (read_classes(&e_tclasses))
|
|
+ goto bad;
|
|
|
|
id = (char *)queue_remove(id_queue);
|
|
if (!id) {
|
|
@@ -2360,8 +2759,7 @@ int define_filename_trans(void)
|
|
policydbp->p_class_val_to_name[c]);
|
|
goto bad;
|
|
}
|
|
- }
|
|
-
|
|
+ }
|
|
ft = malloc(sizeof(*ft));
|
|
if (!ft) {
|
|
yyerror("out of memory");
|
|
@@ -2383,7 +2781,6 @@ int define_filename_trans(void)
|
|
ft->otype = otype;
|
|
}
|
|
}
|
|
-
|
|
/* Now add the real rule since we didn't find any duplicates */
|
|
ftr = malloc(sizeof(*ftr));
|
|
if (!ftr) {
|
|
@@ -2410,6 +2807,9 @@ int define_filename_trans(void)
|
|
bad:
|
|
free(name);
|
|
return -1;
|
|
+#else
|
|
+ yyerror("This version of SETools does not have filename type_transition rules enabled.");
|
|
+#endif
|
|
}
|
|
|
|
static constraint_expr_t *constraint_expr_clone(constraint_expr_t * expr)
|
|
@@ -2433,7 +2833,8 @@ static constraint_expr_t *constraint_expr_clone(constraint_expr_t * expr)
|
|
newe->op = e->op;
|
|
if (newe->expr_type == CEXPR_NAMES) {
|
|
if (newe->attr & CEXPR_TYPE) {
|
|
- if (type_set_cpy(newe->type_names, e->type_names))
|
|
+ if (type_set_cpy
|
|
+ (newe->type_names, e->type_names))
|
|
goto oom;
|
|
} else {
|
|
if (ebitmap_cpy(&newe->names, &e->names))
|
|
@@ -2520,7 +2921,9 @@ int define_constraint(constraint_expr_t * expr)
|
|
free(id);
|
|
return -1;
|
|
}
|
|
- cladatum = (class_datum_t *) hashtab_search(policydbp->p_classes.table, (hashtab_key_t) id);
|
|
+ cladatum =
|
|
+ (class_datum_t *) hashtab_search(policydbp->p_classes.table,
|
|
+ (hashtab_key_t) id);
|
|
if (!cladatum) {
|
|
yyerror2("class %s is not defined", id);
|
|
ebitmap_destroy(&classmap);
|
|
@@ -2536,6 +2939,7 @@ int define_constraint(constraint_expr_t * expr)
|
|
node = malloc(sizeof(struct constraint_node));
|
|
if (!node) {
|
|
yyerror("out of memory");
|
|
+ free(node);
|
|
return -1;
|
|
}
|
|
memset(node, 0, sizeof(constraint_node_t));
|
|
@@ -2547,6 +2951,7 @@ int define_constraint(constraint_expr_t * expr)
|
|
}
|
|
if (!node->expr) {
|
|
yyerror("out of memory");
|
|
+ free(node);
|
|
return -1;
|
|
}
|
|
node->permissions = 0;
|
|
@@ -2563,22 +2968,33 @@ int define_constraint(constraint_expr_t * expr)
|
|
cladatum = policydbp->class_val_to_struct[i];
|
|
node = cladatum->constraints;
|
|
|
|
- perdatum = (perm_datum_t *) hashtab_search(cladatum->permissions.table, (hashtab_key_t)
|
|
- id);
|
|
+ perdatum =
|
|
+ (perm_datum_t *) hashtab_search(cladatum->
|
|
+ permissions.
|
|
+ table,
|
|
+ (hashtab_key_t)
|
|
+ id);
|
|
if (!perdatum) {
|
|
if (cladatum->comdatum) {
|
|
- perdatum = (perm_datum_t *)
|
|
- hashtab_search(cladatum->comdatum->permissions.table, (hashtab_key_t)
|
|
- id);
|
|
+ perdatum =
|
|
+ (perm_datum_t *)
|
|
+ hashtab_search(cladatum->
|
|
+ comdatum->
|
|
+ permissions.
|
|
+ table,
|
|
+ (hashtab_key_t)
|
|
+ id);
|
|
}
|
|
if (!perdatum) {
|
|
- yyerror2("permission %s is not" " defined", id);
|
|
+ yyerror2("permission %s is not"
|
|
+ " defined", id);
|
|
free(id);
|
|
ebitmap_destroy(&classmap);
|
|
return -1;
|
|
}
|
|
}
|
|
- node->permissions |= (1 << (perdatum->s.value - 1));
|
|
+ node->permissions |=
|
|
+ (1 << (perdatum->s.value - 1));
|
|
}
|
|
}
|
|
free(id);
|
|
@@ -2647,7 +3063,9 @@ int define_validatetrans(constraint_expr_t * expr)
|
|
free(id);
|
|
return -1;
|
|
}
|
|
- cladatum = (class_datum_t *) hashtab_search(policydbp->p_classes.table, (hashtab_key_t) id);
|
|
+ cladatum =
|
|
+ (class_datum_t *) hashtab_search(policydbp->p_classes.table,
|
|
+ (hashtab_key_t) id);
|
|
if (!cladatum) {
|
|
yyerror2("class %s is not defined", id);
|
|
ebitmap_destroy(&classmap);
|
|
@@ -2701,10 +3119,11 @@ uintptr_t define_cexpr(uint32_t expr_type, uintptr_t arg1, uintptr_t arg2)
|
|
while ((id = queue_remove(id_queue)))
|
|
free(id);
|
|
}
|
|
- return 1; /* any non-NULL value */
|
|
+ return 1; /* any non-NULL value */
|
|
}
|
|
|
|
- if ((expr = malloc(sizeof(*expr))) == NULL || constraint_expr_init(expr) == -1) {
|
|
+ if ((expr = malloc(sizeof(*expr))) == NULL ||
|
|
+ constraint_expr_init(expr) == -1) {
|
|
yyerror("out of memory");
|
|
free(expr);
|
|
return 0;
|
|
@@ -2766,12 +3185,17 @@ uintptr_t define_cexpr(uint32_t expr_type, uintptr_t arg1, uintptr_t arg2)
|
|
while ((id = (char *)queue_remove(id_queue))) {
|
|
if (expr->attr & CEXPR_USER) {
|
|
if (!is_id_in_scope(SYM_USERS, id)) {
|
|
- yyerror2("user %s is not within scope", id);
|
|
+ yyerror2("user %s is not within scope",
|
|
+ id);
|
|
constraint_expr_destroy(expr);
|
|
return 0;
|
|
}
|
|
- user = (user_datum_t *) hashtab_search(policydbp->p_users.table, (hashtab_key_t)
|
|
- id);
|
|
+ user =
|
|
+ (user_datum_t *) hashtab_search(policydbp->
|
|
+ p_users.
|
|
+ table,
|
|
+ (hashtab_key_t)
|
|
+ id);
|
|
if (!user) {
|
|
yyerror2("unknown user %s", id);
|
|
constraint_expr_destroy(expr);
|
|
@@ -2780,12 +3204,17 @@ uintptr_t define_cexpr(uint32_t expr_type, uintptr_t arg1, uintptr_t arg2)
|
|
val = user->s.value;
|
|
} else if (expr->attr & CEXPR_ROLE) {
|
|
if (!is_id_in_scope(SYM_ROLES, id)) {
|
|
- yyerror2("role %s is not within scope", id);
|
|
+ yyerror2("role %s is not within scope",
|
|
+ id);
|
|
constraint_expr_destroy(expr);
|
|
return 0;
|
|
}
|
|
- role = (role_datum_t *) hashtab_search(policydbp->p_roles.table, (hashtab_key_t)
|
|
- id);
|
|
+ role =
|
|
+ (role_datum_t *) hashtab_search(policydbp->
|
|
+ p_roles.
|
|
+ table,
|
|
+ (hashtab_key_t)
|
|
+ id);
|
|
if (!role) {
|
|
yyerror2("unknown role %s", id);
|
|
constraint_expr_destroy(expr);
|
|
@@ -2814,22 +3243,19 @@ uintptr_t define_cexpr(uint32_t expr_type, uintptr_t arg1, uintptr_t arg2)
|
|
ebitmap_destroy(&negset);
|
|
return (uintptr_t) expr;
|
|
default:
|
|
- yyerror("invalid constraint expression");
|
|
- constraint_expr_destroy(expr);
|
|
- return 0;
|
|
+ break;
|
|
}
|
|
|
|
yyerror("invalid constraint expression");
|
|
- free(expr);
|
|
+ constraint_expr_destroy(expr);
|
|
return 0;
|
|
}
|
|
|
|
int define_conditional(cond_expr_t * expr, avrule_t * t, avrule_t * f)
|
|
{
|
|
cond_expr_t *e;
|
|
- int depth, retval;
|
|
+ int depth;
|
|
cond_node_t cn, *cn_old;
|
|
- avrule_t *tmp, *last_tmp;
|
|
|
|
/* expression cannot be NULL */
|
|
if (!expr) {
|
|
@@ -2858,7 +3284,8 @@ int define_conditional(cond_expr_t * expr, avrule_t * t, avrule_t * f)
|
|
switch (e->expr_type) {
|
|
case COND_NOT:
|
|
if (depth < 0) {
|
|
- yyerror("illegal conditional expression; Bad NOT");
|
|
+ yyerror
|
|
+ ("illegal conditional expression; Bad NOT");
|
|
return -1;
|
|
}
|
|
break;
|
|
@@ -2868,14 +3295,16 @@ int define_conditional(cond_expr_t * expr, avrule_t * t, avrule_t * f)
|
|
case COND_EQ:
|
|
case COND_NEQ:
|
|
if (depth < 1) {
|
|
- yyerror("illegal conditional expression; Bad binary op");
|
|
+ yyerror
|
|
+ ("illegal conditional expression; Bad binary op");
|
|
return -1;
|
|
}
|
|
depth--;
|
|
break;
|
|
case COND_BOOL:
|
|
if (depth == (COND_EXPR_MAXDEPTH - 1)) {
|
|
- yyerror("conditional expression is like totally too deep");
|
|
+ yyerror
|
|
+ ("conditional expression is like totally too deep");
|
|
return -1;
|
|
}
|
|
depth++;
|
|
@@ -2908,11 +3337,14 @@ int define_conditional(cond_expr_t * expr, avrule_t * t, avrule_t * f)
|
|
return -1;
|
|
}
|
|
|
|
+ /* Required for SETools libqpol */
|
|
+ avrule_t *tmp, *last_tmp;
|
|
+ int retval;
|
|
/* verify te rules -- both true and false branches of conditional */
|
|
tmp = cn.avtrue_list;
|
|
last_tmp = NULL;
|
|
while (tmp) {
|
|
- if (!tmp->specified & AVRULE_TRANSITION)
|
|
+ if (!(tmp->specified & AVRULE_TRANSITION))
|
|
continue;
|
|
retval = insert_check_type_rule(tmp, &policydbp->te_cond_avtab, &cn_old->true_list, &cn_old->false_list);
|
|
switch (retval) {
|
|
@@ -2951,7 +3383,7 @@ int define_conditional(cond_expr_t * expr, avrule_t * t, avrule_t * f)
|
|
tmp = cn.avfalse_list;
|
|
last_tmp = NULL;
|
|
while (tmp) {
|
|
- if (!tmp->specified & AVRULE_TRANSITION)
|
|
+ if (!(tmp->specified & AVRULE_TRANSITION))
|
|
continue;
|
|
retval = insert_check_type_rule(tmp, &policydbp->te_cond_avtab, &cn_old->false_list, &cn_old->true_list);
|
|
switch (retval) {
|
|
@@ -3053,7 +3485,8 @@ cond_expr_t *define_cond_expr(uint32_t expr_type, void *arg1, void *arg2)
|
|
e2 = e2->next;
|
|
}
|
|
if (!e1 || e1->next) {
|
|
- yyerror("illegal left side of conditional binary op expression");
|
|
+ yyerror
|
|
+ ("illegal left side of conditional binary op expression");
|
|
free(expr);
|
|
return NULL;
|
|
}
|
|
@@ -3066,7 +3499,8 @@ cond_expr_t *define_cond_expr(uint32_t expr_type, void *arg1, void *arg2)
|
|
e2 = e2->next;
|
|
}
|
|
if (!e1 || e1->next) {
|
|
- yyerror("illegal right side of conditional binary op expression");
|
|
+ yyerror
|
|
+ ("illegal right side of conditional binary op expression");
|
|
free(expr);
|
|
return NULL;
|
|
}
|
|
@@ -3086,9 +3520,13 @@ cond_expr_t *define_cond_expr(uint32_t expr_type, void *arg1, void *arg2)
|
|
free(expr);
|
|
return NULL;
|
|
}
|
|
- bool_var = (cond_bool_datum_t *) hashtab_search(policydbp->p_bools.table, (hashtab_key_t) id);
|
|
+ bool_var =
|
|
+ (cond_bool_datum_t *) hashtab_search(policydbp->p_bools.
|
|
+ table,
|
|
+ (hashtab_key_t) id);
|
|
if (!bool_var) {
|
|
- yyerror2("unknown boolean %s in conditional expression", id);
|
|
+ yyerror2("unknown boolean %s in conditional expression",
|
|
+ id);
|
|
free(expr);
|
|
free(id);
|
|
return NULL;
|
|
@@ -3098,6 +3536,7 @@ cond_expr_t *define_cond_expr(uint32_t expr_type, void *arg1, void *arg2)
|
|
return expr;
|
|
default:
|
|
yyerror("illegal conditional expression");
|
|
+ free(expr);
|
|
return NULL;
|
|
}
|
|
}
|
|
@@ -3156,14 +3595,16 @@ static int parse_categories(char *id, level_datum_t * levdatum, ebitmap_t * cats
|
|
|
|
*(id_end++) = '\0';
|
|
|
|
- cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table, (hashtab_key_t)
|
|
+ cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table,
|
|
+ (hashtab_key_t)
|
|
id_start);
|
|
if (!cdatum) {
|
|
yyerror2("unknown category %s", id_start);
|
|
return -1;
|
|
}
|
|
range_start = cdatum->s.value - 1;
|
|
- cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table, (hashtab_key_t) id_end);
|
|
+ cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table,
|
|
+ (hashtab_key_t) id_end);
|
|
if (!cdatum) {
|
|
yyerror2("unknown category %s", id_end);
|
|
return -1;
|
|
@@ -3175,7 +3616,8 @@ static int parse_categories(char *id, level_datum_t * levdatum, ebitmap_t * cats
|
|
return -1;
|
|
}
|
|
} else {
|
|
- cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table, (hashtab_key_t) id);
|
|
+ cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table,
|
|
+ (hashtab_key_t) id);
|
|
if (!cdatum) {
|
|
yyerror2("unknown category %s", id);
|
|
return -1;
|
|
@@ -3188,7 +3630,9 @@ static int parse_categories(char *id, level_datum_t * levdatum, ebitmap_t * cats
|
|
uint32_t level_value = levdatum->level->sens - 1;
|
|
policydb_index_others(NULL, policydbp, 0);
|
|
yyerror2("category %s can not be associated "
|
|
- "with level %s", policydbp->p_cat_val_to_name[i], policydbp->p_sens_val_to_name[level_value]);
|
|
+ "with level %s",
|
|
+ policydbp->p_cat_val_to_name[i],
|
|
+ policydbp->p_sens_val_to_name[level_value]);
|
|
return -1;
|
|
}
|
|
if (ebitmap_set_bit(cats, i, TRUE)) {
|
|
@@ -3200,7 +3644,8 @@ static int parse_categories(char *id, level_datum_t * levdatum, ebitmap_t * cats
|
|
return 0;
|
|
}
|
|
|
|
-static int parse_semantic_categories(char *id, level_datum_t * levdatum, mls_semantic_cat_t ** cats)
|
|
+static int parse_semantic_categories(char *id, level_datum_t * levdatum,
|
|
+ mls_semantic_cat_t ** cats)
|
|
{
|
|
cat_datum_t *cdatum;
|
|
mls_semantic_cat_t *newcat;
|
|
@@ -3212,7 +3657,8 @@ static int parse_semantic_categories(char *id, level_datum_t * levdatum, mls_sem
|
|
|
|
*(id_end++) = '\0';
|
|
|
|
- cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table, (hashtab_key_t)
|
|
+ cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table,
|
|
+ (hashtab_key_t)
|
|
id_start);
|
|
if (!cdatum) {
|
|
yyerror2("unknown category %s", id_start);
|
|
@@ -3220,14 +3666,16 @@ static int parse_semantic_categories(char *id, level_datum_t * levdatum, mls_sem
|
|
}
|
|
range_start = cdatum->s.value;
|
|
|
|
- cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table, (hashtab_key_t) id_end);
|
|
+ cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table,
|
|
+ (hashtab_key_t) id_end);
|
|
if (!cdatum) {
|
|
yyerror2("unknown category %s", id_end);
|
|
return -1;
|
|
}
|
|
range_end = cdatum->s.value;
|
|
} else {
|
|
- cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table, (hashtab_key_t) id);
|
|
+ cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table,
|
|
+ (hashtab_key_t) id);
|
|
if (!cdatum) {
|
|
yyerror2("unknown category %s", id);
|
|
return -1;
|
|
@@ -3296,9 +3744,11 @@ int define_user(void)
|
|
}
|
|
|
|
levdatum = (level_datum_t *)
|
|
- hashtab_search(policydbp->p_levels.table, (hashtab_key_t) id);
|
|
+ hashtab_search(policydbp->p_levels.table,
|
|
+ (hashtab_key_t) id);
|
|
if (!levdatum) {
|
|
- yyerror2("unknown sensitivity %s used in user" " level definition", id);
|
|
+ yyerror2("unknown sensitivity %s used in user"
|
|
+ " level definition", id);
|
|
free(id);
|
|
return -1;
|
|
}
|
|
@@ -3307,7 +3757,8 @@ int define_user(void)
|
|
usrdatum->dfltlevel.sens = levdatum->level->sens;
|
|
|
|
while ((id = queue_remove(id_queue))) {
|
|
- if (parse_semantic_categories(id, levdatum, &usrdatum->dfltlevel.cat)) {
|
|
+ if (parse_semantic_categories(id, levdatum,
|
|
+ &usrdatum->dfltlevel.cat)) {
|
|
free(id);
|
|
return -1;
|
|
}
|
|
@@ -3318,9 +3769,11 @@ int define_user(void)
|
|
|
|
for (l = 0; l < 2; l++) {
|
|
levdatum = (level_datum_t *)
|
|
- hashtab_search(policydbp->p_levels.table, (hashtab_key_t) id);
|
|
+ hashtab_search(policydbp->p_levels.table,
|
|
+ (hashtab_key_t) id);
|
|
if (!levdatum) {
|
|
- yyerror2("unknown sensitivity %s used in user" " range definition", id);
|
|
+ yyerror2("unknown sensitivity %s used in user"
|
|
+ " range definition", id);
|
|
free(id);
|
|
return -1;
|
|
}
|
|
@@ -3329,7 +3782,8 @@ int define_user(void)
|
|
usrdatum->range.level[l].sens = levdatum->level->sens;
|
|
|
|
while ((id = queue_remove(id_queue))) {
|
|
- if (parse_semantic_categories(id, levdatum, &usrdatum->range.level[l].cat)) {
|
|
+ if (parse_semantic_categories(id, levdatum,
|
|
+ &usrdatum->range.level[l].cat)) {
|
|
free(id);
|
|
return -1;
|
|
}
|
|
@@ -3342,7 +3796,8 @@ int define_user(void)
|
|
}
|
|
|
|
if (l == 0) {
|
|
- if (mls_semantic_level_cpy(&usrdatum->range.level[1], &usrdatum->range.level[0])) {
|
|
+ if (mls_semantic_level_cpy(&usrdatum->range.level[1],
|
|
+ &usrdatum->range.level[0])) {
|
|
yyerror("out of memory");
|
|
return -1;
|
|
}
|
|
@@ -3362,11 +3817,11 @@ static int parse_security_context(context_struct_t * c)
|
|
|
|
if (pass == 1) {
|
|
id = queue_remove(id_queue);
|
|
- free(id); /* user */
|
|
+ free(id); /* user */
|
|
id = queue_remove(id_queue);
|
|
- free(id); /* role */
|
|
+ free(id); /* role */
|
|
id = queue_remove(id_queue);
|
|
- free(id); /* type */
|
|
+ free(id); /* type */
|
|
if (mlspol) {
|
|
id = queue_remove(id_queue);
|
|
free(id);
|
|
@@ -3383,6 +3838,12 @@ static int parse_security_context(context_struct_t * c)
|
|
return 0;
|
|
}
|
|
|
|
+ /* check context c to make sure ok to dereference c later */
|
|
+ if (c == NULL) {
|
|
+ yyerror("null context pointer!");
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
context_init(c);
|
|
|
|
/* extract the user */
|
|
@@ -3396,7 +3857,8 @@ static int parse_security_context(context_struct_t * c)
|
|
free(id);
|
|
goto bad;
|
|
}
|
|
- usrdatum = (user_datum_t *) hashtab_search(policydbp->p_users.table, (hashtab_key_t) id);
|
|
+ usrdatum = (user_datum_t *) hashtab_search(policydbp->p_users.table,
|
|
+ (hashtab_key_t) id);
|
|
if (!usrdatum) {
|
|
yyerror2("user %s is not defined", id);
|
|
free(id);
|
|
@@ -3418,7 +3880,8 @@ static int parse_security_context(context_struct_t * c)
|
|
free(id);
|
|
return -1;
|
|
}
|
|
- role = (role_datum_t *) hashtab_search(policydbp->p_roles.table, (hashtab_key_t) id);
|
|
+ role = (role_datum_t *) hashtab_search(policydbp->p_roles.table,
|
|
+ (hashtab_key_t) id);
|
|
if (!role) {
|
|
yyerror2("role %s is not defined", id);
|
|
free(id);
|
|
@@ -3440,7 +3903,8 @@ static int parse_security_context(context_struct_t * c)
|
|
free(id);
|
|
return -1;
|
|
}
|
|
- typdatum = (type_datum_t *) hashtab_search(policydbp->p_types.table, (hashtab_key_t) id);
|
|
+ typdatum = (type_datum_t *) hashtab_search(policydbp->p_types.table,
|
|
+ (hashtab_key_t) id);
|
|
if (!typdatum || typdatum->flavor == TYPE_ATTRIB) {
|
|
yyerror2("type %s is not defined or is an attribute", id);
|
|
free(id);
|
|
@@ -3455,14 +3919,16 @@ static int parse_security_context(context_struct_t * c)
|
|
/* extract the low sensitivity */
|
|
id = (char *)queue_head(id_queue);
|
|
if (!id) {
|
|
- yyerror("no sensitivity name for sid context" " definition?");
|
|
+ yyerror("no sensitivity name for sid context"
|
|
+ " definition?");
|
|
return -1;
|
|
}
|
|
|
|
id = (char *)queue_remove(id_queue);
|
|
for (l = 0; l < 2; l++) {
|
|
levdatum = (level_datum_t *)
|
|
- hashtab_search(policydbp->p_levels.table, (hashtab_key_t) id);
|
|
+ hashtab_search(policydbp->p_levels.table,
|
|
+ (hashtab_key_t) id);
|
|
if (!levdatum) {
|
|
yyerror2("Sensitivity %s is not defined", id);
|
|
free(id);
|
|
@@ -3473,7 +3939,8 @@ static int parse_security_context(context_struct_t * c)
|
|
|
|
/* extract low category set */
|
|
while ((id = queue_remove(id_queue))) {
|
|
- if (parse_categories(id, levdatum, &c->range.level[l].cat)) {
|
|
+ if (parse_categories(id, levdatum,
|
|
+ &c->range.level[l].cat)) {
|
|
free(id);
|
|
return -1;
|
|
}
|
|
@@ -3488,7 +3955,8 @@ static int parse_security_context(context_struct_t * c)
|
|
|
|
if (l == 0) {
|
|
c->range.level[1].sens = c->range.level[0].sens;
|
|
- if (ebitmap_cpy(&c->range.level[1].cat, &c->range.level[0].cat)) {
|
|
+ if (ebitmap_cpy(&c->range.level[1].cat,
|
|
+ &c->range.level[0].cat)) {
|
|
|
|
yyerror("out of memory");
|
|
goto bad;
|
|
@@ -3554,12 +4022,10 @@ int define_fs_context(unsigned int major, unsigned int minor)
|
|
{
|
|
ocontext_t *newc, *c, *head;
|
|
|
|
-#ifdef SEPOL_TARGET_XEN
|
|
if (policydbp->target_platform != SEPOL_TARGET_SELINUX) {
|
|
yyerror("fscon not supported for target");
|
|
return -1;
|
|
}
|
|
-#endif
|
|
|
|
if (pass == 1) {
|
|
parse_security_context(NULL);
|
|
@@ -3597,7 +4063,8 @@ int define_fs_context(unsigned int major, unsigned int minor)
|
|
|
|
for (c = head; c; c = c->next) {
|
|
if (!strcmp(newc->u.name, c->u.name)) {
|
|
- yyerror2("duplicate entry for file system %s", newc->u.name);
|
|
+ yyerror2("duplicate entry for file system %s",
|
|
+ newc->u.name);
|
|
context_destroy(&newc->context[0]);
|
|
context_destroy(&newc->context[1]);
|
|
free(newc->u.name);
|
|
@@ -3617,17 +4084,13 @@ int define_pirq_context(unsigned int pirq)
|
|
ocontext_t *newc, *c, *l, *head;
|
|
char *id;
|
|
|
|
-#ifndef SEPOL_TARGET_XEN
|
|
- yyerror("pirqcon not supported for target");
|
|
- return -1;
|
|
-#else
|
|
if (policydbp->target_platform != SEPOL_TARGET_XEN) {
|
|
yyerror("pirqcon not supported for target");
|
|
return -1;
|
|
}
|
|
|
|
if (pass == 1) {
|
|
- id = (char *)queue_remove(id_queue);
|
|
+ id = (char *) queue_remove(id_queue);
|
|
free(id);
|
|
parse_security_context(NULL);
|
|
return 0;
|
|
@@ -3665,10 +4128,9 @@ int define_pirq_context(unsigned int pirq)
|
|
|
|
return 0;
|
|
|
|
- bad:
|
|
+bad:
|
|
free(newc);
|
|
return -1;
|
|
-#endif
|
|
}
|
|
|
|
int define_iomem_context(unsigned long low, unsigned long high)
|
|
@@ -3676,10 +4138,6 @@ int define_iomem_context(unsigned long low, unsigned long high)
|
|
ocontext_t *newc, *c, *l, *head;
|
|
char *id;
|
|
|
|
-#ifndef SEPOL_TARGET_XEN
|
|
- yyerror("iomemcon not supported for target");
|
|
- return -1;
|
|
-#else
|
|
if (policydbp->target_platform != SEPOL_TARGET_XEN) {
|
|
yyerror("iomemcon not supported for target");
|
|
return -1;
|
|
@@ -3699,7 +4157,7 @@ int define_iomem_context(unsigned long low, unsigned long high)
|
|
}
|
|
memset(newc, 0, sizeof(ocontext_t));
|
|
|
|
- newc->u.iomem.low_iomem = low;
|
|
+ newc->u.iomem.low_iomem = low;
|
|
newc->u.iomem.high_iomem = high;
|
|
|
|
if (low > high) {
|
|
@@ -3720,7 +4178,9 @@ int define_iomem_context(unsigned long low, unsigned long high)
|
|
low2 = c->u.iomem.low_iomem;
|
|
high2 = c->u.iomem.high_iomem;
|
|
if (low <= high2 && low2 <= high) {
|
|
- yyerror2("iomemcon entry for 0x%x-0x%x overlaps with " "earlier entry 0x%x-0x%x", low, high, low2, high2);
|
|
+ yyerror2("iomemcon entry for 0x%x-0x%x overlaps with "
|
|
+ "earlier entry 0x%x-0x%x", low, high,
|
|
+ low2, high2);
|
|
goto bad;
|
|
}
|
|
}
|
|
@@ -3732,10 +4192,9 @@ int define_iomem_context(unsigned long low, unsigned long high)
|
|
|
|
return 0;
|
|
|
|
- bad:
|
|
+bad:
|
|
free(newc);
|
|
return -1;
|
|
-#endif
|
|
}
|
|
|
|
int define_ioport_context(unsigned long low, unsigned long high)
|
|
@@ -3743,10 +4202,6 @@ int define_ioport_context(unsigned long low, unsigned long high)
|
|
ocontext_t *newc, *c, *l, *head;
|
|
char *id;
|
|
|
|
-#ifndef SEPOL_TARGET_XEN
|
|
- yyerror("ioportcon not supported for target");
|
|
- return -1;
|
|
-#else
|
|
if (policydbp->target_platform != SEPOL_TARGET_XEN) {
|
|
yyerror("ioportcon not supported for target");
|
|
return -1;
|
|
@@ -3766,7 +4221,7 @@ int define_ioport_context(unsigned long low, unsigned long high)
|
|
}
|
|
memset(newc, 0, sizeof(ocontext_t));
|
|
|
|
- newc->u.ioport.low_ioport = low;
|
|
+ newc->u.ioport.low_ioport = low;
|
|
newc->u.ioport.high_ioport = high;
|
|
|
|
if (low > high) {
|
|
@@ -3787,7 +4242,9 @@ int define_ioport_context(unsigned long low, unsigned long high)
|
|
low2 = c->u.ioport.low_ioport;
|
|
high2 = c->u.ioport.high_ioport;
|
|
if (low <= high2 && low2 <= high) {
|
|
- yyerror2("ioportcon entry for 0x%x-0x%x overlaps with" "earlier entry 0x%x-0x%x", low, high, low2, high2);
|
|
+ yyerror2("ioportcon entry for 0x%x-0x%x overlaps with"
|
|
+ "earlier entry 0x%x-0x%x", low, high,
|
|
+ low2, high2);
|
|
goto bad;
|
|
}
|
|
}
|
|
@@ -3799,10 +4256,9 @@ int define_ioport_context(unsigned long low, unsigned long high)
|
|
|
|
return 0;
|
|
|
|
- bad:
|
|
+bad:
|
|
free(newc);
|
|
return -1;
|
|
-#endif
|
|
}
|
|
|
|
int define_pcidevice_context(unsigned long device)
|
|
@@ -3810,17 +4266,13 @@ int define_pcidevice_context(unsigned long device)
|
|
ocontext_t *newc, *c, *l, *head;
|
|
char *id;
|
|
|
|
-#ifndef SEPOL_TARGET_XEN
|
|
- yyerror("pcidevicecon not supported for target");
|
|
- return -1;
|
|
-#else
|
|
if (policydbp->target_platform != SEPOL_TARGET_XEN) {
|
|
yyerror("pcidevicecon not supported for target");
|
|
return -1;
|
|
}
|
|
|
|
if (pass == 1) {
|
|
- id = (char *)queue_remove(id_queue);
|
|
+ id = (char *) queue_remove(id_queue);
|
|
free(id);
|
|
parse_security_context(NULL);
|
|
return 0;
|
|
@@ -3846,7 +4298,8 @@ int define_pcidevice_context(unsigned long device)
|
|
|
|
device2 = c->u.device;
|
|
if (device == device2) {
|
|
- yyerror2("duplicate pcidevicecon entry for 0x%x ", device);
|
|
+ yyerror2("duplicate pcidevicecon entry for 0x%x ",
|
|
+ device);
|
|
goto bad;
|
|
}
|
|
}
|
|
@@ -3858,10 +4311,9 @@ int define_pcidevice_context(unsigned long device)
|
|
|
|
return 0;
|
|
|
|
- bad:
|
|
+bad:
|
|
free(newc);
|
|
return -1;
|
|
-#endif
|
|
}
|
|
|
|
int define_port_context(unsigned int low, unsigned int high)
|
|
@@ -3870,12 +4322,10 @@ int define_port_context(unsigned int low, unsigned int high)
|
|
unsigned int protocol;
|
|
char *id;
|
|
|
|
-#ifdef SEPOL_TARGET_XEN
|
|
if (policydbp->target_platform != SEPOL_TARGET_SELINUX) {
|
|
yyerror("portcon not supported for target");
|
|
return -1;
|
|
}
|
|
-#endif
|
|
|
|
if (pass == 1) {
|
|
id = (char *)queue_remove(id_queue);
|
|
@@ -3932,15 +4382,16 @@ int define_port_context(unsigned int low, unsigned int high)
|
|
if (protocol != prot2)
|
|
continue;
|
|
if (low == low2 && high == high2) {
|
|
- yyerror2("duplicate portcon entry for %s %d-%d ", id, low, high);
|
|
+ yyerror2("duplicate portcon entry for %s %d-%d ", id,
|
|
+ low, high);
|
|
goto bad;
|
|
}
|
|
if (low2 <= low && high2 >= high) {
|
|
- yyerror2("portcon entry for %s %d-%d hidden by earlier " "entry for %d-%d", id, low, high, low2, high2);
|
|
+ yyerror2("portcon entry for %s %d-%d hidden by earlier "
|
|
+ "entry for %d-%d", id, low, high, low2, high2);
|
|
goto bad;
|
|
}
|
|
}
|
|
- free(id);
|
|
|
|
if (l)
|
|
l->next = newc;
|
|
@@ -3958,12 +4409,10 @@ int define_netif_context(void)
|
|
{
|
|
ocontext_t *newc, *c, *head;
|
|
|
|
-#ifdef SEPOL_TARGET_XEN
|
|
if (policydbp->target_platform != SEPOL_TARGET_SELINUX) {
|
|
yyerror("netifcon not supported for target");
|
|
return -1;
|
|
}
|
|
-#endif
|
|
|
|
if (pass == 1) {
|
|
free(queue_remove(id_queue));
|
|
@@ -3999,7 +4448,8 @@ int define_netif_context(void)
|
|
|
|
for (c = head; c; c = c->next) {
|
|
if (!strcmp(newc->u.name, c->u.name)) {
|
|
- yyerror2("duplicate entry for network interface %s", newc->u.name);
|
|
+ yyerror2("duplicate entry for network interface %s",
|
|
+ newc->u.name);
|
|
context_destroy(&newc->context[0]);
|
|
context_destroy(&newc->context[1]);
|
|
free(newc->u.name);
|
|
@@ -4014,18 +4464,16 @@ int define_netif_context(void)
|
|
}
|
|
|
|
int define_ipv4_node_context()
|
|
-{
|
|
+{
|
|
char *id;
|
|
int rc = 0;
|
|
struct in_addr addr, mask;
|
|
ocontext_t *newc, *c, *l, *head;
|
|
|
|
-#ifdef SEPOL_TARGET_XEN
|
|
if (policydbp->target_platform != SEPOL_TARGET_SELINUX) {
|
|
yyerror("nodecon not supported for target");
|
|
return -1;
|
|
}
|
|
-#endif
|
|
|
|
if (pass == 1) {
|
|
free(queue_remove(id_queue));
|
|
@@ -4097,7 +4545,7 @@ int define_ipv4_node_context()
|
|
else
|
|
policydbp->ocontexts[OCON_NODE] = newc;
|
|
rc = 0;
|
|
- out:
|
|
+out:
|
|
return rc;
|
|
}
|
|
|
|
@@ -4108,12 +4556,10 @@ int define_ipv6_node_context(void)
|
|
struct in6_addr addr, mask;
|
|
ocontext_t *newc, *c, *l, *head;
|
|
|
|
-#ifdef SEPOL_TARGET_XEN
|
|
if (policydbp->target_platform != SEPOL_TARGET_SELINUX) {
|
|
yyerror("nodecon not supported for target");
|
|
return -1;
|
|
}
|
|
-#endif
|
|
|
|
if (pass == 1) {
|
|
free(queue_remove(id_queue));
|
|
@@ -4162,8 +4608,14 @@ int define_ipv6_node_context(void)
|
|
}
|
|
|
|
memset(newc, 0, sizeof(ocontext_t));
|
|
+
|
|
+#ifdef DARWIN
|
|
+ memcpy(&newc->u.node6.addr[0], &addr.s6_addr[0], 16);
|
|
+ memcpy(&newc->u.node6.mask[0], &mask.s6_addr[0], 16);
|
|
+#else
|
|
memcpy(&newc->u.node6.addr[0], &addr.s6_addr32[0], 16);
|
|
memcpy(&newc->u.node6.mask[0], &mask.s6_addr32[0], 16);
|
|
+#endif
|
|
|
|
if (parse_security_context(&newc->context[0])) {
|
|
free(newc);
|
|
@@ -4195,15 +4647,14 @@ int define_fs_use(int behavior)
|
|
{
|
|
ocontext_t *newc, *c, *head;
|
|
|
|
-#ifdef SEPOL_TARGET_XEN
|
|
if (policydbp->target_platform != SEPOL_TARGET_SELINUX) {
|
|
yyerror("fsuse not supported for target");
|
|
return -1;
|
|
}
|
|
-#endif
|
|
|
|
if (pass == 1) {
|
|
free(queue_remove(id_queue));
|
|
+ /* Required for SETools libqpol */
|
|
if (behavior != SECURITY_FS_USE_PSIDS)
|
|
parse_security_context(NULL);
|
|
return 0;
|
|
@@ -4222,6 +4673,7 @@ int define_fs_use(int behavior)
|
|
return -1;
|
|
}
|
|
newc->v.behavior = behavior;
|
|
+ /* Required for SETools libqpol */
|
|
if (newc->v.behavior != SECURITY_FS_USE_PSIDS) {
|
|
if (parse_security_context(&newc->context[0])) {
|
|
free(newc->u.name);
|
|
@@ -4235,7 +4687,8 @@ int define_fs_use(int behavior)
|
|
|
|
for (c = head; c; c = c->next) {
|
|
if (!strcmp(newc->u.name, c->u.name)) {
|
|
- yyerror2("duplicate fs_use entry for filesystem type %s", newc->u.name);
|
|
+ yyerror2("duplicate fs_use entry for filesystem type %s",
|
|
+ newc->u.name);
|
|
context_destroy(&newc->context[0]);
|
|
free(newc->u.name);
|
|
free(newc);
|
|
@@ -4255,12 +4708,10 @@ int define_genfs_context_helper(char *fstype, int has_type)
|
|
char *type = NULL;
|
|
int len, len2;
|
|
|
|
-#ifdef SEPOL_TARGET_XEN
|
|
if (policydbp->target_platform != SEPOL_TARGET_SELINUX) {
|
|
yyerror("genfs not supported for target");
|
|
return -1;
|
|
}
|
|
-#endif
|
|
|
|
if (pass == 1) {
|
|
free(fstype);
|
|
@@ -4271,7 +4722,8 @@ int define_genfs_context_helper(char *fstype, int has_type)
|
|
return 0;
|
|
}
|
|
|
|
- for (genfs_p = NULL, genfs = policydbp->genfs; genfs; genfs_p = genfs, genfs = genfs->next) {
|
|
+ for (genfs_p = NULL, genfs = policydbp->genfs;
|
|
+ genfs; genfs_p = genfs, genfs = genfs->next) {
|
|
if (strcmp(fstype, genfs->fstype) <= 0)
|
|
break;
|
|
}
|
|
@@ -4290,9 +4742,6 @@ int define_genfs_context_helper(char *fstype, int has_type)
|
|
else
|
|
policydbp->genfs = newgenfs;
|
|
genfs = newgenfs;
|
|
- } else {
|
|
- free(fstype);
|
|
- fstype=NULL;
|
|
}
|
|
|
|
newc = (ocontext_t *) malloc(sizeof(ocontext_t));
|
|
@@ -4340,16 +4789,17 @@ int define_genfs_context_helper(char *fstype, int has_type)
|
|
goto fail;
|
|
}
|
|
}
|
|
- free(type);
|
|
- type = NULL;
|
|
if (parse_security_context(&newc->context[0]))
|
|
goto fail;
|
|
|
|
head = genfs->head;
|
|
|
|
for (p = NULL, c = head; c; p = c, c = c->next) {
|
|
- if (!strcmp(newc->u.name, c->u.name) && (!newc->v.sclass || !c->v.sclass || newc->v.sclass == c->v.sclass)) {
|
|
- yyerror2("duplicate entry for genfs entry (%s, %s)", fstype, newc->u.name);
|
|
+ if (!strcmp(newc->u.name, c->u.name) &&
|
|
+ (!newc->v.sclass || !c->v.sclass
|
|
+ || newc->v.sclass == c->v.sclass)) {
|
|
+ yyerror2("duplicate entry for genfs entry (%s, %s)",
|
|
+ fstype, newc->u.name);
|
|
goto fail;
|
|
}
|
|
len = strlen(newc->u.name);
|
|
@@ -4434,29 +4884,21 @@ int define_range_trans(int class_specified)
|
|
}
|
|
|
|
if (class_specified) {
|
|
- while ((id = queue_remove(id_queue))) {
|
|
- if (!is_id_in_scope(SYM_CLASSES, id)) {
|
|
- yyerror2("class %s is not within scope", id);
|
|
- free(id);
|
|
- goto out;
|
|
- }
|
|
- cladatum = hashtab_search(policydbp->p_classes.table, id);
|
|
- if (!cladatum) {
|
|
- yyerror2("unknown class %s", id);
|
|
- goto out;
|
|
- }
|
|
-
|
|
- ebitmap_set_bit(&rule->tclasses, cladatum->s.value - 1, TRUE);
|
|
- free(id);
|
|
- }
|
|
+ if (read_classes(&rule->tclasses))
|
|
+ goto out;
|
|
} else {
|
|
- cladatum = hashtab_search(policydbp->p_classes.table, "process");
|
|
+ cladatum = hashtab_search(policydbp->p_classes.table,
|
|
+ "process");
|
|
if (!cladatum) {
|
|
- yyerror2("could not find process class for " "legacy range_transition statement");
|
|
+ yyerror2("could not find process class for "
|
|
+ "legacy range_transition statement");
|
|
goto out;
|
|
}
|
|
|
|
- ebitmap_set_bit(&rule->tclasses, cladatum->s.value - 1, TRUE);
|
|
+ if (ebitmap_set_bit(&rule->tclasses, cladatum->s.value - 1, TRUE)) {
|
|
+ yyerror("out of memory");
|
|
+ goto out;
|
|
+ }
|
|
}
|
|
|
|
id = (char *)queue_remove(id_queue);
|
|
@@ -4467,7 +4909,8 @@ int define_range_trans(int class_specified)
|
|
for (l = 0; l < 2; l++) {
|
|
levdatum = hashtab_search(policydbp->p_levels.table, id);
|
|
if (!levdatum) {
|
|
- yyerror2("unknown level %s used in range_transition " "definition", id);
|
|
+ yyerror2("unknown level %s used in range_transition "
|
|
+ "definition", id);
|
|
free(id);
|
|
goto out;
|
|
}
|
|
@@ -4476,7 +4919,8 @@ int define_range_trans(int class_specified)
|
|
rule->trange.level[l].sens = levdatum->level->sens;
|
|
|
|
while ((id = queue_remove(id_queue))) {
|
|
- if (parse_semantic_categories(id, levdatum, &rule->trange.level[l].cat)) {
|
|
+ if (parse_semantic_categories(id, levdatum,
|
|
+ &rule->trange.level[l].cat)) {
|
|
free(id);
|
|
goto out;
|
|
}
|
|
@@ -4488,7 +4932,8 @@ int define_range_trans(int class_specified)
|
|
break;
|
|
}
|
|
if (l == 0) {
|
|
- if (mls_semantic_level_cpy(&rule->trange.level[1], &rule->trange.level[0])) {
|
|
+ if (mls_semantic_level_cpy(&rule->trange.level[1],
|
|
+ &rule->trange.level[0])) {
|
|
yyerror("out of memory");
|
|
goto out;
|
|
}
|
|
@@ -4497,8 +4942,9 @@ int define_range_trans(int class_specified)
|
|
append_range_trans(rule);
|
|
return 0;
|
|
|
|
- out:
|
|
+out:
|
|
range_trans_rule_destroy(rule);
|
|
+ free(rule);
|
|
return -1;
|
|
}
|
|
|
|
diff --git a/libqpol/src/policy_define.h b/libqpol/src/policy_define.h
|
|
index f273fed..14c1747 100644
|
|
--- a/libqpol/src/policy_define.h
|
|
+++ b/libqpol/src/policy_define.h
|
|
@@ -19,24 +19,32 @@
|
|
#define TRUE 1
|
|
#define FALSE 0
|
|
|
|
+/* Used by SETools libqpol */
|
|
/** parser used to support fs_use_psid declarations, so revert that bit
|
|
* of code here */
|
|
#define SECURITY_FS_USE_PSIDS 6
|
|
+/* Used by SETools to determine if source MLS or not */
|
|
+int define_mls(void);
|
|
|
|
avrule_t *define_cond_compute_type(int which);
|
|
-avrule_t *define_cond_pol_list(avrule_t * avlist, avrule_t * stmt);
|
|
+avrule_t *define_cond_pol_list(avrule_t *avlist, avrule_t *stmt);
|
|
avrule_t *define_cond_te_avtab(int which);
|
|
avrule_t *define_cond_filename_trans(void);
|
|
-cond_expr_t *define_cond_expr(uint32_t expr_type, void *arg1, void *arg2);
|
|
+cond_expr_t *define_cond_expr(uint32_t expr_type, void *arg1, void* arg2);
|
|
int define_attrib(void);
|
|
+int define_attrib_role(void);
|
|
int define_av_perms(int inherits);
|
|
-int define_bool(void);
|
|
+int define_bool_tunable(int is_tunable);
|
|
int define_category(void);
|
|
int define_class(void);
|
|
+int define_default_user(int which);
|
|
+int define_default_role(int which);
|
|
+int define_default_type(int which);
|
|
+int define_default_range(int which);
|
|
int define_common_perms(void);
|
|
int define_compute_type(int which);
|
|
-int define_conditional(cond_expr_t * expr, avrule_t * t_list, avrule_t * f_list);
|
|
-int define_constraint(constraint_expr_t * expr);
|
|
+int define_conditional(cond_expr_t *expr, avrule_t *t_list, avrule_t *f_list );
|
|
+int define_constraint(constraint_expr_t *expr);
|
|
int define_dominance(void);
|
|
int define_fs_context(unsigned int major, unsigned int minor);
|
|
int define_fs_use(int behavior);
|
|
@@ -46,7 +54,6 @@ int define_initial_sid(void);
|
|
int define_ipv4_node_context(void);
|
|
int define_ipv6_node_context(void);
|
|
int define_level(void);
|
|
-int define_mls(void);
|
|
int define_netif_context(void);
|
|
int define_permissive(void);
|
|
int define_polcap(void);
|
|
@@ -57,8 +64,10 @@ int define_ioport_context(unsigned long low, unsigned long high);
|
|
int define_pcidevice_context(unsigned long device);
|
|
int define_range_trans(int class_specified);
|
|
int define_role_allow(void);
|
|
-int define_role_trans(void);
|
|
+int define_role_trans(int class_specified);
|
|
int define_role_types(void);
|
|
+int define_role_attr(void);
|
|
+int define_roleattribute(void);
|
|
int define_filename_trans(void);
|
|
int define_sens(void);
|
|
int define_te_avtab(int which);
|
|
@@ -67,11 +76,11 @@ int define_typeattribute(void);
|
|
int define_typebounds(void);
|
|
int define_type(int alias);
|
|
int define_user(void);
|
|
-int define_validatetrans(constraint_expr_t * expr);
|
|
-int insert_id(char *id, int push);
|
|
+int define_validatetrans(constraint_expr_t *expr);
|
|
+int insert_id(char *id,int push);
|
|
int insert_separator(int push);
|
|
-role_datum_t *define_role_dom(role_datum_t * r);
|
|
-role_datum_t *merge_roles_dom(role_datum_t * r1, role_datum_t * r2);
|
|
+role_datum_t *define_role_dom(role_datum_t *r);
|
|
+role_datum_t *merge_roles_dom(role_datum_t *r1,role_datum_t *r2);
|
|
uintptr_t define_cexpr(uint32_t expr_type, uintptr_t arg1, uintptr_t arg2);
|
|
|
|
-#endif /* _POLICY_DEFINE_H_ */
|
|
+#endif /* _POLICY_DEFINE_H_ */
|
|
diff --git a/libqpol/src/policy_extend.c b/libqpol/src/policy_extend.c
|
|
index 5325a87..1417271 100644
|
|
--- a/libqpol/src/policy_extend.c
|
|
+++ b/libqpol/src/policy_extend.c
|
|
@@ -843,7 +843,7 @@ static int qpol_syn_rule_table_insert_sepol_avrule(qpol_policy_t * policy, qpol_
|
|
for (class_node = rule->perms; class_node; class_node = class_node->next) {
|
|
key.rule_type = rule->specified;
|
|
key.source_val = key.target_val = i + 1;
|
|
- key.class_val = class_node->class;
|
|
+ key.class_val = class_node->tclass;
|
|
key.cond = cond;
|
|
if (qpol_syn_rule_table_insert_entry(policy, table, &key, new_rule))
|
|
goto err;
|
|
@@ -856,7 +856,7 @@ static int qpol_syn_rule_table_insert_sepol_avrule(qpol_policy_t * policy, qpol_
|
|
key.rule_type = rule->specified;
|
|
key.source_val = i + 1;
|
|
key.target_val = j + 1;
|
|
- key.class_val = class_node->class;
|
|
+ key.class_val = class_node->tclass;
|
|
key.cond = cond;
|
|
if (qpol_syn_rule_table_insert_entry(policy, table, &key, new_rule))
|
|
goto err;
|
|
diff --git a/libqpol/src/policy_parse.y b/libqpol/src/policy_parse.y
|
|
index dc16c6f..357f3d8 100644
|
|
--- a/libqpol/src/policy_parse.y
|
|
+++ b/libqpol/src/policy_parse.y
|
|
@@ -3,6 +3,8 @@
|
|
*
|
|
* This file is based upon checkpolicy/policy_parse.y from NSA's SVN
|
|
* repository. It has been modified to support older policy formats.
|
|
+ * The older format just seems to be FSUSEPSID support (see fs_use_def
|
|
+ * entry.
|
|
*/
|
|
|
|
/*
|
|
@@ -35,6 +37,7 @@
|
|
/* FLASK */
|
|
|
|
%{
|
|
+/* Add for SETools */
|
|
#include <config.h>
|
|
|
|
#include <sys/types.h>
|
|
@@ -55,12 +58,16 @@
|
|
#include <sepol/policydb/conditional.h>
|
|
#include <sepol/policydb/flask.h>
|
|
#include <sepol/policydb/hierarchy.h>
|
|
+/* Add for SETools libqpol */
|
|
#ifdef HAVE_SEPOL_POLICYCAPS
|
|
#include <sepol/policydb/polcaps.h>
|
|
#endif
|
|
|
|
#include "queue.h"
|
|
+
|
|
+/* #include "checkpolicy.h" - Remove for setools and replace with: */
|
|
#include <qpol/policy.h>
|
|
+
|
|
#include "module_compiler.h"
|
|
#include "policy_define.h"
|
|
|
|
@@ -74,6 +81,7 @@ extern int yyerror(char *msg);
|
|
|
|
typedef int (* require_func_t)();
|
|
|
|
+/* Add for SETools libqpol */
|
|
/* redefine input so we can read from a string */
|
|
/* borrowed from O'Reilly lex and yacc pg 157 */
|
|
extern char qpol_src_input[];
|
|
@@ -107,6 +115,8 @@ extern char *qpol_src_inputlim;/* end of data */
|
|
%token INHERITS
|
|
%token SID
|
|
%token ROLE
|
|
+%token ROLEATTRIBUTE
|
|
+%token ATTRIBUTE_ROLE
|
|
%token ROLES
|
|
%token TYPEALIAS
|
|
%token TYPEATTRIBUTE
|
|
@@ -116,6 +126,7 @@ extern char *qpol_src_inputlim;/* end of data */
|
|
%token ALIAS
|
|
%token ATTRIBUTE
|
|
%token BOOL
|
|
+%token TUNABLE
|
|
%token IF
|
|
%token ELSE
|
|
%token TYPE_TRANSITION
|
|
@@ -156,6 +167,9 @@ extern char *qpol_src_inputlim;/* end of data */
|
|
%token MODULE VERSION_IDENTIFIER REQUIRE OPTIONAL
|
|
%token POLICYCAP
|
|
%token PERMISSIVE
|
|
+%token FILESYSTEM
|
|
+%token DEFAULT_USER DEFAULT_ROLE DEFAULT_TYPE DEFAULT_RANGE
|
|
+%token LOW_HIGH LOW HIGH
|
|
|
|
%left OR
|
|
%left XOR
|
|
@@ -170,7 +184,7 @@ base_policy : { if (define_policy(pass, 0) == -1) return -1; }
|
|
classes initial_sids access_vectors
|
|
{ if (pass == 1) { if (policydb_index_classes(policydbp)) return -1; }
|
|
else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1; }}
|
|
- opt_mls te_rbac users opt_constraints
|
|
+ opt_default_rules opt_mls te_rbac users opt_constraints
|
|
{ if (pass == 1) { if (policydb_index_bools(policydbp)) return -1;}
|
|
else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1;}}
|
|
initial_sid_contexts opt_fs_contexts opt_fs_uses opt_genfs_contexts net_contexts opt_dev_contexts
|
|
@@ -208,6 +222,46 @@ av_perms_def : CLASS identifier '{' identifier_list '}'
|
|
| CLASS identifier INHERITS identifier '{' identifier_list '}'
|
|
{if (define_av_perms(TRUE)) return -1;}
|
|
;
|
|
+opt_default_rules : default_rules
|
|
+ |
|
|
+ ;
|
|
+default_rules : default_user_def
|
|
+ | default_role_def
|
|
+ | default_type_def
|
|
+ | default_range_def
|
|
+ | default_rules default_user_def
|
|
+ | default_rules default_role_def
|
|
+ | default_rules default_type_def
|
|
+ | default_rules default_range_def
|
|
+ ;
|
|
+default_user_def : DEFAULT_USER names SOURCE ';'
|
|
+ {if (define_default_user(DEFAULT_SOURCE)) return -1; }
|
|
+ | DEFAULT_USER names TARGET ';'
|
|
+ {if (define_default_user(DEFAULT_TARGET)) return -1; }
|
|
+ ;
|
|
+default_role_def : DEFAULT_ROLE names SOURCE ';'
|
|
+ {if (define_default_role(DEFAULT_SOURCE)) return -1; }
|
|
+ | DEFAULT_ROLE names TARGET ';'
|
|
+ {if (define_default_role(DEFAULT_TARGET)) return -1; }
|
|
+ ;
|
|
+default_type_def : DEFAULT_TYPE names SOURCE ';'
|
|
+ {if (define_default_type(DEFAULT_SOURCE)) return -1; }
|
|
+ | DEFAULT_TYPE names TARGET ';'
|
|
+ {if (define_default_type(DEFAULT_TARGET)) return -1; }
|
|
+ ;
|
|
+default_range_def : DEFAULT_RANGE names SOURCE LOW ';'
|
|
+ {if (define_default_range(DEFAULT_SOURCE_LOW)) return -1; }
|
|
+ | DEFAULT_RANGE names SOURCE HIGH ';'
|
|
+ {if (define_default_range(DEFAULT_SOURCE_HIGH)) return -1; }
|
|
+ | DEFAULT_RANGE names SOURCE LOW_HIGH ';'
|
|
+ {if (define_default_range(DEFAULT_SOURCE_LOW_HIGH)) return -1; }
|
|
+ | DEFAULT_RANGE names TARGET LOW ';'
|
|
+ {if (define_default_range(DEFAULT_TARGET_LOW)) return -1; }
|
|
+ | DEFAULT_RANGE names TARGET HIGH ';'
|
|
+ {if (define_default_range(DEFAULT_TARGET_HIGH)) return -1; }
|
|
+ | DEFAULT_RANGE names TARGET LOW_HIGH ';'
|
|
+ {if (define_default_range(DEFAULT_TARGET_LOW_HIGH)) return -1; }
|
|
+ ;
|
|
opt_mls : mls
|
|
|
|
|
;
|
|
@@ -216,8 +270,14 @@ mls : sensitivities dominance opt_categories levels mlspolicy
|
|
sensitivities : sensitivity_def
|
|
| sensitivities sensitivity_def
|
|
;
|
|
-/* Need to call define_mls here, as we are working with files */
|
|
-/* only, not command line options */
|
|
+/*sensitivity_def : SENSITIVITY identifier alias_def ';'
|
|
+ {if (define_sens()) return -1;}
|
|
+ | SENSITIVITY identifier ';'
|
|
+ {if (define_sens()) return -1;}
|
|
+ ;
|
|
+The above has been replaced by: */
|
|
+/* Needed for SETools to call define_mls here, as we are working */
|
|
+/* with files only, not command line options */
|
|
sensitivity_def : SENSITIVITY identifier alias_def ';'
|
|
{if (define_mls() | define_sens()) return -1;}
|
|
| SENSITIVITY identifier ';'
|
|
@@ -271,10 +331,13 @@ te_rbac_decl : te_decl
|
|
| policycap_def
|
|
| ';'
|
|
;
|
|
-rbac_decl : role_type_def
|
|
+rbac_decl : attribute_role_def
|
|
+ | role_type_def
|
|
| role_dominance
|
|
| role_trans_def
|
|
| role_allow_def
|
|
+ | roleattribute_def
|
|
+ | role_attr_def
|
|
;
|
|
te_decl : attribute_def
|
|
| type_def
|
|
@@ -282,6 +345,7 @@ te_decl : attribute_def
|
|
| typeattribute_def
|
|
| typebounds_def
|
|
| bool_def
|
|
+ | tunable_def
|
|
| transition_def
|
|
| range_trans_def
|
|
| te_avtab_def
|
|
@@ -308,8 +372,11 @@ opt_attr_list : ',' id_comma_list
|
|
|
|
|
;
|
|
bool_def : BOOL identifier bool_val ';'
|
|
- {if (define_bool()) return -1;}
|
|
+ { if (define_bool_tunable(0)) return -1; }
|
|
;
|
|
+tunable_def : TUNABLE identifier bool_val ';'
|
|
+ { if (define_bool_tunable(1)) return -1; }
|
|
+ ;
|
|
bool_val : CTRUE
|
|
{ if (insert_id("T",0)) return -1; }
|
|
| CFALSE
|
|
@@ -364,7 +431,7 @@ cond_rule_def : cond_transition_def
|
|
cond_transition_def : TYPE_TRANSITION names names ':' names identifier filename ';'
|
|
{ $$ = define_cond_filename_trans() ;
|
|
if ($$ == COND_ERR) return -1;}
|
|
- | TYPE_TRANSITION names names ':' names identifier ';'
|
|
+ | TYPE_TRANSITION names names ':' names identifier ';'
|
|
{ $$ = define_cond_compute_type(AVRULE_TRANSITION) ;
|
|
if ($$ == COND_ERR) return -1;}
|
|
| TYPE_MEMBER names names ':' names identifier ';'
|
|
@@ -399,6 +466,7 @@ cond_dontaudit_def : DONTAUDIT names names ':' names names ';'
|
|
{ $$ = define_cond_te_avtab(AVRULE_DONTAUDIT);
|
|
if ($$ == COND_ERR) return -1; }
|
|
;
|
|
+ ;
|
|
transition_def : TYPE_TRANSITION names names ':' names identifier filename ';'
|
|
{if (define_filename_trans()) return -1; }
|
|
| TYPE_TRANSITION names names ':' names identifier ';'
|
|
@@ -434,15 +502,21 @@ dontaudit_def : DONTAUDIT names names ':' names names ';'
|
|
neverallow_def : NEVERALLOW names names ':' names names ';'
|
|
{if (define_te_avtab(AVRULE_NEVERALLOW)) return -1; }
|
|
;
|
|
+attribute_role_def : ATTRIBUTE_ROLE identifier ';'
|
|
+ {if (define_attrib_role()) return -1; }
|
|
+ ;
|
|
role_type_def : ROLE identifier TYPES names ';'
|
|
{if (define_role_types()) return -1;}
|
|
- | ROLE identifier';'
|
|
- {if (define_role_types()) return -1;}
|
|
+ ;
|
|
+role_attr_def : ROLE identifier opt_attr_list ';'
|
|
+ {if (define_role_attr()) return -1;}
|
|
;
|
|
role_dominance : DOMINANCE '{' roles '}'
|
|
;
|
|
role_trans_def : ROLE_TRANSITION names names identifier ';'
|
|
- {if (define_role_trans()) return -1; }
|
|
+ {if (define_role_trans(0)) return -1; }
|
|
+ | ROLE_TRANSITION names names ':' names identifier ';'
|
|
+ {if (define_role_trans(1)) return -1;}
|
|
;
|
|
role_allow_def : ALLOW names names ';'
|
|
{if (define_role_allow()) return -1; }
|
|
@@ -457,6 +531,9 @@ role_def : ROLE identifier_push ';'
|
|
| ROLE identifier_push '{' roles '}'
|
|
{$$ = define_role_dom((role_datum_t*)$4); if ($$ == 0) return -1;}
|
|
;
|
|
+roleattribute_def : ROLEATTRIBUTE identifier id_comma_list ';'
|
|
+ {if (define_roleattribute()) return -1;}
|
|
+ ;
|
|
opt_constraints : constraints
|
|
|
|
|
;
|
|
@@ -662,7 +739,7 @@ opt_fs_uses : fs_uses
|
|
fs_uses : fs_use_def
|
|
| fs_uses fs_use_def
|
|
;
|
|
-fs_use_def : FSUSEXATTR identifier security_context_def ';'
|
|
+fs_use_def : FSUSEXATTR filesystem security_context_def ';'
|
|
{if (define_fs_use(SECURITY_FS_USE_XATTR)) return -1;}
|
|
| FSUSETASK identifier security_context_def ';'
|
|
{if (define_fs_use(SECURITY_FS_USE_TASK)) return -1;}
|
|
@@ -677,11 +754,11 @@ opt_genfs_contexts : genfs_contexts
|
|
genfs_contexts : genfs_context_def
|
|
| genfs_contexts genfs_context_def
|
|
;
|
|
-genfs_context_def : GENFSCON identifier path '-' identifier security_context_def
|
|
+genfs_context_def : GENFSCON filesystem path '-' identifier security_context_def
|
|
{if (define_genfs_context(1)) return -1;}
|
|
- | GENFSCON identifier path '-' '-' {insert_id("-", 0);} security_context_def
|
|
+ | GENFSCON filesystem path '-' '-' {insert_id("-", 0);} security_context_def
|
|
{if (define_genfs_context(1)) return -1;}
|
|
- | GENFSCON identifier path security_context_def
|
|
+ | GENFSCON filesystem path security_context_def
|
|
{if (define_genfs_context(0)) return -1;}
|
|
;
|
|
ipv4_addr_def : IPV4_ADDR
|
|
@@ -755,6 +832,11 @@ nested_id_element : identifier | '-' { if (insert_id("-", 0)) return -1; }
|
|
identifier : IDENTIFIER
|
|
{ if (insert_id(yytext,0)) return -1; }
|
|
;
|
|
+filesystem : FILESYSTEM
|
|
+ { if (insert_id(yytext,0)) return -1; }
|
|
+ | IDENTIFIER
|
|
+ { if (insert_id(yytext,0)) return -1; }
|
|
+ ;
|
|
path : PATH
|
|
{ if (insert_id(yytext,0)) return -1; }
|
|
;
|
|
@@ -785,6 +867,8 @@ module_def : MODULE identifier version_identifier ';'
|
|
;
|
|
version_identifier : VERSION_IDENTIFIER
|
|
{ if (insert_id(yytext,0)) return -1; }
|
|
+ | number
|
|
+ { if (insert_id(yytext,0)) return -1; }
|
|
| ipv4_addr_def /* version can look like ipv4 address */
|
|
;
|
|
avrules_block : avrule_decls avrule_user_defs
|
|
@@ -813,8 +897,10 @@ require_class : CLASS identifier names
|
|
require_decl_def : ROLE { $$ = require_role; }
|
|
| TYPE { $$ = require_type; }
|
|
| ATTRIBUTE { $$ = require_attribute; }
|
|
+ | ATTRIBUTE_ROLE { $$ = require_attribute_role; }
|
|
| USER { $$ = require_user; }
|
|
| BOOL { $$ = require_bool; }
|
|
+ | TUNABLE { $$ = require_tunable; }
|
|
| SENSITIVITY { $$ = require_sens; }
|
|
| CATEGORY { $$ = require_cat; }
|
|
;
|
|
diff --git a/libqpol/src/policy_scan.l b/libqpol/src/policy_scan.l
|
|
index 30203cd..b4e3fe1 100644
|
|
--- a/libqpol/src/policy_scan.l
|
|
+++ b/libqpol/src/policy_scan.l
|
|
@@ -3,6 +3,8 @@
|
|
*
|
|
* This file is based upon checkpolicy/policy_scan.l fram NSA's SVN
|
|
* repository. It has been modified to support older policy formats.
|
|
+ * The older format just seems to be FSUSEPSID support (see fs_use_psid
|
|
+ * entry.
|
|
*
|
|
* Author : Stephen Smalley, <sds@epoch.ncsc.mil>
|
|
*
|
|
@@ -22,6 +24,7 @@
|
|
|
|
/* FLASK */
|
|
|
|
+/* Required for SETools libqpol services */
|
|
%{
|
|
#undef YY_INPUT
|
|
#define YY_INPUT(b, r, ms) (r = qpol_src_yyinput(b, ms))
|
|
@@ -35,7 +38,12 @@
|
|
|
|
typedef int (* require_func_t)();
|
|
|
|
+/* For SETools libqpol services leave this as policy_parse.h */
|
|
+/* #ifdef ANDROID */
|
|
#include "policy_parse.h"
|
|
+/*#else
|
|
+#include "y.tab.h"
|
|
+#endif */
|
|
|
|
static char linebuf[2][255];
|
|
static unsigned int lno = 0;
|
|
@@ -50,17 +58,16 @@ unsigned long policydb_lineno = 1;
|
|
|
|
unsigned int policydb_errors = 0;
|
|
|
|
+/* These are required for SETools libqpol services */
|
|
/* redefine input so we can read from a string */
|
|
/* borrowed from O'Reilly lex and yacc pg 157 */
|
|
extern char qpol_src_input[];
|
|
extern char *qpol_src_inputptr;/* current position in myinput */
|
|
extern char *qpol_src_inputlim;/* end of data */
|
|
int qpol_src_yyinput(char *buf, int max_size);
|
|
-
|
|
%}
|
|
|
|
-%option nounput
|
|
-%option noyywrap
|
|
+%option noinput nounput noyywrap
|
|
|
|
%array
|
|
letter [A-Za-z]
|
|
@@ -93,6 +100,10 @@ ROLE |
|
|
role { return(ROLE); }
|
|
ROLES |
|
|
roles { return(ROLES); }
|
|
+ROLEATTRIBUTE |
|
|
+roleattribute { return(ROLEATTRIBUTE);}
|
|
+ATTRIBUTE_ROLE |
|
|
+attribute_role { return(ATTRIBUTE_ROLE);}
|
|
TYPES |
|
|
types { return(TYPES); }
|
|
TYPEALIAS |
|
|
@@ -105,6 +116,8 @@ TYPE |
|
|
type { return(TYPE); }
|
|
BOOL |
|
|
bool { return(BOOL); }
|
|
+TUNABLE |
|
|
+tunable { return(TUNABLE); }
|
|
IF |
|
|
if { return(IF); }
|
|
ELSE |
|
|
@@ -234,9 +247,24 @@ policycap |
|
|
POLICYCAP { return(POLICYCAP); }
|
|
permissive |
|
|
PERMISSIVE { return(PERMISSIVE); }
|
|
+default_user |
|
|
+DEFAULT_USER { return(DEFAULT_USER); }
|
|
+default_role |
|
|
+DEFAULT_ROLE { return(DEFAULT_ROLE); }
|
|
+default_type |
|
|
+DEFAULT_TYPE { return(DEFAULT_TYPE); }
|
|
+default_range |
|
|
+DEFAULT_RANGE { return(DEFAULT_RANGE); }
|
|
+low-high |
|
|
+LOW-HIGH { return(LOW_HIGH); }
|
|
+high |
|
|
+HIGH { return(HIGH); }
|
|
+low |
|
|
+LOW { return(LOW); }
|
|
"/"({alnum}|[_\.\-/])* { return(PATH); }
|
|
-\"({alnum}|[_\.\-])+\" { return(FILENAME); }
|
|
+\"({alnum}|[_\.\-\+\~\: ])+\" { return(FILENAME); }
|
|
{letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); }
|
|
+{alnum}*{letter}{alnum}* { return(FILESYSTEM); }
|
|
{digit}+|0x{hexval}+ { return(NUMBER); }
|
|
{digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); }
|
|
{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); }
|
|
@@ -304,6 +332,7 @@ void set_source_file(const char *name)
|
|
source_file[sizeof(source_file)-1] = '\0';
|
|
}
|
|
|
|
+/* Required for SETools libqpol services */
|
|
int qpol_src_yyinput(char *buf, int max_size)
|
|
{
|
|
int n = max_size < (qpol_src_inputlim - qpol_src_inputptr) ? max_size : (qpol_src_inputlim - qpol_src_inputptr);
|
|
@@ -315,6 +344,7 @@ int qpol_src_yyinput(char *buf, int max_size)
|
|
return n;
|
|
}
|
|
|
|
+/* Required for SETools libqpol services */
|
|
void init_scanner(void)
|
|
{
|
|
yy_flush_buffer(YY_CURRENT_BUFFER);
|
|
diff --git a/libqpol/src/queue.c b/libqpol/src/queue.c
|
|
index 18667d5..45a510a 100644
|
|
--- a/libqpol/src/queue.c
|
|
+++ b/libqpol/src/queue.c
|
|
@@ -6,6 +6,8 @@
|
|
* Author : Stephen Smalley, <sds@epoch.ncsc.mil>
|
|
*/
|
|
|
|
+/* No changes for SETools libqpol services - Just the header */
|
|
+
|
|
/* FLASK */
|
|
|
|
/*
|
|
@@ -144,7 +146,9 @@ int queue_map(queue_t q, int (*f) (queue_element_t, void *), void *vp)
|
|
return 0;
|
|
}
|
|
|
|
-void queue_map_remove_on_error(queue_t q, int (*f) (queue_element_t, void *), void (*g) (queue_element_t, void *), void *vp)
|
|
+void queue_map_remove_on_error(queue_t q,
|
|
+ int (*f) (queue_element_t, void *),
|
|
+ void (*g) (queue_element_t, void *), void *vp)
|
|
{
|
|
queue_node_ptr_t p, last, temp;
|
|
int ret;
|
|
diff --git a/libqpol/src/queue.h b/libqpol/src/queue.h
|
|
index bca304b..dca1b2e 100644
|
|
--- a/libqpol/src/queue.h
|
|
+++ b/libqpol/src/queue.h
|
|
@@ -6,6 +6,8 @@
|
|
* Author : Stephen Smalley, <sds@epoch.ncsc.mil>
|
|
*/
|
|
|
|
+/* No changes for SETools libqpol services - Just the header */
|
|
+
|
|
/* FLASK */
|
|
|
|
/*
|
|
@@ -21,14 +23,12 @@ typedef void *queue_element_t;
|
|
|
|
typedef struct queue_node *queue_node_ptr_t;
|
|
|
|
-typedef struct queue_node
|
|
-{
|
|
+typedef struct queue_node {
|
|
queue_element_t element;
|
|
queue_node_ptr_t next;
|
|
} queue_node_t;
|
|
|
|
-typedef struct queue_info
|
|
-{
|
|
+typedef struct queue_info {
|
|
queue_node_ptr_t head;
|
|
queue_node_ptr_t tail;
|
|
} queue_info_t;
|
|
@@ -60,7 +60,9 @@ int queue_map(queue_t, int (*f) (queue_element_t, void *), void *);
|
|
then the element will be removed from the queue and the g
|
|
function will be applied to the element.
|
|
*/
|
|
-void queue_map_remove_on_error(queue_t, int (*f) (queue_element_t, void *), void (*g) (queue_element_t, void *), void *);
|
|
+void queue_map_remove_on_error(queue_t,
|
|
+ int (*f) (queue_element_t, void *),
|
|
+ void (*g) (queue_element_t, void *), void *);
|
|
|
|
#endif
|
|
|
|
diff --git a/libqpol/src/rbacrule_query.c b/libqpol/src/rbacrule_query.c
|
|
index 7f84459..28449b3 100644
|
|
--- a/libqpol/src/rbacrule_query.c
|
|
+++ b/libqpol/src/rbacrule_query.c
|
|
@@ -334,6 +334,29 @@ int qpol_role_trans_get_target_type(const qpol_policy_t * policy, const qpol_rol
|
|
return STATUS_SUCCESS;
|
|
}
|
|
|
|
+int qpol_role_trans_get_object_class(const qpol_policy_t * policy, const qpol_role_trans_t * rule, const qpol_class_t ** obj_class)
|
|
+{
|
|
+ policydb_t *db = NULL;
|
|
+ role_trans_t *rt = NULL;
|
|
+
|
|
+ if (obj_class) {
|
|
+ *obj_class = NULL;
|
|
+ }
|
|
+
|
|
+ if (!policy || !rule || !obj_class) {
|
|
+ ERR(policy, "%s", strerror(EINVAL));
|
|
+ errno = EINVAL;
|
|
+ return STATUS_ERR;
|
|
+ }
|
|
+
|
|
+ db = &policy->p->p;
|
|
+ rt = (role_trans_t *) rule;
|
|
+
|
|
+ *obj_class = (qpol_class_t *) db->class_val_to_struct[rt->tclass - 1];
|
|
+
|
|
+ return STATUS_SUCCESS;
|
|
+}
|
|
+
|
|
int qpol_role_trans_get_default_role(const qpol_policy_t * policy, const qpol_role_trans_t * rule, const qpol_role_t ** dflt)
|
|
{
|
|
policydb_t *db = NULL;
|
|
diff --git a/libqpol/src/syn_rule_query.c b/libqpol/src/syn_rule_query.c
|
|
index 3e63204..d7578f1 100644
|
|
--- a/libqpol/src/syn_rule_query.c
|
|
+++ b/libqpol/src/syn_rule_query.c
|
|
@@ -67,7 +67,7 @@ static void *syn_rule_class_state_get_cur(const qpol_iterator_t * iter)
|
|
return NULL;
|
|
}
|
|
|
|
- return db->class_val_to_struct[srcs->cur->class - 1];
|
|
+ return db->class_val_to_struct[srcs->cur->tclass - 1];
|
|
}
|
|
|
|
static int syn_rule_class_state_next(qpol_iterator_t * iter)
|
|
@@ -465,10 +465,10 @@ int qpol_syn_avrule_get_perm_iter(const qpol_policy_t * policy, const qpol_syn_a
|
|
}
|
|
|
|
for (node = internal_rule->perms; node; node = node->next) {
|
|
- for (i = 0; i < db->class_val_to_struct[node->class - 1]->permissions.nprim; i++) {
|
|
+ for (i = 0; i < db->class_val_to_struct[node->tclass - 1]->permissions.nprim; i++) {
|
|
if (!(node->data & (1 << i)))
|
|
continue;
|
|
- tmp = sepol_av_to_string(db, node->class, (sepol_access_vector_t) (1 << i));
|
|
+ tmp = sepol_av_to_string(db, node->tclass, (sepol_access_vector_t) (1 << i));
|
|
if (tmp) {
|
|
tmp++; /* remove prepended space */
|
|
for (cur = 0; cur < perm_list_sz; cur++)
|
|
diff --git a/libqpol/swig/qpol.i b/libqpol/swig/qpol.i
|
|
index 45a2403..b604488 100644
|
|
--- a/libqpol/swig/qpol.i
|
|
+++ b/libqpol/swig/qpol.i
|
|
@@ -228,7 +228,7 @@ SWIGEXPORT int Tqpol_Init(Tcl_Interp *interp) {
|
|
#define QPOL_MODULE_OTHER 2
|
|
typedef struct qpol_module {} qpol_module_t;
|
|
%extend qpol_module_t {
|
|
- qpol_module_t(const char *path) {
|
|
+ qpol_module(const char *path) {
|
|
qpol_module_t *m;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_module_create_from_file(path, &m)) {
|
|
@@ -239,10 +239,11 @@ typedef struct qpol_module {} qpol_module_t;
|
|
fail:
|
|
return NULL;
|
|
};
|
|
- ~qpol_module_t() {
|
|
+ ~qpol_module() {
|
|
qpol_module_destroy(&self);
|
|
};
|
|
- const char *get_path() {
|
|
+ %rename(get_path) wrap_get_path;
|
|
+ const char *wrap_get_path() {
|
|
const char *p;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_module_get_path(self, &p)) {
|
|
@@ -253,7 +254,8 @@ typedef struct qpol_module {} qpol_module_t;
|
|
fail:
|
|
return NULL;
|
|
};
|
|
- const char *get_name() {
|
|
+ %rename(get_name) wrap_get_name;
|
|
+ const char *wrap_get_name() {
|
|
const char *n;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_module_get_name(self, &n)) {
|
|
@@ -264,7 +266,8 @@ typedef struct qpol_module {} qpol_module_t;
|
|
fail:
|
|
return NULL;
|
|
};
|
|
- const char *get_version() {
|
|
+ %rename(get_version) wrap_get_version;
|
|
+ const char *wrap_get_version() {
|
|
const char *v;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_module_get_version(self, &v)) {
|
|
@@ -275,7 +278,8 @@ typedef struct qpol_module {} qpol_module_t;
|
|
fail:
|
|
return NULL;
|
|
};
|
|
- int get_type() {
|
|
+ %rename(get_type) wrap_get_type;
|
|
+ int wrap_get_type() {
|
|
int t;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_module_get_type(self, &t)) {
|
|
@@ -285,7 +289,8 @@ typedef struct qpol_module {} qpol_module_t;
|
|
fail:
|
|
return t;
|
|
};
|
|
- int get_enabled() {
|
|
+ %rename(get_enabled) wrap_get_enabled;
|
|
+ int wrap_get_enabled() {
|
|
int e;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_module_get_enabled(self, &e)) {
|
|
@@ -295,7 +300,8 @@ typedef struct qpol_module {} qpol_module_t;
|
|
fail:
|
|
return e;
|
|
};
|
|
- void set_enabled(int state) {
|
|
+ %rename(set_enabled) wrap_set_enabled;
|
|
+ void wrap_set_enabled(int state) {
|
|
BEGIN_EXCEPTION
|
|
if (qpol_module_set_enabled(self, state)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set module state");
|
|
@@ -326,11 +332,18 @@ typedef enum qpol_capability
|
|
QPOL_CAP_MODULES,
|
|
QPOL_CAP_RULES_LOADED,
|
|
QPOL_CAP_SOURCE,
|
|
- QPOL_CAP_NEVERALLOW
|
|
+ QPOL_CAP_NEVERALLOW,
|
|
+ QPOL_CAP_POLCAPS,
|
|
+ QPOL_CAP_BOUNDS,
|
|
+ QPOL_CAP_DEFAULT_OBJECTS,
|
|
+ QPOL_CAP_DEFAULT_TYPE,
|
|
+ QPOL_CAP_PERMISSIVE,
|
|
+ QPOL_CAP_FILENAME_TRANS,
|
|
+ QPOL_CAP_ROLETRANS
|
|
} qpol_capability_e;
|
|
|
|
%extend qpol_policy_t {
|
|
- qpol_policy_t(const char *path, const int options) {
|
|
+ qpol_policy(const char *path, const int options) {
|
|
qpol_policy_t *p;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_policy_open_from_file(path, &p, qpol_swig_message_callback, qpol_swig_message_callback_arg, options) < 0) {
|
|
@@ -341,10 +354,11 @@ typedef enum qpol_capability
|
|
fail:
|
|
return NULL;
|
|
}
|
|
- ~qpol_policy_t() {
|
|
+ ~qpol_policy() {
|
|
qpol_policy_destroy(&self);
|
|
};
|
|
- void reevaluate_conds() {
|
|
+ %rename(reevaluate_conds) wrap_reevaluate_conds;
|
|
+ void wrap_reevaluate_conds() {
|
|
BEGIN_EXCEPTION
|
|
if (qpol_policy_reevaluate_conds(self)) {
|
|
SWIG_exception(SWIG_ValueError, "Error evaluating conditional expressions");
|
|
@@ -353,7 +367,8 @@ typedef enum qpol_capability
|
|
fail:
|
|
return;
|
|
};
|
|
- void append_module(qpol_module_t *mod) {
|
|
+ %rename(append_module) wrap_append_module;
|
|
+ void wrap_append_module(qpol_module_t *mod) {
|
|
BEGIN_EXCEPTION
|
|
if (qpol_policy_append_module(self, mod)) {
|
|
SWIG_exception(SWIG_MemoryError, "Out of Memory");
|
|
@@ -362,7 +377,8 @@ typedef enum qpol_capability
|
|
fail:
|
|
return;
|
|
};
|
|
- void rebuild (const int options) {
|
|
+ %rename(rebuild) wrap_rebuild;
|
|
+ void wrap_rebuild (const int options) {
|
|
BEGIN_EXCEPTION
|
|
if (qpol_policy_rebuild(self, options)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Failed rebuilding policy");
|
|
@@ -376,15 +392,25 @@ typedef enum qpol_capability
|
|
(void)qpol_policy_get_policy_version(self, &v); /* only error is on null parameters neither can be here */
|
|
return (int) v;
|
|
};
|
|
- int get_type () {
|
|
+
|
|
+ int get_handle_unknown () {
|
|
+ unsigned int h;
|
|
+ (void)qpol_policy_get_policy_handle_unknown(self, &h);
|
|
+ return (int) h;
|
|
+ };
|
|
+
|
|
+ %rename(get_type) wrap_get_type;
|
|
+ int wrap_get_type () {
|
|
int t;
|
|
(void)qpol_policy_get_type(self, &t); /* only error is on null parameters neither can be here */
|
|
return t;
|
|
};
|
|
- int has_capability (qpol_capability_e cap) {
|
|
+ %rename(has_capability) wrap_has_capability;
|
|
+ int wrap_has_capability (qpol_capability_e cap) {
|
|
return qpol_policy_has_capability(self, cap);
|
|
};
|
|
- void build_syn_rule_table() {
|
|
+ %rename(build_syn_rule_table) wrap_build_syn_rule_table;
|
|
+ void wrap_build_syn_rule_table() {
|
|
BEGIN_EXCEPTION
|
|
if (qpol_policy_build_syn_rule_table(self)) {
|
|
SWIG_exception(SWIG_MemoryError, "Out of Memory");
|
|
@@ -394,7 +420,8 @@ typedef enum qpol_capability
|
|
return;
|
|
};
|
|
%newobject get_module_iter();
|
|
- qpol_iterator_t *get_module_iter() {
|
|
+ %rename(get_module_iter) wrap_get_module_iter;
|
|
+ qpol_iterator_t *wrap_get_module_iter() {
|
|
BEGIN_EXCEPTION
|
|
qpol_iterator_t *iter;
|
|
if (qpol_policy_get_module_iter(self, &iter)) {
|
|
@@ -406,7 +433,8 @@ typedef enum qpol_capability
|
|
return NULL;
|
|
};
|
|
%newobject get_type_iter();
|
|
- qpol_iterator_t *get_type_iter() {
|
|
+ %rename(get_type_iter) wrap_get_type_iter;
|
|
+ qpol_iterator_t *wrap_get_type_iter() {
|
|
BEGIN_EXCEPTION
|
|
qpol_iterator_t *iter;
|
|
if (qpol_policy_get_type_iter(self, &iter)) {
|
|
@@ -418,7 +446,8 @@ typedef enum qpol_capability
|
|
return NULL;
|
|
};
|
|
%newobject get_role_iter();
|
|
- qpol_iterator_t *get_role_iter() {
|
|
+ %rename(get_role_iter) wrap_get_role_iter;
|
|
+ qpol_iterator_t *wrap_get_role_iter() {
|
|
BEGIN_EXCEPTION
|
|
qpol_iterator_t *iter;
|
|
if (qpol_policy_get_role_iter(self, &iter)) {
|
|
@@ -430,7 +459,8 @@ typedef enum qpol_capability
|
|
return NULL;
|
|
};
|
|
%newobject get_level_iter();
|
|
- qpol_iterator_t *get_level_iter() {
|
|
+ %rename(get_level_iter) wrap_get_level_iter;
|
|
+ qpol_iterator_t *wrap_get_level_iter() {
|
|
BEGIN_EXCEPTION
|
|
qpol_iterator_t *iter;
|
|
if (qpol_policy_get_level_iter(self, &iter)) {
|
|
@@ -442,7 +472,8 @@ typedef enum qpol_capability
|
|
return NULL;
|
|
};
|
|
%newobject get_cat_iter();
|
|
- qpol_iterator_t *get_cat_iter() {
|
|
+ %rename(get_cat_iter) wrap_get_cat_iter;
|
|
+ qpol_iterator_t *wrap_get_cat_iter() {
|
|
BEGIN_EXCEPTION
|
|
qpol_iterator_t *iter;
|
|
if (qpol_policy_get_cat_iter(self, &iter)) {
|
|
@@ -454,7 +485,8 @@ typedef enum qpol_capability
|
|
return NULL;
|
|
};
|
|
%newobject get_user_iter();
|
|
- qpol_iterator_t *get_user_iter() {
|
|
+ %rename(get_user_iter) wrap_get_user_iter;
|
|
+ qpol_iterator_t *wrap_get_user_iter() {
|
|
BEGIN_EXCEPTION
|
|
qpol_iterator_t *iter;
|
|
if (qpol_policy_get_user_iter(self, &iter)) {
|
|
@@ -466,7 +498,8 @@ typedef enum qpol_capability
|
|
return NULL;
|
|
};
|
|
%newobject get_bool_iter();
|
|
- qpol_iterator_t *get_bool_iter() {
|
|
+ %rename(get_bool_iter) wrap_get_bool_iter;
|
|
+ qpol_iterator_t *wrap_get_bool_iter() {
|
|
BEGIN_EXCEPTION
|
|
qpol_iterator_t *iter;
|
|
if (qpol_policy_get_bool_iter(self, &iter)) {
|
|
@@ -478,7 +511,8 @@ typedef enum qpol_capability
|
|
return NULL;
|
|
};
|
|
%newobject get_class_iter(char*);
|
|
- qpol_iterator_t *get_class_iter(char *perm=NULL) {
|
|
+ %rename(get_class_iter) wrap_get_class_iter;
|
|
+ qpol_iterator_t *wrap_get_class_iter(char *perm=NULL) {
|
|
BEGIN_EXCEPTION
|
|
qpol_iterator_t *iter;
|
|
if (perm) {
|
|
@@ -496,7 +530,8 @@ typedef enum qpol_capability
|
|
return NULL;
|
|
};
|
|
%newobject get_common_iter(char*);
|
|
- qpol_iterator_t *get_common_iter(char *perm=NULL) {
|
|
+ %rename(get_common_iter) wrap_get_common_iter;
|
|
+ qpol_iterator_t *wrap_get_common_iter(char *perm=NULL) {
|
|
BEGIN_EXCEPTION
|
|
qpol_iterator_t *iter;
|
|
if (perm) {
|
|
@@ -514,7 +549,8 @@ typedef enum qpol_capability
|
|
return NULL;
|
|
};
|
|
%newobject get_fs_use_iter();
|
|
- qpol_iterator_t *get_fs_use_iter() {
|
|
+ %rename(get_fs_use_iter) wrap_get_fs_use_iter;
|
|
+ qpol_iterator_t *wrap_get_fs_use_iter() {
|
|
BEGIN_EXCEPTION
|
|
qpol_iterator_t *iter;
|
|
if (qpol_policy_get_fs_use_iter(self, &iter)) {
|
|
@@ -526,7 +562,8 @@ typedef enum qpol_capability
|
|
return NULL;
|
|
};
|
|
%newobject get_genfscon_iter();
|
|
- qpol_iterator_t *get_genfscon_iter() {
|
|
+ %rename(get_genfscon_iter) wrap_get_genfscon_iter;
|
|
+ qpol_iterator_t *wrap_get_genfscon_iter() {
|
|
BEGIN_EXCEPTION
|
|
qpol_iterator_t *iter;
|
|
if (qpol_policy_get_genfscon_iter(self, &iter)) {
|
|
@@ -538,7 +575,8 @@ typedef enum qpol_capability
|
|
return NULL;
|
|
};
|
|
%newobject get_isid_iter();
|
|
- qpol_iterator_t *get_isid_iter() {
|
|
+ %rename(get_isid_iter) wrap_get_isid_iter;
|
|
+ qpol_iterator_t *wrap_get_isid_iter() {
|
|
BEGIN_EXCEPTION
|
|
qpol_iterator_t *iter;
|
|
if (qpol_policy_get_isid_iter(self, &iter)) {
|
|
@@ -550,7 +588,8 @@ typedef enum qpol_capability
|
|
return NULL;
|
|
};
|
|
%newobject get_netifcon_iter();
|
|
- qpol_iterator_t *get_netifcon_iter() {
|
|
+ %rename(get_netifcon_iter) wrap_get_netifcon_iter;
|
|
+ qpol_iterator_t *wrap_get_netifcon_iter() {
|
|
BEGIN_EXCEPTION
|
|
qpol_iterator_t *iter;
|
|
if (qpol_policy_get_netifcon_iter(self, &iter)) {
|
|
@@ -562,7 +601,8 @@ typedef enum qpol_capability
|
|
return NULL;
|
|
};
|
|
%newobject get_nodecon_iter();
|
|
- qpol_iterator_t *get_nodecon_iter() {
|
|
+ %rename(get_nodecon_iter) wrap_get_nodecon_iter;
|
|
+ qpol_iterator_t *wrap_get_nodecon_iter() {
|
|
BEGIN_EXCEPTION
|
|
qpol_iterator_t *iter;
|
|
if (qpol_policy_get_nodecon_iter(self, &iter)) {
|
|
@@ -574,7 +614,8 @@ typedef enum qpol_capability
|
|
return NULL;
|
|
};
|
|
%newobject get_portcon_iter();
|
|
- qpol_iterator_t *get_portcon_iter() {
|
|
+ %rename(get_portcon_iter) wrap_get_portcon_iter;
|
|
+ qpol_iterator_t *wrap_get_portcon_iter() {
|
|
BEGIN_EXCEPTION
|
|
qpol_iterator_t *iter;
|
|
if (qpol_policy_get_portcon_iter(self, &iter)) {
|
|
@@ -586,7 +627,8 @@ typedef enum qpol_capability
|
|
return NULL;
|
|
};
|
|
%newobject get_constraint_iter();
|
|
- qpol_iterator_t *get_constraint_iter() {
|
|
+ %rename(get_constraint_iter) wrap_get_constraint_iter;
|
|
+ qpol_iterator_t *wrap_get_constraint_iter() {
|
|
BEGIN_EXCEPTION
|
|
qpol_iterator_t *iter;
|
|
if (qpol_policy_get_constraint_iter(self, &iter)) {
|
|
@@ -598,7 +640,8 @@ typedef enum qpol_capability
|
|
return NULL;
|
|
};
|
|
%newobject get_validatetrans_iter();
|
|
- qpol_iterator_t *get_validatetrans_iter() {
|
|
+ %rename(get_validatetrans_iter) wrap_get_validatetrans_iter;
|
|
+ qpol_iterator_t *wrap_get_validatetrans_iter() {
|
|
BEGIN_EXCEPTION
|
|
qpol_iterator_t *iter;
|
|
if (qpol_policy_get_validatetrans_iter(self, &iter)) {
|
|
@@ -610,7 +653,8 @@ typedef enum qpol_capability
|
|
return NULL;
|
|
};
|
|
%newobject get_role_allow_iter();
|
|
- qpol_iterator_t *get_role_allow_iter() {
|
|
+ %rename(get_role_allow_iter) wrap_get_role_allow_iter;
|
|
+ qpol_iterator_t *wrap_get_role_allow_iter() {
|
|
BEGIN_EXCEPTION
|
|
qpol_iterator_t *iter;
|
|
if (qpol_policy_get_role_allow_iter(self, &iter)) {
|
|
@@ -622,7 +666,8 @@ typedef enum qpol_capability
|
|
return NULL;
|
|
};
|
|
%newobject get_role_trans_iter();
|
|
- qpol_iterator_t *get_role_trans_iter() {
|
|
+ %rename(get_role_trans_iter) wrap_get_role_trans_iter;
|
|
+ qpol_iterator_t *wrap_get_role_trans_iter() {
|
|
BEGIN_EXCEPTION
|
|
qpol_iterator_t *iter;
|
|
if (qpol_policy_get_role_trans_iter(self, &iter)) {
|
|
@@ -634,7 +679,8 @@ typedef enum qpol_capability
|
|
return NULL;
|
|
};
|
|
%newobject get_range_trans_iter();
|
|
- qpol_iterator_t *get_range_trans_iter() {
|
|
+ %rename(get_range_trans_iter) wrap_get_range_trans_iter;
|
|
+ qpol_iterator_t *wrap_get_range_trans_iter() {
|
|
BEGIN_EXCEPTION
|
|
qpol_iterator_t *iter;
|
|
if (qpol_policy_get_range_trans_iter(self, &iter)) {
|
|
@@ -646,7 +692,8 @@ typedef enum qpol_capability
|
|
return NULL;
|
|
};
|
|
%newobject get_avrule_iter(int);
|
|
- qpol_iterator_t *get_avrule_iter(int rule_types) {
|
|
+ %rename(get_avrule_iter) wrap_get_avrule_iter;
|
|
+ qpol_iterator_t *wrap_get_avrule_iter(int rule_types) {
|
|
BEGIN_EXCEPTION
|
|
qpol_iterator_t *iter;
|
|
if (qpol_policy_get_avrule_iter(self, rule_types, &iter)) {
|
|
@@ -658,7 +705,8 @@ typedef enum qpol_capability
|
|
return NULL;
|
|
};
|
|
%newobject get_terule_iter(int);
|
|
- qpol_iterator_t *get_terule_iter(int rule_types) {
|
|
+ %rename(get_terule_iter) wrap_get_terule_iter;
|
|
+ qpol_iterator_t *wrap_get_terule_iter(int rule_types) {
|
|
BEGIN_EXCEPTION
|
|
qpol_iterator_t *iter;
|
|
if (qpol_policy_get_terule_iter(self, rule_types, &iter)) {
|
|
@@ -670,7 +718,8 @@ typedef enum qpol_capability
|
|
return NULL;
|
|
};
|
|
%newobject get_cond_iter();
|
|
- qpol_iterator_t *get_cond_iter() {
|
|
+ %rename(get_cond_iter) wrap_get_cond_iter;
|
|
+ qpol_iterator_t *wrap_get_cond_iter() {
|
|
BEGIN_EXCEPTION
|
|
qpol_iterator_t *iter;
|
|
if (qpol_policy_get_cond_iter(self, &iter)) {
|
|
@@ -681,23 +730,76 @@ typedef enum qpol_capability
|
|
fail:
|
|
return NULL;
|
|
};
|
|
+ %newobject get_filename_trans_iter();
|
|
+ %rename(get_filename_trans_iter) wrap_get_filename_trans_iter;
|
|
+ qpol_iterator_t *wrap_get_filename_trans_iter() {
|
|
+ BEGIN_EXCEPTION
|
|
+ qpol_iterator_t *iter;
|
|
+ if (qpol_policy_get_filename_trans_iter(self, &iter)) {
|
|
+ SWIG_exception(SWIG_MemoryError, "Out of Memory");
|
|
+ }
|
|
+ return iter;
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return NULL;
|
|
+ };
|
|
+ %newobject get_permissive_iter();
|
|
+ %rename(get_permissive_iter) wrap_get_permissive_iter;
|
|
+ qpol_iterator_t *wrap_get_permissive_iter() {
|
|
+ BEGIN_EXCEPTION
|
|
+ qpol_iterator_t *iter;
|
|
+ if (qpol_policy_get_permissive_iter(self, &iter)) {
|
|
+ SWIG_exception(SWIG_MemoryError, "Out of Memory");
|
|
+ }
|
|
+ return iter;
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return NULL;
|
|
+ };
|
|
+ %newobject get_typebounds_iter();
|
|
+ %rename(get_typebounds_iter) wrap_get_typebounds_iter;
|
|
+ qpol_iterator_t *wrap_get_typebounds_iter() {
|
|
+ BEGIN_EXCEPTION
|
|
+ qpol_iterator_t *iter;
|
|
+ if (qpol_policy_get_typebounds_iter(self, &iter)) {
|
|
+ SWIG_exception(SWIG_MemoryError, "Out of Memory");
|
|
+ }
|
|
+ return iter;
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return NULL;
|
|
+ };
|
|
+ %newobject get_polcap_iter();
|
|
+ %rename(get_polcap_iter) wrap_get_polcap_iter;
|
|
+ qpol_iterator_t *wrap_get_polcap_iter() {
|
|
+ BEGIN_EXCEPTION
|
|
+ qpol_iterator_t *iter;
|
|
+ if (qpol_policy_get_polcap_iter(self, &iter)) {
|
|
+ SWIG_exception(SWIG_MemoryError, "Out of Memory");
|
|
+ }
|
|
+ return iter;
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return NULL;
|
|
+ };
|
|
};
|
|
|
|
/* qpol iterator */
|
|
typedef struct qpol_iterator {} qpol_iterator_t;
|
|
%extend qpol_iterator_t {
|
|
/* user never directly creates, but SWIG expects a constructor */
|
|
- qpol_iterator_t() {
|
|
+ qpol_iterator() {
|
|
BEGIN_EXCEPTION
|
|
SWIG_exception(SWIG_TypeError, "User may not create iterators difectly");
|
|
END_EXCEPTION
|
|
fail:
|
|
return NULL;
|
|
};
|
|
- ~qpol_iterator_t() {
|
|
+ ~qpol_iterator() {
|
|
qpol_iterator_destroy(&self);
|
|
};
|
|
- void *get_item() {
|
|
+ %rename(get_item) wrap_get_item;
|
|
+ void *wrap_get_item() {
|
|
BEGIN_EXCEPTION
|
|
void *i;
|
|
if (qpol_iterator_get_item(self, &i)) {
|
|
@@ -708,7 +810,8 @@ typedef struct qpol_iterator {} qpol_iterator_t;
|
|
fail:
|
|
return NULL;
|
|
};
|
|
- void next() {
|
|
+ %rename(next) wrap_next;
|
|
+ void wrap_next() {
|
|
BEGIN_EXCEPTION
|
|
if (qpol_iterator_next(self)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Error advancing iterator");
|
|
@@ -717,10 +820,12 @@ typedef struct qpol_iterator {} qpol_iterator_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- int end() {
|
|
+ %rename(end) wrap_end;
|
|
+ int wrap_end() {
|
|
return qpol_iterator_end(self);
|
|
};
|
|
- size_t get_size() {
|
|
+ %rename(get_size) wrap_get_size;
|
|
+ size_t wrap_get_size() {
|
|
BEGIN_EXCEPTION
|
|
size_t s;
|
|
if (qpol_iterator_get_size(self, &s)) {
|
|
@@ -736,7 +841,7 @@ typedef struct qpol_iterator {} qpol_iterator_t;
|
|
/* qpol type */
|
|
typedef struct qpol_type {} qpol_type_t;
|
|
%extend qpol_type_t {
|
|
- qpol_type_t(qpol_policy_t *p, const char *name) {
|
|
+ qpol_type(qpol_policy_t *p, const char *name) {
|
|
BEGIN_EXCEPTION
|
|
const qpol_type_t *t;
|
|
if (qpol_policy_get_type_by_name(p, name, &t)) {
|
|
@@ -747,11 +852,12 @@ typedef struct qpol_type {} qpol_type_t;
|
|
fail:
|
|
return NULL;
|
|
};
|
|
- ~qpol_type_t() {
|
|
+ ~qpol_type() {
|
|
/* no op */
|
|
return;
|
|
};
|
|
- const char *get_name(qpol_policy_t *p) {
|
|
+ %rename(get_name) wrap_get_name;
|
|
+ const char *wrap_get_name(qpol_policy_t *p) {
|
|
BEGIN_EXCEPTION
|
|
const char *name;
|
|
if (qpol_type_get_name(p, self, &name)) {
|
|
@@ -762,7 +868,8 @@ typedef struct qpol_type {} qpol_type_t;
|
|
fail:
|
|
return NULL;
|
|
};
|
|
- int get_value(qpol_policy_t *p) {
|
|
+ %rename(get_value) wrap_get_value;
|
|
+ int wrap_get_value(qpol_policy_t *p) {
|
|
uint32_t v;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_type_get_value(p, self, &v)) {
|
|
@@ -772,7 +879,8 @@ typedef struct qpol_type {} qpol_type_t;
|
|
fail:
|
|
return (int) v;
|
|
};
|
|
- int get_isalias(qpol_policy_t *p) {
|
|
+ %rename(get_isalias) wrap_get_isalias;
|
|
+ int wrap_get_isalias(qpol_policy_t *p) {
|
|
unsigned char i;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_type_get_isalias(p, self, &i)) {
|
|
@@ -782,7 +890,8 @@ typedef struct qpol_type {} qpol_type_t;
|
|
fail:
|
|
return (int)i;
|
|
};
|
|
- int get_isattr(qpol_policy_t *p) {
|
|
+ %rename(get_isattr) wrap_get_isattr;
|
|
+ int wrap_get_isattr(qpol_policy_t *p) {
|
|
unsigned char i;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_type_get_isattr(p, self, &i)) {
|
|
@@ -792,7 +901,8 @@ typedef struct qpol_type {} qpol_type_t;
|
|
fail:
|
|
return (int)i;
|
|
};
|
|
- int get_ispermissive(qpol_policy_t *p) {
|
|
+ %rename(get_ispermissive) wrap_get_ispermissive;
|
|
+ int wrap_get_ispermissive(qpol_policy_t *p) {
|
|
unsigned char i;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_type_get_ispermissive(p, self, &i)) {
|
|
@@ -803,7 +913,8 @@ typedef struct qpol_type {} qpol_type_t;
|
|
return (int)i;
|
|
};
|
|
%newobject get_type_iter(qpol_policy_t*);
|
|
- qpol_iterator_t *get_type_iter(qpol_policy_t *p) {
|
|
+ %rename(get_type_iter) wrap_get_type_iter;
|
|
+ qpol_iterator_t *wrap_get_type_iter(qpol_policy_t *p) {
|
|
qpol_iterator_t *iter;
|
|
BEGIN_EXCEPTION
|
|
int retv = qpol_type_get_type_iter(p, self, &iter);
|
|
@@ -817,7 +928,8 @@ typedef struct qpol_type {} qpol_type_t;
|
|
return iter;
|
|
};
|
|
%newobject get_attr_iter(qpol_policy_t*);
|
|
- qpol_iterator_t *get_attr_iter(qpol_policy_t *p) {
|
|
+ %rename(get_attr_iter) wrap_get_attr_iter;
|
|
+ qpol_iterator_t *wrap_get_attr_iter(qpol_policy_t *p) {
|
|
qpol_iterator_t *iter;
|
|
BEGIN_EXCEPTION
|
|
int retv = qpol_type_get_attr_iter(p, self, &iter);
|
|
@@ -831,7 +943,8 @@ typedef struct qpol_type {} qpol_type_t;
|
|
return iter;
|
|
};
|
|
%newobject get_alias_iter(qpol_policy_t*);
|
|
- qpol_iterator_t *get_alias_iter(qpol_policy_t *p) {
|
|
+ %rename(get_alias_iter) wrap_get_alias_iter;
|
|
+ qpol_iterator_t *wrap_get_alias_iter(qpol_policy_t *p) {
|
|
qpol_iterator_t *iter;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_type_get_alias_iter(p, self, &iter)) {
|
|
@@ -841,6 +954,18 @@ typedef struct qpol_type {} qpol_type_t;
|
|
fail:
|
|
return iter;
|
|
};
|
|
+ %rename(get_name) wrap_get_name;
|
|
+ const char *wrap_get_name(qpol_policy_t *p) {
|
|
+ BEGIN_EXCEPTION
|
|
+ const char *name;
|
|
+ if (qpol_permissive_get_name(p, self, &name)) {
|
|
+ SWIG_exception(SWIG_ValueError, "Could not get permissive type name");
|
|
+ }
|
|
+ return name;
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return NULL;
|
|
+ };
|
|
};
|
|
%inline %{
|
|
qpol_type_t *qpol_type_from_void(void *x) {
|
|
@@ -851,7 +976,7 @@ typedef struct qpol_type {} qpol_type_t;
|
|
/* qpol role */
|
|
typedef struct qpol_role {} qpol_role_t;
|
|
%extend qpol_role_t {
|
|
- qpol_role_t(qpol_policy_t *p, const char *name) {
|
|
+ qpol_role(qpol_policy_t *p, const char *name) {
|
|
const qpol_role_t *r;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_policy_get_role_by_name(p, name, &r)) {
|
|
@@ -862,11 +987,12 @@ typedef struct qpol_role {} qpol_role_t;
|
|
fail:
|
|
return NULL;
|
|
};
|
|
- ~qpol_role_t() {
|
|
+ ~qpol_role() {
|
|
/* no op */
|
|
return;
|
|
};
|
|
- int get_value (qpol_policy_t *p) {
|
|
+ %rename(get_value) wrap_get_value;
|
|
+ int wrap_get_value (qpol_policy_t *p) {
|
|
uint32_t v;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_role_get_value(p, self, &v)) {
|
|
@@ -876,7 +1002,8 @@ typedef struct qpol_role {} qpol_role_t;
|
|
fail:
|
|
return (int) v;
|
|
};
|
|
- const char *get_name(qpol_policy_t *p) {
|
|
+ %rename(get_name) wrap_get_name;
|
|
+ const char *wrap_get_name(qpol_policy_t *p) {
|
|
const char *name;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_role_get_name(p, self, &name)) {
|
|
@@ -888,7 +1015,8 @@ typedef struct qpol_role {} qpol_role_t;
|
|
return NULL;
|
|
};
|
|
%newobject get_type_iter(qpol_policy_t*);
|
|
- qpol_iterator_t *get_type_iter(qpol_policy_t *p) {
|
|
+ %rename(get_type_iter) wrap_get_type_iter;
|
|
+ qpol_iterator_t *wrap_get_type_iter(qpol_policy_t *p) {
|
|
qpol_iterator_t *iter;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_role_get_type_iter(p, self, &iter)) {
|
|
@@ -899,7 +1027,8 @@ typedef struct qpol_role {} qpol_role_t;
|
|
return iter;
|
|
};
|
|
%newobject get_dominate_iter(qpol_policy_t*);
|
|
- qpol_iterator_t *get_dominate_iter(qpol_policy_t *p) {
|
|
+ %rename(get_dominate_iter) wrap_get_dominate_iter;
|
|
+ qpol_iterator_t *wrap_get_dominate_iter(qpol_policy_t *p) {
|
|
qpol_iterator_t *iter;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_role_get_dominate_iter(p, self, &iter)) {
|
|
@@ -919,7 +1048,7 @@ typedef struct qpol_role {} qpol_role_t;
|
|
/* qpol level */
|
|
typedef struct qpol_level {} qpol_level_t;
|
|
%extend qpol_level_t {
|
|
- qpol_level_t(qpol_policy_t *p, const char *name) {
|
|
+ qpol_level(qpol_policy_t *p, const char *name) {
|
|
const qpol_level_t *l;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_policy_get_level_by_name(p, name, &l)) {
|
|
@@ -930,11 +1059,12 @@ typedef struct qpol_level {} qpol_level_t;
|
|
fail:
|
|
return NULL;
|
|
};
|
|
- ~qpol_level_t() {
|
|
+ ~qpol_level() {
|
|
/* no op */
|
|
return;
|
|
};
|
|
- int get_isalias(qpol_policy_t *p) {
|
|
+ %rename(get_isalias) wrap_get_isalias;
|
|
+ int wrap_get_isalias(qpol_policy_t *p) {
|
|
unsigned char i;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_level_get_isalias(p, self, &i)) {
|
|
@@ -944,7 +1074,8 @@ typedef struct qpol_level {} qpol_level_t;
|
|
fail:
|
|
return (int)i;
|
|
};
|
|
- int get_value(qpol_policy_t *p) {
|
|
+ %rename(get_value) wrap_get_value;
|
|
+ int wrap_get_value(qpol_policy_t *p) {
|
|
uint32_t v;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_level_get_value(p, self, &v)) {
|
|
@@ -954,7 +1085,8 @@ typedef struct qpol_level {} qpol_level_t;
|
|
fail:
|
|
return (int) v;
|
|
};
|
|
- const char *get_name(qpol_policy_t *p) {
|
|
+ %rename(get_name) wrap_get_name;
|
|
+ const char *wrap_get_name(qpol_policy_t *p) {
|
|
const char *name;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_level_get_name(p, self, &name)) {
|
|
@@ -966,7 +1098,8 @@ typedef struct qpol_level {} qpol_level_t;
|
|
return NULL;
|
|
};
|
|
%newobject get_cat_iter(qpol_policy_t*);
|
|
- qpol_iterator_t *get_cat_iter(qpol_policy_t *p) {
|
|
+ %rename(get_cat_iter) wrap_get_cat_iter;
|
|
+ qpol_iterator_t *wrap_get_cat_iter(qpol_policy_t *p) {
|
|
qpol_iterator_t *iter;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_level_get_cat_iter(p, self, &iter)) {
|
|
@@ -977,7 +1110,8 @@ typedef struct qpol_level {} qpol_level_t;
|
|
return iter;
|
|
};
|
|
%newobject get_alias_iter(qpol_policy_t*);
|
|
- qpol_iterator_t *get_alias_iter(qpol_policy_t *p) {
|
|
+ %rename(get_alias_iter) wrap_get_alias_iter;
|
|
+ qpol_iterator_t *wrap_get_alias_iter(qpol_policy_t *p) {
|
|
qpol_iterator_t *iter;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_level_get_alias_iter(p, self, &iter)) {
|
|
@@ -997,7 +1131,7 @@ typedef struct qpol_level {} qpol_level_t;
|
|
/* qpol cat */
|
|
typedef struct qpol_cat {} qpol_cat_t;
|
|
%extend qpol_cat_t {
|
|
- qpol_cat_t(qpol_policy_t *p, const char *name) {
|
|
+ qpol_cat(qpol_policy_t *p, const char *name) {
|
|
const qpol_cat_t *c;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_policy_get_cat_by_name(p, name, &c)) {
|
|
@@ -1008,11 +1142,12 @@ typedef struct qpol_cat {} qpol_cat_t;
|
|
fail:
|
|
return NULL;
|
|
};
|
|
- ~qpol_cat_t() {
|
|
+ ~qpol_cat() {
|
|
/* no op */
|
|
return;
|
|
};
|
|
- int get_isalias(qpol_policy_t *p) {
|
|
+ %rename(get_isalias) wrap_get_isalias;
|
|
+ int wrap_get_isalias(qpol_policy_t *p) {
|
|
unsigned char i;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_cat_get_isalias(p, self, &i)) {
|
|
@@ -1022,7 +1157,8 @@ typedef struct qpol_cat {} qpol_cat_t;
|
|
fail:
|
|
return (int)i;
|
|
};
|
|
- int get_value(qpol_policy_t *p) {
|
|
+ %rename(get_value) wrap_get_value;
|
|
+ int wrap_get_value(qpol_policy_t *p) {
|
|
uint32_t v;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_cat_get_value(p, self, &v)) {
|
|
@@ -1032,7 +1168,8 @@ typedef struct qpol_cat {} qpol_cat_t;
|
|
fail:
|
|
return (int) v;
|
|
};
|
|
- const char *get_name(qpol_policy_t *p) {
|
|
+ %rename(get_name) wrap_get_name;
|
|
+ const char *wrap_get_name(qpol_policy_t *p) {
|
|
const char *name;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_cat_get_name(p, self, &name)) {
|
|
@@ -1044,7 +1181,8 @@ typedef struct qpol_cat {} qpol_cat_t;
|
|
return NULL;
|
|
};
|
|
%newobject get_alias_iter(qpol_policy_t*);
|
|
- qpol_iterator_t *get_alias_iter(qpol_policy_t *p) {
|
|
+ %rename(get_alias_iter) wrap_get_alias_iter;
|
|
+ qpol_iterator_t *wrap_get_alias_iter(qpol_policy_t *p) {
|
|
qpol_iterator_t *iter;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_cat_get_alias_iter(p, self, &iter)) {
|
|
@@ -1064,18 +1202,19 @@ typedef struct qpol_cat {} qpol_cat_t;
|
|
/* qpol mls range */
|
|
typedef struct qpol_mls_range {} qpol_mls_range_t;
|
|
%extend qpol_mls_range_t {
|
|
- qpol_mls_range_t() {
|
|
+ qpol_mls_range() {
|
|
BEGIN_EXCEPTION
|
|
SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_mls_range_t objects");
|
|
END_EXCEPTION
|
|
fail:
|
|
return NULL;
|
|
}
|
|
- ~qpol_mls_range_t() {
|
|
+ ~qpol_mls_range() {
|
|
/* no op */
|
|
return;
|
|
};
|
|
- const qpol_mls_level_t *get_high_level(qpol_policy_t *p) {
|
|
+ %rename(get_high_level) wrap_get_high_level;
|
|
+ const qpol_mls_level_t *wrap_get_high_level(qpol_policy_t *p) {
|
|
const qpol_mls_level_t *l;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_mls_range_get_high_level(p, self, &l)) {
|
|
@@ -1085,7 +1224,8 @@ typedef struct qpol_mls_range {} qpol_mls_range_t;
|
|
fail:
|
|
return l;
|
|
};
|
|
- const qpol_mls_level_t *get_low_level(qpol_policy_t *p) {
|
|
+ %rename(get_low_level) wrap_get_low_level;
|
|
+ const qpol_mls_level_t *wrap_get_low_level(qpol_policy_t *p) {
|
|
const qpol_mls_level_t *l;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_mls_range_get_low_level(p, self, &l)) {
|
|
@@ -1105,18 +1245,19 @@ typedef struct qpol_mls_range {} qpol_mls_range_t;
|
|
/* qpol mls level */
|
|
typedef struct qpol_mls_level {} qpol_mls_level_t;
|
|
%extend qpol_mls_level_t {
|
|
- qpol_mls_level_t() {
|
|
+ qpol_mls_level() {
|
|
BEGIN_EXCEPTION
|
|
SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_mls_level_t objects");
|
|
END_EXCEPTION
|
|
fail:
|
|
return NULL;
|
|
}
|
|
- ~qpol_mls_level_t() {
|
|
+ ~qpol_mls_level() {
|
|
/* no op */
|
|
return;
|
|
};
|
|
- const char *get_sens_name(qpol_policy_t *p) {
|
|
+ %rename(get_sens_name) wrap_get_sens_name;
|
|
+ const char *wrap_get_sens_name(qpol_policy_t *p) {
|
|
const char *name;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_mls_level_get_sens_name(p, self, &name)) {
|
|
@@ -1127,7 +1268,8 @@ typedef struct qpol_mls_level {} qpol_mls_level_t;
|
|
return name;
|
|
};
|
|
%newobject get_cat_iter(qpol_policy_t*);
|
|
- qpol_iterator_t *get_cat_iter(qpol_policy_t *p) {
|
|
+ %rename(get_cat_iter) wrap_get_cat_iter;
|
|
+ qpol_iterator_t *wrap_get_cat_iter(qpol_policy_t *p) {
|
|
qpol_iterator_t *iter;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_mls_level_get_cat_iter(p, self, &iter)) {
|
|
@@ -1147,7 +1289,7 @@ typedef struct qpol_mls_level {} qpol_mls_level_t;
|
|
/* qpol user */
|
|
typedef struct qpol_user {} qpol_user_t;
|
|
%extend qpol_user_t {
|
|
- qpol_user_t(qpol_policy_t *p, const char *name) {
|
|
+ qpol_user(qpol_policy_t *p, const char *name) {
|
|
const qpol_user_t *u;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_policy_get_user_by_name(p, name, &u)) {
|
|
@@ -1158,11 +1300,12 @@ typedef struct qpol_user {} qpol_user_t;
|
|
fail:
|
|
return NULL;
|
|
};
|
|
- ~qpol_user_t() {
|
|
+ ~qpol_user() {
|
|
/* no op */
|
|
return;
|
|
};
|
|
- int get_value(qpol_policy_t *p) {
|
|
+ %rename(get_value) wrap_get_value;
|
|
+ int wrap_get_value(qpol_policy_t *p) {
|
|
uint32_t v;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_user_get_value(p, self, &v)) {
|
|
@@ -1173,7 +1316,8 @@ typedef struct qpol_user {} qpol_user_t;
|
|
return (int) v;
|
|
};
|
|
%newobject get_role_iter(qpol_policy_t*);
|
|
- qpol_iterator_t *get_role_iter(qpol_policy_t *p) {
|
|
+ %rename(get_role_iter) wrap_get_role_iter;
|
|
+ qpol_iterator_t *wrap_get_role_iter(qpol_policy_t *p) {
|
|
qpol_iterator_t *iter;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_user_get_role_iter(p, self, &iter)) {
|
|
@@ -1183,7 +1327,8 @@ typedef struct qpol_user {} qpol_user_t;
|
|
fail:
|
|
return iter;
|
|
};
|
|
- const qpol_mls_range_t *get_range(qpol_policy_t *p) {
|
|
+ %rename(get_range) wrap_get_range;
|
|
+ const qpol_mls_range_t *wrap_get_range(qpol_policy_t *p) {
|
|
const qpol_mls_range_t *r;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_user_get_range(p, self, &r)) {
|
|
@@ -1193,7 +1338,8 @@ typedef struct qpol_user {} qpol_user_t;
|
|
fail:
|
|
return r;
|
|
};
|
|
- const char *get_name(qpol_policy_t *p) {
|
|
+ %rename(get_name) wrap_get_name;
|
|
+ const char *wrap_get_name(qpol_policy_t *p) {
|
|
const char *name;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_user_get_name(p, self, &name)) {
|
|
@@ -1203,7 +1349,8 @@ typedef struct qpol_user {} qpol_user_t;
|
|
fail:
|
|
return name;
|
|
};
|
|
- const qpol_mls_level_t *get_dfltlevel(qpol_policy_t *p) {
|
|
+ %rename(get_dfltlevel) wrap_get_dfltlevel;
|
|
+ const qpol_mls_level_t *wrap_get_dfltlevel(qpol_policy_t *p) {
|
|
const qpol_mls_level_t *l;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_user_get_dfltlevel(p, self, &l)) {
|
|
@@ -1223,7 +1370,7 @@ typedef struct qpol_user {} qpol_user_t;
|
|
/* qpol bool */
|
|
typedef struct qpol_bool {} qpol_bool_t;
|
|
%extend qpol_bool_t {
|
|
- qpol_bool_t(qpol_policy_t *p, const char *name) {
|
|
+ qpol_bool(qpol_policy_t *p, const char *name) {
|
|
qpol_bool_t *b;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_policy_get_bool_by_name(p, name, &b)) {
|
|
@@ -1233,11 +1380,12 @@ typedef struct qpol_bool {} qpol_bool_t;
|
|
fail:
|
|
return b;
|
|
};
|
|
- ~qpol_bool_t() {
|
|
+ ~qpol_bool() {
|
|
/* no op */
|
|
return;
|
|
};
|
|
- int get_value(qpol_policy_t *p) {
|
|
+ %rename(get_value) wrap_get_value;
|
|
+ int wrap_get_value(qpol_policy_t *p) {
|
|
uint32_t v;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_bool_get_value(p, self, &v)) {
|
|
@@ -1247,7 +1395,8 @@ typedef struct qpol_bool {} qpol_bool_t;
|
|
fail:
|
|
return (int) v;
|
|
};
|
|
- int get_state(qpol_policy_t *p) {
|
|
+ %rename(get_state) wrap_get_state;
|
|
+ int wrap_get_state(qpol_policy_t *p) {
|
|
int s;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_bool_get_state(p, self, &s)) {
|
|
@@ -1257,7 +1406,8 @@ typedef struct qpol_bool {} qpol_bool_t;
|
|
fail:
|
|
return s;
|
|
};
|
|
- void set_state(qpol_policy_t *p, int state) {
|
|
+ %rename(set_state) wrap_set_state;
|
|
+ void wrap_set_state(qpol_policy_t *p, int state) {
|
|
BEGIN_EXCEPTION
|
|
if (qpol_bool_set_state(p, self, state)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Error setting boolean state");
|
|
@@ -1266,7 +1416,8 @@ typedef struct qpol_bool {} qpol_bool_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_state_no_eval(qpol_policy_t *p, int state) {
|
|
+ %rename(set_state_no_eval) wrap_set_state_no_eval;
|
|
+ void wrap_set_state_no_eval(qpol_policy_t *p, int state) {
|
|
BEGIN_EXCEPTION
|
|
if (qpol_bool_set_state_no_eval(p, self, state)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Error setting boolean state");
|
|
@@ -1275,7 +1426,8 @@ typedef struct qpol_bool {} qpol_bool_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- const char *get_name(qpol_policy_t *p) {
|
|
+ %rename(get_name) wrap_get_name;
|
|
+ const char *wrap_get_name(qpol_policy_t *p) {
|
|
const char *name;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_bool_get_name(p, self, &name)) {
|
|
@@ -1295,18 +1447,18 @@ typedef struct qpol_bool {} qpol_bool_t;
|
|
/* qpol context */
|
|
typedef struct qpol_context {} qpol_context_t;
|
|
%extend qpol_context_t {
|
|
- qpol_context_t() {
|
|
+ qpol_context() {
|
|
BEGIN_EXCEPTION
|
|
SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_context_t objects");
|
|
END_EXCEPTION
|
|
fail:
|
|
return NULL;
|
|
};
|
|
- ~qpol_context_t() {
|
|
+ ~qpol_context() {
|
|
/* no op */
|
|
return;
|
|
};
|
|
- const qpol_user_t *get_user(qpol_policy_t *p) {
|
|
+ const qpol_user_t *wrap_get_user(qpol_policy_t *p) {
|
|
const qpol_user_t *u;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_context_get_user(p, self, &u)) {
|
|
@@ -1316,7 +1468,7 @@ typedef struct qpol_context {} qpol_context_t;
|
|
fail:
|
|
return u;
|
|
};
|
|
- const qpol_role_t *get_role(qpol_policy_t *p) {
|
|
+ const qpol_role_t *wrap_get_role(qpol_policy_t *p) {
|
|
const qpol_role_t *r;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_context_get_role(p, self, &r)) {
|
|
@@ -1326,7 +1478,7 @@ typedef struct qpol_context {} qpol_context_t;
|
|
fail:
|
|
return r;
|
|
};
|
|
- const qpol_type_t *get_type(qpol_policy_t *p) {
|
|
+ const qpol_type_t *wrap_get_type(qpol_policy_t *p) {
|
|
const qpol_type_t *t;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_context_get_type(p, self, &t)) {
|
|
@@ -1336,7 +1488,7 @@ typedef struct qpol_context {} qpol_context_t;
|
|
fail:
|
|
return t;
|
|
};
|
|
- const qpol_mls_range_t *get_range(qpol_policy_t *p) {
|
|
+ const qpol_mls_range_t *wrap_get_range(qpol_policy_t *p) {
|
|
const qpol_mls_range_t *r;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_context_get_range(p, self, &r)) {
|
|
@@ -1356,7 +1508,7 @@ typedef struct qpol_context {} qpol_context_t;
|
|
/* qpol class */
|
|
typedef struct qpol_class {} qpol_class_t;
|
|
%extend qpol_class_t {
|
|
- qpol_class_t(qpol_policy_t *p, const char *name) {
|
|
+ qpol_class(qpol_policy_t *p, const char *name) {
|
|
const qpol_class_t *c;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_policy_get_class_by_name(p, name, &c)) {
|
|
@@ -1366,11 +1518,12 @@ typedef struct qpol_class {} qpol_class_t;
|
|
fail:
|
|
return (qpol_class_t*)c;
|
|
};
|
|
- ~qpol_class_t() {
|
|
+ ~qpol_class() {
|
|
/* no op */
|
|
return;
|
|
};
|
|
- int get_value(qpol_policy_t *p) {
|
|
+ %rename(get_value) wrap_get_value;
|
|
+ int wrap_get_value(qpol_policy_t *p) {
|
|
uint32_t v;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_class_get_value(p, self, &v)) {
|
|
@@ -1380,7 +1533,8 @@ typedef struct qpol_class {} qpol_class_t;
|
|
fail:
|
|
return (int) v;
|
|
};
|
|
- const qpol_common_t *get_common(qpol_policy_t *p) {
|
|
+ %rename(get_common) wrap_get_common;
|
|
+ const qpol_common_t *wrap_get_common(qpol_policy_t *p) {
|
|
const qpol_common_t *c;
|
|
BEGIN_EXCEPTION
|
|
if(qpol_class_get_common(p, self, &c)) {
|
|
@@ -1391,7 +1545,8 @@ typedef struct qpol_class {} qpol_class_t;
|
|
return c;
|
|
};
|
|
%newobject get_perm_iter(qpol_policy_t*);
|
|
- qpol_iterator_t *get_perm_iter(qpol_policy_t *p) {
|
|
+ %rename(get_perm_iter) wrap_get_perm_iter;
|
|
+ qpol_iterator_t *wrap_get_perm_iter(qpol_policy_t *p) {
|
|
qpol_iterator_t *iter;
|
|
BEGIN_EXCEPTION
|
|
if(qpol_class_get_perm_iter(p, self, &iter)) {
|
|
@@ -1402,7 +1557,8 @@ typedef struct qpol_class {} qpol_class_t;
|
|
return iter;
|
|
};
|
|
%newobject get_constraint_iter(qpol_policy_t*);
|
|
- qpol_iterator_t *get_constraint_iter(qpol_policy_t *p) {
|
|
+ %rename(get_constraint_iter) wrap_get_constraint_iter;
|
|
+ qpol_iterator_t *wrap_get_constraint_iter(qpol_policy_t *p) {
|
|
qpol_iterator_t *iter;
|
|
BEGIN_EXCEPTION
|
|
if(qpol_class_get_constraint_iter(p, self, &iter)) {
|
|
@@ -1413,7 +1569,8 @@ typedef struct qpol_class {} qpol_class_t;
|
|
return iter;
|
|
};
|
|
%newobject get_validatetrans_iter(qpol_policy_t*);
|
|
- qpol_iterator_t *get_validatetrans_iter(qpol_policy_t *p) {
|
|
+ %rename(get_validatetrans_iter) wrap_get_validatetrans_iter;
|
|
+ qpol_iterator_t *wrap_get_validatetrans_iter(qpol_policy_t *p) {
|
|
qpol_iterator_t *iter;
|
|
BEGIN_EXCEPTION
|
|
if(qpol_class_get_validatetrans_iter(p, self, &iter)) {
|
|
@@ -1423,7 +1580,8 @@ typedef struct qpol_class {} qpol_class_t;
|
|
fail:
|
|
return iter;
|
|
};
|
|
- const char *get_name(qpol_policy_t *p) {
|
|
+ %rename(get_name) wrap_get_name;
|
|
+ const char *wrap_get_name(qpol_policy_t *p) {
|
|
const char *name;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_class_get_name(p, self, &name)) {
|
|
@@ -1443,7 +1601,7 @@ typedef struct qpol_class {} qpol_class_t;
|
|
/* qpol common */
|
|
typedef struct qpol_common {} qpol_common_t;
|
|
%extend qpol_common_t {
|
|
- qpol_common_t(qpol_policy_t *p, const char *name) {
|
|
+ qpol_common(qpol_policy_t *p, const char *name) {
|
|
const qpol_common_t *c;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_policy_get_common_by_name(p, name, &c)) {
|
|
@@ -1453,11 +1611,12 @@ typedef struct qpol_common {} qpol_common_t;
|
|
fail:
|
|
return (qpol_common_t*)c;
|
|
};
|
|
- ~qpol_common_t() {
|
|
+ ~qpol_common() {
|
|
/* no op */
|
|
return;
|
|
};
|
|
- int get_value(qpol_policy_t *p) {
|
|
+ %rename(get_value) wrap_get_value;
|
|
+ int wrap_get_value(qpol_policy_t *p) {
|
|
uint32_t v;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_common_get_value(p, self, &v)) {
|
|
@@ -1468,7 +1627,8 @@ typedef struct qpol_common {} qpol_common_t;
|
|
return (int) v;
|
|
};
|
|
%newobject get_perm_iter(qpol_policy_t*);
|
|
- qpol_iterator_t *get_perm_iter(qpol_policy_t *p) {
|
|
+ %rename(get_perm_iter) wrap_get_perm_iter;
|
|
+ qpol_iterator_t *wrap_get_perm_iter(qpol_policy_t *p) {
|
|
qpol_iterator_t *iter;
|
|
BEGIN_EXCEPTION
|
|
if(qpol_common_get_perm_iter(p, self, &iter)) {
|
|
@@ -1478,7 +1638,8 @@ typedef struct qpol_common {} qpol_common_t;
|
|
fail:
|
|
return iter;
|
|
};
|
|
- const char *get_name(qpol_policy_t *p) {
|
|
+ %rename(get_name) wrap_get_name;
|
|
+ const char *wrap_get_name(qpol_policy_t *p) {
|
|
const char *name;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_common_get_name(p, self, &name)) {
|
|
@@ -1516,7 +1677,7 @@ typedef struct qpol_common {} qpol_common_t;
|
|
#endif
|
|
typedef struct qpol_fs_use {} qpol_fs_use_t;
|
|
%extend qpol_fs_use_t {
|
|
- qpol_fs_use_t(qpol_policy_t *p, const char *name) {
|
|
+ qpol_fs_use(qpol_policy_t *p, const char *name) {
|
|
const qpol_fs_use_t *f;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_policy_get_fs_use_by_name(p, name, &f)) {
|
|
@@ -1526,11 +1687,12 @@ typedef struct qpol_fs_use {} qpol_fs_use_t;
|
|
fail:
|
|
return (qpol_fs_use_t*)f;
|
|
};
|
|
- ~qpol_fs_use_t() {
|
|
+ ~qpol_fs_use() {
|
|
/* no op */
|
|
return;
|
|
};
|
|
- const char *get_name(qpol_policy_t *p) {
|
|
+ %rename(get_name) wrap_get_name;
|
|
+ const char *wrap_get_name(qpol_policy_t *p) {
|
|
const char *name;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_fs_use_get_name(p, self, &name)) {
|
|
@@ -1540,7 +1702,8 @@ typedef struct qpol_fs_use {} qpol_fs_use_t;
|
|
fail:
|
|
return name;
|
|
};
|
|
- int get_behavior(qpol_policy_t *p) {
|
|
+ %rename(get_behavior) wrap_get_behavior;
|
|
+ int wrap_get_behavior(qpol_policy_t *p) {
|
|
uint32_t behav;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_fs_use_get_behavior(p, self, &behav)) {
|
|
@@ -1550,7 +1713,8 @@ typedef struct qpol_fs_use {} qpol_fs_use_t;
|
|
fail:
|
|
return (int) behav;
|
|
};
|
|
- const qpol_context_t *get_context(qpol_policy_t *p) {
|
|
+ %rename(get_context) wrap_get_context;
|
|
+ const qpol_context_t *wrap_get_context(qpol_policy_t *p) {
|
|
uint32_t behav;
|
|
const qpol_context_t *ctx = NULL;
|
|
BEGIN_EXCEPTION
|
|
@@ -1594,7 +1758,7 @@ typedef struct qpol_fs_use {} qpol_fs_use_t;
|
|
#endif
|
|
typedef struct qpol_genfscon {} qpol_genfscon_t;
|
|
%extend qpol_genfscon_t {
|
|
- qpol_genfscon_t(qpol_policy_t *p, const char *name, const char *path) {
|
|
+ qpol_genfscon(qpol_policy_t *p, const char *name, const char *path) {
|
|
qpol_genfscon_t *g;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_policy_get_genfscon_by_name(p, name, path, &g)) {
|
|
@@ -1604,10 +1768,11 @@ typedef struct qpol_genfscon {} qpol_genfscon_t;
|
|
fail:
|
|
return g;
|
|
};
|
|
- ~qpol_genfscon_t() {
|
|
+ ~qpol_genfscon() {
|
|
free(self);
|
|
};
|
|
- const char *get_name(qpol_policy_t *p) {
|
|
+ %rename(get_name) wrap_get_name;
|
|
+ const char *wrap_get_name(qpol_policy_t *p) {
|
|
const char *name;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_genfscon_get_name(p, self, &name)) {
|
|
@@ -1617,7 +1782,8 @@ typedef struct qpol_genfscon {} qpol_genfscon_t;
|
|
fail:
|
|
return name;
|
|
};
|
|
- const char *get_path(qpol_policy_t *p) {
|
|
+ %rename(get_path) wrap_get_path;
|
|
+ const char *wrap_get_path(qpol_policy_t *p) {
|
|
const char *path;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_genfscon_get_path(p, self, &path)) {
|
|
@@ -1627,7 +1793,8 @@ typedef struct qpol_genfscon {} qpol_genfscon_t;
|
|
fail:
|
|
return path;
|
|
};
|
|
- int get_class(qpol_policy_t *p) {
|
|
+ %rename(get_class) wrap_get_class;
|
|
+ int wrap_get_class(qpol_policy_t *p) {
|
|
uint32_t cls;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_genfscon_get_class(p, self, &cls)) {
|
|
@@ -1637,7 +1804,8 @@ typedef struct qpol_genfscon {} qpol_genfscon_t;
|
|
fail:
|
|
return (int) cls;
|
|
};
|
|
- const qpol_context_t *get_context(qpol_policy_t *p) {
|
|
+ %rename(get_context) wrap_get_context;
|
|
+ const qpol_context_t *wrap_get_context(qpol_policy_t *p) {
|
|
const qpol_context_t *ctx;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_genfscon_get_context(p, self, &ctx)) {
|
|
@@ -1657,7 +1825,7 @@ typedef struct qpol_genfscon {} qpol_genfscon_t;
|
|
/* qpol isid */
|
|
typedef struct qpol_isid {} qpol_isid_t;
|
|
%extend qpol_isid_t {
|
|
- qpol_isid_t(qpol_policy_t *p, const char *name) {
|
|
+ qpol_isid(qpol_policy_t *p, const char *name) {
|
|
const qpol_isid_t *i;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_policy_get_isid_by_name(p, name, &i)) {
|
|
@@ -1667,11 +1835,12 @@ typedef struct qpol_isid {} qpol_isid_t;
|
|
fail:
|
|
return (qpol_isid_t*)i;
|
|
};
|
|
- ~qpol_isid_t() {
|
|
+ ~qpol_isid() {
|
|
/* no op */
|
|
return;
|
|
};
|
|
- const char *get_name(qpol_policy_t *p) {
|
|
+ %rename(get_name) wrap_get_name;
|
|
+ const char *wrap_get_name(qpol_policy_t *p) {
|
|
const char *name;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_isid_get_name(p, self, &name)) {
|
|
@@ -1681,7 +1850,8 @@ typedef struct qpol_isid {} qpol_isid_t;
|
|
fail:
|
|
return name;
|
|
};
|
|
- const qpol_context_t *get_context(qpol_policy_t *p) {
|
|
+ %rename(get_context) wrap_get_context;
|
|
+ const qpol_context_t *wrap_get_context(qpol_policy_t *p) {
|
|
const qpol_context_t *ctx;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_isid_get_context(p, self, &ctx)) {
|
|
@@ -1701,7 +1871,7 @@ typedef struct qpol_isid {} qpol_isid_t;
|
|
/* qpol netifcon */
|
|
typedef struct qpol_netifcon {} qpol_netifcon_t;
|
|
%extend qpol_netifcon_t {
|
|
- qpol_netifcon_t(qpol_policy_t *p, const char *name) {
|
|
+ qpol_netifcon(qpol_policy_t *p, const char *name) {
|
|
const qpol_netifcon_t *n;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_policy_get_netifcon_by_name(p, name, &n)) {
|
|
@@ -1711,11 +1881,12 @@ typedef struct qpol_netifcon {} qpol_netifcon_t;
|
|
fail:
|
|
return (qpol_netifcon_t*)n;
|
|
};
|
|
- ~qpol_netifcon_t() {
|
|
+ ~qpol_netifcon() {
|
|
/* no op */
|
|
return;
|
|
};
|
|
- const char *get_name(qpol_policy_t *p) {
|
|
+ %rename(get_name) wrap_get_name;
|
|
+ const char *wrap_get_name(qpol_policy_t *p) {
|
|
const char *name;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_netifcon_get_name(p, self, &name)) {
|
|
@@ -1725,7 +1896,8 @@ typedef struct qpol_netifcon {} qpol_netifcon_t;
|
|
fail:
|
|
return name;
|
|
};
|
|
- const qpol_context_t *get_msg_con(qpol_policy_t *p) {
|
|
+ %rename(get_msg_con) wrap_get_msg_con;
|
|
+ const qpol_context_t *wrap_get_msg_con(qpol_policy_t *p) {
|
|
const qpol_context_t *ctx;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_netifcon_get_msg_con(p, self, &ctx)) {
|
|
@@ -1735,7 +1907,8 @@ typedef struct qpol_netifcon {} qpol_netifcon_t;
|
|
fail:
|
|
return ctx;
|
|
};
|
|
- const qpol_context_t *get_if_con(qpol_policy_t *p) {
|
|
+ %rename(get_if_con) wrap_get_if_con;
|
|
+ const qpol_context_t *wrap_get_if_con(qpol_policy_t *p) {
|
|
const qpol_context_t *ctx;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_netifcon_get_if_con(p, self, &ctx)) {
|
|
@@ -1757,7 +1930,7 @@ typedef struct qpol_netifcon {} qpol_netifcon_t;
|
|
#define QPOL_IPV6 1
|
|
typedef struct qpol_nodecon {} qpol_nodecon_t;
|
|
%extend qpol_nodecon_t {
|
|
- qpol_nodecon_t(qpol_policy_t *p, int addr[4], int mask[4], int protocol) {
|
|
+ qpol_nodecon(qpol_policy_t *p, int addr[4], int mask[4], int protocol) {
|
|
uint32_t a[4], m[4];
|
|
qpol_nodecon_t *n;
|
|
BEGIN_EXCEPTION
|
|
@@ -1772,10 +1945,11 @@ typedef struct qpol_nodecon {} qpol_nodecon_t;
|
|
fail:
|
|
return n;
|
|
}
|
|
- ~qpol_nodecon_t() {
|
|
+ ~qpol_nodecon() {
|
|
free(self);
|
|
};
|
|
- uint32_t *get_addr(qpol_policy_t *p) {
|
|
+ %rename(get_addr) wrap_get_addr;
|
|
+ uint32_t *wrap_get_addr(qpol_policy_t *p) {
|
|
uint32_t *a;
|
|
BEGIN_EXCEPTION
|
|
unsigned char proto; /* currently dropped; stores the protocol - call get_protocol() */
|
|
@@ -1786,7 +1960,8 @@ typedef struct qpol_nodecon {} qpol_nodecon_t;
|
|
fail:
|
|
return a;
|
|
};
|
|
- uint32_t *get_mask(qpol_policy_t *p) {
|
|
+ %rename(get_mask) wrap_get_mask;
|
|
+ uint32_t *wrap_get_mask(qpol_policy_t *p) {
|
|
uint32_t *m;
|
|
BEGIN_EXCEPTION
|
|
unsigned char proto; /* currently dropped; stores the protocol - call get_protocol() */
|
|
@@ -1797,7 +1972,8 @@ typedef struct qpol_nodecon {} qpol_nodecon_t;
|
|
fail:
|
|
return m;
|
|
};
|
|
- int get_protocol(qpol_policy_t *p) {
|
|
+ %rename(get_protocol) wrap_get_protocol;
|
|
+ int wrap_get_protocol(qpol_policy_t *p) {
|
|
unsigned char proto;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_nodecon_get_protocol(p, self, &proto)) {
|
|
@@ -1807,7 +1983,8 @@ typedef struct qpol_nodecon {} qpol_nodecon_t;
|
|
fail:
|
|
return proto;
|
|
};
|
|
- const qpol_context_t *get_context(qpol_policy_t *p) {
|
|
+ %rename(get_context) wrap_get_context;
|
|
+ const qpol_context_t *wrap_get_context(qpol_policy_t *p) {
|
|
const qpol_context_t *ctx;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_nodecon_get_context(p, self, &ctx)) {
|
|
@@ -1830,7 +2007,7 @@ typedef struct qpol_nodecon {} qpol_nodecon_t;
|
|
#define IPPROTO_UDP 17
|
|
typedef struct qpol_portcon {} qpol_portcon_t;
|
|
%extend qpol_portcon_t {
|
|
- qpol_portcon_t(qpol_policy_t *p, uint16_t low, uint16_t high, uint8_t protocol) {
|
|
+ qpol_portcon(qpol_policy_t *p, uint16_t low, uint16_t high, uint8_t protocol) {
|
|
const qpol_portcon_t *qp;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_policy_get_portcon_by_port(p, low, high, protocol, &qp)) {
|
|
@@ -1840,11 +2017,12 @@ typedef struct qpol_portcon {} qpol_portcon_t;
|
|
fail:
|
|
return (qpol_portcon_t*)qp;
|
|
};
|
|
- ~qpol_portcon_t() {
|
|
+ ~qpol_portcon() {
|
|
/* no op */
|
|
return;
|
|
};
|
|
- uint16_t get_low_port(qpol_policy_t *p) {
|
|
+ %rename(get_low_port) wrap_get_low_port;
|
|
+ uint16_t wrap_get_low_port(qpol_policy_t *p) {
|
|
uint16_t port = 0;
|
|
BEGIN_EXCEPTION
|
|
if(qpol_portcon_get_low_port(p, self, &port)) {
|
|
@@ -1854,7 +2032,8 @@ typedef struct qpol_portcon {} qpol_portcon_t;
|
|
fail:
|
|
return port;
|
|
};
|
|
- uint16_t get_high_port(qpol_policy_t *p) {
|
|
+ %rename(get_high_port) wrap_get_high_port;
|
|
+ uint16_t wrap_get_high_port(qpol_policy_t *p) {
|
|
uint16_t port = 0;
|
|
BEGIN_EXCEPTION
|
|
if(qpol_portcon_get_high_port(p, self, &port)) {
|
|
@@ -1864,7 +2043,8 @@ typedef struct qpol_portcon {} qpol_portcon_t;
|
|
fail:
|
|
return port;
|
|
};
|
|
- uint8_t get_protocol(qpol_policy_t *p) {
|
|
+ %rename(get_protocol) wrap_get_protocol;
|
|
+ uint8_t wrap_get_protocol(qpol_policy_t *p) {
|
|
uint8_t proto = 0;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_portcon_get_protocol(p, self, &proto)) {
|
|
@@ -1874,7 +2054,8 @@ typedef struct qpol_portcon {} qpol_portcon_t;
|
|
fail:
|
|
return proto;
|
|
};
|
|
- const qpol_context_t *get_context(qpol_policy_t *p) {
|
|
+ %rename(get_context) wrap_get_context;
|
|
+ const qpol_context_t *wrap_get_context(qpol_policy_t *p) {
|
|
const qpol_context_t *ctx;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_portcon_get_context(p, self, &ctx)) {
|
|
@@ -1894,17 +2075,18 @@ typedef struct qpol_portcon {} qpol_portcon_t;
|
|
/* qpol constraint */
|
|
typedef struct qpol_constraint {} qpol_constraint_t;
|
|
%extend qpol_constraint_t {
|
|
- qpol_constraint_t() {
|
|
+ qpol_constraint() {
|
|
BEGIN_EXCEPTION
|
|
SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_constraint_t objects");
|
|
END_EXCEPTION
|
|
fail:
|
|
return NULL;
|
|
};
|
|
- ~qpol_constraint_t() {
|
|
+ ~qpol_constraint() {
|
|
free(self);
|
|
};
|
|
- const qpol_class_t *get_class(qpol_policy_t *p) {
|
|
+ %rename(get_class) wrap_get_class;
|
|
+ const qpol_class_t *wrap_get_class(qpol_policy_t *p) {
|
|
const qpol_class_t *cls;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_constraint_get_class(p, self, &cls)) {
|
|
@@ -1915,7 +2097,8 @@ typedef struct qpol_constraint {} qpol_constraint_t;
|
|
return cls;
|
|
};
|
|
%newobject get_perm_iter(qpol_policy_t*);
|
|
- qpol_iterator_t *get_perm_iter(qpol_policy_t *p) {
|
|
+ %rename(get_perm_iter) wrap_get_perm_iter;
|
|
+ qpol_iterator_t *wrap_get_perm_iter(qpol_policy_t *p) {
|
|
qpol_iterator_t *iter;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_constraint_get_perm_iter(p, self, &iter)) {
|
|
@@ -1926,7 +2109,8 @@ typedef struct qpol_constraint {} qpol_constraint_t;
|
|
return iter;
|
|
};
|
|
%newobject get_expr_iter(qpol_policy_t*);
|
|
- qpol_iterator_t *get_expr_iter(qpol_policy_t *p) {
|
|
+ %rename(get_expr_iter) wrap_get_expr_iter;
|
|
+ qpol_iterator_t *wrap_get_expr_iter(qpol_policy_t *p) {
|
|
qpol_iterator_t *iter;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_constraint_get_expr_iter(p, self, &iter)) {
|
|
@@ -1946,17 +2130,18 @@ typedef struct qpol_constraint {} qpol_constraint_t;
|
|
/* qpol validatetrans */
|
|
typedef struct qpol_validatetrans {} qpol_validatetrans_t;
|
|
%extend qpol_validatetrans_t {
|
|
- qpol_validatetrans_t() {
|
|
+ qpol_validatetrans() {
|
|
BEGIN_EXCEPTION
|
|
SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_validatetrans_t objects");
|
|
END_EXCEPTION
|
|
fail:
|
|
return NULL;
|
|
};
|
|
- ~qpol_validatetrans_t() {
|
|
+ ~qpol_validatetrans() {
|
|
free(self);
|
|
};
|
|
- const qpol_class_t *get_class(qpol_policy_t *p) {
|
|
+ %rename(get_class) wrap_get_class;
|
|
+ const qpol_class_t *wrap_get_class(qpol_policy_t *p) {
|
|
const qpol_class_t *cls;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_validatetrans_get_class(p, self, &cls)) {
|
|
@@ -1967,7 +2152,8 @@ typedef struct qpol_validatetrans {} qpol_validatetrans_t;
|
|
return cls;
|
|
};
|
|
%newobject get_expr_iter(qpol_policy_t*);
|
|
- qpol_iterator_t *get_expr_iter(qpol_policy_t *p) {
|
|
+ %rename(get_expr_iter) wrap_get_expr_iter;
|
|
+ qpol_iterator_t *wrap_get_expr_iter(qpol_policy_t *p) {
|
|
qpol_iterator_t *iter;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_validatetrans_get_expr_iter(p, self, &iter)) {
|
|
@@ -2011,18 +2197,19 @@ typedef struct qpol_validatetrans {} qpol_validatetrans_t;
|
|
#define QPOL_CEXPR_OP_INCOMP 5
|
|
typedef struct qpol_constraint_expr_node {} qpol_constraint_expr_node_t;
|
|
%extend qpol_constraint_expr_node_t {
|
|
- qpol_constraint_expr_node_t() {
|
|
+ qpol_constraint_expr_node() {
|
|
BEGIN_EXCEPTION
|
|
SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_constraint_expr_node_t objects");
|
|
END_EXCEPTION
|
|
fail:
|
|
return NULL;
|
|
};
|
|
- ~qpol_constraint_expr_node_t() {
|
|
+ ~qpol_constraint_expr_node() {
|
|
/* no op */
|
|
return;
|
|
};
|
|
- int get_expr_type(qpol_policy_t *p) {
|
|
+ %rename(get_expr_type) wrap_get_expr_type;
|
|
+ int wrap_get_expr_type(qpol_policy_t *p) {
|
|
uint32_t et;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_constraint_expr_node_get_expr_type(p, self, &et)) {
|
|
@@ -2032,7 +2219,8 @@ typedef struct qpol_constraint_expr_node {} qpol_constraint_expr_node_t;
|
|
fail:
|
|
return (int) et;
|
|
};
|
|
- int get_sym_type(qpol_policy_t *p) {
|
|
+ %rename(get_sym_type) wrap_get_sym_type;
|
|
+ int wrap_get_sym_type(qpol_policy_t *p) {
|
|
uint32_t st;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_constraint_expr_node_get_sym_type(p, self, &st)) {
|
|
@@ -2042,7 +2230,8 @@ typedef struct qpol_constraint_expr_node {} qpol_constraint_expr_node_t;
|
|
fail:
|
|
return (int) st;
|
|
};
|
|
- int get_op(qpol_policy_t *p) {
|
|
+ %rename(get_op) wrap_get_op;
|
|
+ int wrap_get_op(qpol_policy_t *p) {
|
|
uint32_t op;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_constraint_expr_node_get_op(p, self, &op)) {
|
|
@@ -2053,7 +2242,8 @@ typedef struct qpol_constraint_expr_node {} qpol_constraint_expr_node_t;
|
|
return (int) op;
|
|
};
|
|
%newobject get_names_iter(qpol_policy_t*);
|
|
- qpol_iterator_t *get_names_iter(qpol_policy_t *p) {
|
|
+ %rename(get_names_iter) wrap_get_names_iter;
|
|
+ qpol_iterator_t *wrap_get_names_iter(qpol_policy_t *p) {
|
|
qpol_iterator_t *iter;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_constraint_expr_node_get_names_iter(p, self, &iter)) {
|
|
@@ -2073,18 +2263,19 @@ typedef struct qpol_constraint_expr_node {} qpol_constraint_expr_node_t;
|
|
/* qpol role allow */
|
|
typedef struct qpol_role_allow {} qpol_role_allow_t;
|
|
%extend qpol_role_allow_t {
|
|
- qpol_role_allow_t() {
|
|
+ qpol_role_allow() {
|
|
BEGIN_EXCEPTION
|
|
SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_role_allow_t objects");
|
|
END_EXCEPTION
|
|
fail:
|
|
return NULL;
|
|
};
|
|
- ~qpol_role_allow_t() {
|
|
+ ~qpol_role_allow() {
|
|
/* no op */
|
|
return;
|
|
};
|
|
- const qpol_role_t *get_source_role(qpol_policy_t *p) {
|
|
+ %rename(get_source_role) wrap_get_source_role;
|
|
+ const qpol_role_t *wrap_get_source_role(qpol_policy_t *p) {
|
|
const qpol_role_t *r;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_role_allow_get_source_role(p, self, &r)) {
|
|
@@ -2094,7 +2285,8 @@ typedef struct qpol_role_allow {} qpol_role_allow_t;
|
|
fail:
|
|
return r;
|
|
};
|
|
- const qpol_role_t *get_target_role(qpol_policy_t *p) {
|
|
+ %rename(get_target_role) wrap_get_target_role;
|
|
+ const qpol_role_t *wrap_get_target_role(qpol_policy_t *p) {
|
|
const qpol_role_t *r;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_role_allow_get_target_role(p, self, &r)) {
|
|
@@ -2114,18 +2306,19 @@ typedef struct qpol_role_allow {} qpol_role_allow_t;
|
|
/* qpol role trans */
|
|
typedef struct qpol_role_trans {} qpol_role_trans_t;
|
|
%extend qpol_role_trans_t {
|
|
- qpol_role_trans_t() {
|
|
+ qpol_role_trans() {
|
|
BEGIN_EXCEPTION
|
|
SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_role_trans_t objects");
|
|
END_EXCEPTION
|
|
fail:
|
|
return NULL;
|
|
};
|
|
- ~qpol_role_trans_t() {
|
|
+ ~qpol_role_trans() {
|
|
/* no op */
|
|
return;
|
|
};
|
|
- const qpol_role_t *get_source_role(qpol_policy_t *p) {
|
|
+ %rename(get_source_role) wrap_get_source_role;
|
|
+ const qpol_role_t *wrap_get_source_role(qpol_policy_t *p) {
|
|
const qpol_role_t *r;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_role_trans_get_source_role(p, self, &r)) {
|
|
@@ -2135,7 +2328,8 @@ typedef struct qpol_role_trans {} qpol_role_trans_t;
|
|
fail:
|
|
return r;
|
|
};
|
|
- const qpol_type_t *get_target_type(qpol_policy_t *p) {
|
|
+ %rename(get_target_type) wrap_get_target_type;
|
|
+ const qpol_type_t *wrap_get_target_type(qpol_policy_t *p) {
|
|
const qpol_type_t *t;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_role_trans_get_target_type(p, self, &t)) {
|
|
@@ -2145,7 +2339,19 @@ typedef struct qpol_role_trans {} qpol_role_trans_t;
|
|
fail:
|
|
return t;
|
|
};
|
|
- const qpol_role_t *get_default_role(qpol_policy_t *p) {
|
|
+ %rename(get_object_class) wrap_get_object_class;
|
|
+ const qpol_class_t *wrap_get_object_class(qpol_policy_t *p) {
|
|
+ const qpol_class_t *c;
|
|
+ BEGIN_EXCEPTION
|
|
+ if (qpol_role_trans_get_object_class(p, self, &c)) {
|
|
+ SWIG_exception(SWIG_ValueError, "Could not get class for role_transition rule");
|
|
+ }
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return c;
|
|
+ };
|
|
+ %rename(get_default_role) wrap_get_default_role;
|
|
+ const qpol_role_t *wrap_get_default_role(qpol_policy_t *p) {
|
|
const qpol_role_t *r;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_role_trans_get_default_role(p, self, &r)) {
|
|
@@ -2165,18 +2371,19 @@ typedef struct qpol_role_trans {} qpol_role_trans_t;
|
|
/* qpol range trans */
|
|
typedef struct qpol_range_trans {} qpol_range_trans_t;
|
|
%extend qpol_range_trans_t {
|
|
- qpol_range_trans_t() {
|
|
+ qpol_range_trans() {
|
|
BEGIN_EXCEPTION
|
|
SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_range_trans_t objects");
|
|
END_EXCEPTION
|
|
fail:
|
|
return NULL;
|
|
};
|
|
- ~qpol_range_trans_t() {
|
|
+ ~qpol_range_trans() {
|
|
/* no op */
|
|
return;
|
|
};
|
|
- const qpol_type_t *get_source_type (qpol_policy_t *p) {
|
|
+ %rename(get_source_type) wrap_get_source_type;
|
|
+ const qpol_type_t *wrap_get_source_type (qpol_policy_t *p) {
|
|
const qpol_type_t *t;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_range_trans_get_source_type(p, self, &t)) {
|
|
@@ -2186,7 +2393,8 @@ typedef struct qpol_range_trans {} qpol_range_trans_t;
|
|
fail:
|
|
return t;
|
|
};
|
|
- const qpol_type_t *get_target_type (qpol_policy_t *p) {
|
|
+ %rename(get_target_type) wrap_get_target_type;
|
|
+ const qpol_type_t *wrap_get_target_type (qpol_policy_t *p) {
|
|
const qpol_type_t *t;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_range_trans_get_target_type(p, self, &t)) {
|
|
@@ -2195,7 +2403,8 @@ typedef struct qpol_range_trans {} qpol_range_trans_t;
|
|
fail:
|
|
return t;
|
|
};
|
|
- const qpol_class_t *get_target_class(qpol_policy_t *p) {
|
|
+ %rename(get_target_class) wrap_get_target_class;
|
|
+ const qpol_class_t *wrap_get_target_class(qpol_policy_t *p) {
|
|
const qpol_class_t *cls;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_range_trans_get_target_class(p, self, &cls)) {
|
|
@@ -2204,7 +2413,8 @@ typedef struct qpol_range_trans {} qpol_range_trans_t;
|
|
fail:
|
|
return cls;
|
|
};
|
|
- const qpol_mls_range_t *get_range(qpol_policy_t *p) {
|
|
+ %rename(get_range) wrap_get_range;
|
|
+ const qpol_mls_range_t *wrap_get_range(qpol_policy_t *p) {
|
|
const qpol_mls_range_t *r;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_range_trans_get_range(p, self, &r)) {
|
|
@@ -2228,18 +2438,19 @@ typedef struct qpol_range_trans {} qpol_range_trans_t;
|
|
#define QPOL_RULE_DONTAUDIT 4
|
|
typedef struct qpol_avrule {} qpol_avrule_t;
|
|
%extend qpol_avrule_t {
|
|
- qpol_avrule_t() {
|
|
+ qpol_avrule() {
|
|
BEGIN_EXCEPTION
|
|
SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_avrule_t objects");
|
|
END_EXCEPTION
|
|
fail:
|
|
return NULL;
|
|
};
|
|
- ~qpol_avrule_t() {
|
|
+ ~qpol_avrule() {
|
|
/* no op */
|
|
return;
|
|
};
|
|
- int get_rule_type(qpol_policy_t *p) {
|
|
+ %rename(get_rule_type) wrap_get_rule_type;
|
|
+ int wrap_get_rule_type(qpol_policy_t *p) {
|
|
uint32_t rt;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_avrule_get_rule_type(p, self, &rt)) {
|
|
@@ -2249,7 +2460,8 @@ typedef struct qpol_avrule {} qpol_avrule_t;
|
|
fail:
|
|
return (int) rt;
|
|
};
|
|
- const qpol_type_t *get_source_type(qpol_policy_t *p) {
|
|
+ %rename(get_source_type) wrap_get_source_type;
|
|
+ const qpol_type_t *wrap_get_source_type(qpol_policy_t *p) {
|
|
const qpol_type_t *t;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_avrule_get_source_type(p, self, &t)) {
|
|
@@ -2259,7 +2471,8 @@ typedef struct qpol_avrule {} qpol_avrule_t;
|
|
fail:
|
|
return t;
|
|
};
|
|
- const qpol_type_t *get_target_type(qpol_policy_t *p) {
|
|
+ %rename(get_target_type) wrap_get_target_type;
|
|
+ const qpol_type_t *wrap_get_target_type(qpol_policy_t *p) {
|
|
const qpol_type_t *t;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_avrule_get_target_type(p, self, &t)) {
|
|
@@ -2269,7 +2482,8 @@ typedef struct qpol_avrule {} qpol_avrule_t;
|
|
fail:
|
|
return t;
|
|
};
|
|
- const qpol_class_t *get_object_class(qpol_policy_t *p) {
|
|
+ %rename(get_object_class) wrap_get_object_class;
|
|
+ const qpol_class_t *wrap_get_object_class(qpol_policy_t *p) {
|
|
const qpol_class_t *cls;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_avrule_get_object_class(p, self, &cls)) {
|
|
@@ -2280,7 +2494,8 @@ typedef struct qpol_avrule {} qpol_avrule_t;
|
|
return cls;
|
|
};
|
|
%newobject get_perm_iter(qpol_policy_t *p);
|
|
- qpol_iterator_t *get_perm_iter(qpol_policy_t *p) {
|
|
+ %rename(get_perm_iter) wrap_get_perm_iter;
|
|
+ qpol_iterator_t *wrap_get_perm_iter(qpol_policy_t *p) {
|
|
qpol_iterator_t *iter;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_avrule_get_perm_iter(p, self, &iter)) {
|
|
@@ -2290,7 +2505,8 @@ typedef struct qpol_avrule {} qpol_avrule_t;
|
|
fail:
|
|
return iter;
|
|
};
|
|
- const qpol_cond_t *get_cond(qpol_policy_t *p) {
|
|
+ %rename(get_cond) wrap_get_cond;
|
|
+ const qpol_cond_t *wrap_get_cond(qpol_policy_t *p) {
|
|
const qpol_cond_t *c;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_avrule_get_cond(p, self, &c)) {
|
|
@@ -2300,7 +2516,8 @@ typedef struct qpol_avrule {} qpol_avrule_t;
|
|
fail:
|
|
return c;
|
|
};
|
|
- int get_is_enabled(qpol_policy_t *p) {
|
|
+ %rename(get_is_enabled) wrap_get_is_enabled;
|
|
+ int wrap_get_is_enabled(qpol_policy_t *p) {
|
|
uint32_t e;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_avrule_get_is_enabled(p, self, &e)) {
|
|
@@ -2310,7 +2527,8 @@ typedef struct qpol_avrule {} qpol_avrule_t;
|
|
fail:
|
|
return (int) e;
|
|
};
|
|
- int get_which_list(qpol_policy_t *p) {
|
|
+ %rename(get_which_list) wrap_get_which_list;
|
|
+ int wrap_get_which_list(qpol_policy_t *p) {
|
|
const qpol_cond_t *c;
|
|
uint32_t which = 0;
|
|
BEGIN_EXCEPTION
|
|
@@ -2325,7 +2543,8 @@ typedef struct qpol_avrule {} qpol_avrule_t;
|
|
return (int) which;
|
|
};
|
|
%newobject get_syn_avrule_iter(qpol_policy_t*);
|
|
- qpol_iterator_t *get_syn_avrule_iter(qpol_policy_t *p) {
|
|
+ %rename(get_syn_avrule_iter) wrap_get_syn_avrule_iter;
|
|
+ qpol_iterator_t *wrap_get_syn_avrule_iter(qpol_policy_t *p) {
|
|
qpol_iterator_t *iter;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_avrule_get_syn_avrule_iter(p, self, &iter)) {
|
|
@@ -2348,18 +2567,19 @@ typedef struct qpol_avrule {} qpol_avrule_t;
|
|
#define QPOL_RULE_TYPE_MEMBER 32
|
|
typedef struct qpol_terule {} qpol_terule_t;
|
|
%extend qpol_terule_t {
|
|
- qpol_terule_t() {
|
|
+ qpol_terule() {
|
|
BEGIN_EXCEPTION
|
|
SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_terule_t objects");
|
|
END_EXCEPTION
|
|
fail:
|
|
return NULL;
|
|
};
|
|
- ~qpol_terule_t() {
|
|
+ ~qpol_terule() {
|
|
/* no op */
|
|
return;
|
|
};
|
|
- int get_rule_type(qpol_policy_t *p) {
|
|
+ %rename(get_rule_type) wrap_get_rule_type;
|
|
+ int wrap_get_rule_type(qpol_policy_t *p) {
|
|
uint32_t rt;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_terule_get_rule_type(p, self, &rt)) {
|
|
@@ -2369,7 +2589,8 @@ typedef struct qpol_terule {} qpol_terule_t;
|
|
fail:
|
|
return (int) rt;
|
|
};
|
|
- const qpol_type_t *get_source_type(qpol_policy_t *p) {
|
|
+ %rename(get_source_type) wrap_get_source_type;
|
|
+ const qpol_type_t *wrap_get_source_type(qpol_policy_t *p) {
|
|
const qpol_type_t *t;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_terule_get_source_type(p, self, &t)) {
|
|
@@ -2379,7 +2600,8 @@ typedef struct qpol_terule {} qpol_terule_t;
|
|
fail:
|
|
return t;
|
|
};
|
|
- const qpol_type_t *get_target_type(qpol_policy_t *p) {
|
|
+ %rename(get_target_type) wrap_get_target_type;
|
|
+ const qpol_type_t *wrap_get_target_type(qpol_policy_t *p) {
|
|
const qpol_type_t *t;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_terule_get_target_type(p, self, &t)) {
|
|
@@ -2389,7 +2611,8 @@ typedef struct qpol_terule {} qpol_terule_t;
|
|
fail:
|
|
return t;
|
|
};
|
|
- const qpol_class_t *get_object_class(qpol_policy_t *p) {
|
|
+ %rename(get_object_class) wrap_get_object_class;
|
|
+ const qpol_class_t *wrap_get_object_class(qpol_policy_t *p) {
|
|
const qpol_class_t *cls;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_terule_get_object_class(p, self, &cls)) {
|
|
@@ -2399,7 +2622,8 @@ typedef struct qpol_terule {} qpol_terule_t;
|
|
fail:
|
|
return cls;
|
|
};
|
|
- const qpol_type_t *get_default_type(qpol_policy_t *p) {
|
|
+ %rename(get_default_type) wrap_get_default_type;
|
|
+ const qpol_type_t *wrap_get_default_type(qpol_policy_t *p) {
|
|
const qpol_type_t *t;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_terule_get_default_type(p, self, &t)) {
|
|
@@ -2409,7 +2633,8 @@ typedef struct qpol_terule {} qpol_terule_t;
|
|
fail:
|
|
return t;
|
|
};
|
|
- const qpol_cond_t *get_cond(qpol_policy_t *p) {
|
|
+ %rename(get_cond) wrap_get_cond;
|
|
+ const qpol_cond_t *wrap_get_cond(qpol_policy_t *p) {
|
|
const qpol_cond_t *c;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_terule_get_cond(p, self, &c)) {
|
|
@@ -2419,7 +2644,8 @@ typedef struct qpol_terule {} qpol_terule_t;
|
|
fail:
|
|
return c;
|
|
};
|
|
- int get_is_enabled(qpol_policy_t *p) {
|
|
+ %rename(get_is_enabled) wrap_get_is_enabled;
|
|
+ int wrap_get_is_enabled(qpol_policy_t *p) {
|
|
uint32_t e;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_terule_get_is_enabled(p, self, &e)) {
|
|
@@ -2429,7 +2655,8 @@ typedef struct qpol_terule {} qpol_terule_t;
|
|
fail:
|
|
return (int) e;
|
|
};
|
|
- int get_which_list(qpol_policy_t *p) {
|
|
+ %rename(get_which_list) wrap_get_which_list;
|
|
+ int wrap_get_which_list(qpol_policy_t *p) {
|
|
const qpol_cond_t *c;
|
|
uint32_t which = 0;
|
|
BEGIN_EXCEPTION
|
|
@@ -2444,7 +2671,8 @@ typedef struct qpol_terule {} qpol_terule_t;
|
|
return (int) which;
|
|
};
|
|
%newobject get_syn_terule_iter(qpol_policy_t*);
|
|
- qpol_iterator_t *get_syn_terule_iter(qpol_policy_t *p) {
|
|
+ %rename(get_syn_terule_iter) wrap_get_syn_terule_iter;
|
|
+ qpol_iterator_t *wrap_get_syn_terule_iter(qpol_policy_t *p) {
|
|
qpol_iterator_t *iter;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_terule_get_syn_terule_iter(p, self, &iter)) {
|
|
@@ -2464,19 +2692,20 @@ typedef struct qpol_terule {} qpol_terule_t;
|
|
/* qpol conditional */
|
|
typedef struct qpol_cond {} qpol_cond_t;
|
|
%extend qpol_cond_t {
|
|
- qpol_cond_t() {
|
|
+ qpol_cond() {
|
|
BEGIN_EXCEPTION
|
|
SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_cond_t objects");
|
|
END_EXCEPTION
|
|
fail:
|
|
return NULL;
|
|
};
|
|
- ~qpol_cond_t() {
|
|
+ ~qpol_cond() {
|
|
/* no op */
|
|
return;
|
|
};
|
|
%newobject get_expr_node_iter(qpol_policy_t*);
|
|
- qpol_iterator_t *get_expr_node_iter(qpol_policy_t *p) {
|
|
+ %rename(get_expr_node_iter) wrap_get_expr_node_iter;
|
|
+ qpol_iterator_t *wrap_get_expr_node_iter(qpol_policy_t *p) {
|
|
qpol_iterator_t *iter;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_cond_get_expr_node_iter(p, self, &iter)) {
|
|
@@ -2487,7 +2716,8 @@ typedef struct qpol_cond {} qpol_cond_t;
|
|
return iter;
|
|
};
|
|
%newobject get_av_true_iter(qpol_policy_t*, int);
|
|
- qpol_iterator_t *get_av_true_iter(qpol_policy_t *p, int rule_types) {
|
|
+ %rename(get_av_true_iter) wrap_get_av_true_iter;
|
|
+ qpol_iterator_t *wrap_get_av_true_iter(qpol_policy_t *p, int rule_types) {
|
|
qpol_iterator_t *iter;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_cond_get_av_true_iter(p, self, rule_types, &iter)) {
|
|
@@ -2498,7 +2728,8 @@ typedef struct qpol_cond {} qpol_cond_t;
|
|
return iter;
|
|
};
|
|
%newobject get_av_false_iter(qpol_policy_t*, int);
|
|
- qpol_iterator_t *get_av_false_iter(qpol_policy_t *p, int rule_types) {
|
|
+ %rename(get_av_false_iter) wrap_get_av_false_iter;
|
|
+ qpol_iterator_t *wrap_get_av_false_iter(qpol_policy_t *p, int rule_types) {
|
|
qpol_iterator_t *iter;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_cond_get_av_false_iter(p, self, rule_types, &iter)) {
|
|
@@ -2509,7 +2740,8 @@ typedef struct qpol_cond {} qpol_cond_t;
|
|
return iter;
|
|
};
|
|
%newobject get_te_true_iter(qpol_policy_t*, int);
|
|
- qpol_iterator_t *get_te_true_iter(qpol_policy_t *p, int rule_types) {
|
|
+ %rename(get_te_true_iter) wrap_get_te_true_iter;
|
|
+ qpol_iterator_t *wrap_get_te_true_iter(qpol_policy_t *p, int rule_types) {
|
|
qpol_iterator_t *iter;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_cond_get_te_true_iter(p, self, rule_types, &iter)) {
|
|
@@ -2520,7 +2752,8 @@ typedef struct qpol_cond {} qpol_cond_t;
|
|
return iter;
|
|
};
|
|
%newobject get_te_false_iter(qpol_policy_t*, int);
|
|
- qpol_iterator_t *get_te_false_iter(qpol_policy_t *p, int rule_types) {
|
|
+ %rename(get_te_false_iter) wrap_get_te_false_iter;
|
|
+ qpol_iterator_t *wrap_get_te_false_iter(qpol_policy_t *p, int rule_types) {
|
|
qpol_iterator_t *iter;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_cond_get_te_false_iter(p, self, rule_types, &iter)) {
|
|
@@ -2530,7 +2763,8 @@ typedef struct qpol_cond {} qpol_cond_t;
|
|
fail:
|
|
return iter;
|
|
};
|
|
- int eval(qpol_policy_t *p) {
|
|
+ %rename(eval) wrap_eval;
|
|
+ int wrap_eval(qpol_policy_t *p) {
|
|
uint32_t e;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_cond_eval(p, self, &e)) {
|
|
@@ -2557,18 +2791,19 @@ typedef struct qpol_cond {} qpol_cond_t;
|
|
#define QPOL_COND_EXPR_NEQ 7 /* bool != bool */
|
|
typedef struct qpol_cond_expr_node {} qpol_cond_expr_node_t;
|
|
%extend qpol_cond_expr_node_t {
|
|
- qpol_cond_expr_node_t() {
|
|
+ qpol_cond_expr_node() {
|
|
BEGIN_EXCEPTION
|
|
SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_cond_expr_node_t objects");
|
|
END_EXCEPTION
|
|
fail:
|
|
return NULL;
|
|
};
|
|
- ~qpol_cond_expr_node_t() {
|
|
+ ~qpol_cond_expr_node() {
|
|
/* no op */
|
|
return;
|
|
};
|
|
- int get_expr_type(qpol_policy_t *p) {
|
|
+ %rename(get_expr_type) wrap_get_expr_type;
|
|
+ int wrap_get_expr_type(qpol_policy_t *p) {
|
|
uint32_t et;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_cond_expr_node_get_expr_type(p, self, &et)) {
|
|
@@ -2578,7 +2813,8 @@ typedef struct qpol_cond_expr_node {} qpol_cond_expr_node_t;
|
|
fail:
|
|
return (int) et;
|
|
};
|
|
- qpol_bool_t *get_bool(qpol_policy_t *p) {
|
|
+ %rename(get_bool) wrap_get_bool;
|
|
+ qpol_bool_t *wrap_get_bool(qpol_policy_t *p) {
|
|
uint32_t et;
|
|
qpol_bool_t *b = NULL;
|
|
BEGIN_EXCEPTION
|
|
@@ -2602,19 +2838,20 @@ typedef struct qpol_cond_expr_node {} qpol_cond_expr_node_t;
|
|
/* qpol type set */
|
|
typedef struct qpol_type_set {} qpol_type_set_t;
|
|
%extend qpol_type_set_t {
|
|
- qpol_type_set_t() {
|
|
+ qpol_type_set() {
|
|
BEGIN_EXCEPTION
|
|
SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_type_set_t objects");
|
|
END_EXCEPTION
|
|
fail:
|
|
return NULL;
|
|
};
|
|
- ~qpol_type_set_t() {
|
|
+ ~qpol_type_set() {
|
|
/* no op */
|
|
return;
|
|
};
|
|
%newobject get_included_types_iter(qpol_policy_t*);
|
|
- qpol_iterator_t *get_included_types_iter(qpol_policy_t *p) {
|
|
+ %rename(get_included_types_iter) wrap_get_included_types_iter;
|
|
+ qpol_iterator_t *wrap_get_included_types_iter(qpol_policy_t *p) {
|
|
qpol_iterator_t *iter;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_type_set_get_included_types_iter(p, self, &iter)) {
|
|
@@ -2625,7 +2862,8 @@ typedef struct qpol_type_set {} qpol_type_set_t;
|
|
return iter;
|
|
};
|
|
%newobject get_subtracted_types_iter(qpol_policy_t*);
|
|
- qpol_iterator_t *get_subtracted_types_iter(qpol_policy_t *p) {
|
|
+ %rename(get_subtracted_types_iter) wrap_get_subtracted_types_iter;
|
|
+ qpol_iterator_t *wrap_get_subtracted_types_iter(qpol_policy_t *p) {
|
|
qpol_iterator_t *iter;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_type_set_get_subtracted_types_iter(p, self, &iter)) {
|
|
@@ -2635,7 +2873,8 @@ typedef struct qpol_type_set {} qpol_type_set_t;
|
|
fail:
|
|
return iter;
|
|
};
|
|
- int get_is_star(qpol_policy_t *p) {
|
|
+ %rename(get_is_star) wrap_get_is_star;
|
|
+ int wrap_get_is_star(qpol_policy_t *p) {
|
|
uint32_t s;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_type_set_get_is_star(p, self, &s)) {
|
|
@@ -2645,7 +2884,8 @@ typedef struct qpol_type_set {} qpol_type_set_t;
|
|
fail:
|
|
return (int) s;
|
|
};
|
|
- int get_is_comp(qpol_policy_t *p) {
|
|
+ %rename(get_is_comp) wrap_get_is_comp;
|
|
+ int wrap_get_is_comp(qpol_policy_t *p) {
|
|
uint32_t c;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_type_set_get_is_comp(p, self, &c)) {
|
|
@@ -2665,18 +2905,19 @@ typedef struct qpol_type_set {} qpol_type_set_t;
|
|
/* qpol syn av rule */
|
|
typedef struct qpol_syn_avrule {} qpol_syn_avrule_t;
|
|
%extend qpol_syn_avrule_t {
|
|
- qpol_syn_avrule_t() {
|
|
+ qpol_syn_avrule() {
|
|
BEGIN_EXCEPTION
|
|
SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_syn_avrule_t objects");
|
|
END_EXCEPTION
|
|
fail:
|
|
return NULL;
|
|
};
|
|
- ~qpol_syn_avrule_t() {
|
|
+ ~qpol_syn_avrule() {
|
|
/* no op */
|
|
return;
|
|
};
|
|
- int get_rule_type(qpol_policy_t *p) {
|
|
+ %rename(get_rule_type) wrap_get_rule_type;
|
|
+ int wrap_get_rule_type(qpol_policy_t *p) {
|
|
uint32_t rt;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_syn_avrule_get_rule_type(p, self, &rt)) {
|
|
@@ -2686,7 +2927,8 @@ typedef struct qpol_syn_avrule {} qpol_syn_avrule_t;
|
|
fail:
|
|
return (int) rt;
|
|
};
|
|
- const qpol_type_set_t *get_source_type_set(qpol_policy_t *p) {
|
|
+ %rename(get_source_type_set) wrap_get_source_type_set;
|
|
+ const qpol_type_set_t *wrap_get_source_type_set(qpol_policy_t *p) {
|
|
const qpol_type_set_t *ts;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_syn_avrule_get_source_type_set(p, self, &ts)) {
|
|
@@ -2696,7 +2938,8 @@ typedef struct qpol_syn_avrule {} qpol_syn_avrule_t;
|
|
fail:
|
|
return ts;
|
|
};
|
|
- const qpol_type_set_t *get_target_type_set(qpol_policy_t *p) {
|
|
+ %rename(get_target_type_set) wrap_get_target_type_set;
|
|
+ const qpol_type_set_t *wrap_get_target_type_set(qpol_policy_t *p) {
|
|
const qpol_type_set_t *ts;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_syn_avrule_get_target_type_set(p, self, &ts)) {
|
|
@@ -2706,7 +2949,8 @@ typedef struct qpol_syn_avrule {} qpol_syn_avrule_t;
|
|
fail:
|
|
return ts;
|
|
};
|
|
- int get_is_target_self(qpol_policy_t *p) {
|
|
+ %rename(get_is_target_self) wrap_get_is_target_self;
|
|
+ int wrap_get_is_target_self(qpol_policy_t *p) {
|
|
uint32_t i;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_syn_avrule_get_is_target_self(p, self, &i)) {
|
|
@@ -2717,7 +2961,8 @@ typedef struct qpol_syn_avrule {} qpol_syn_avrule_t;
|
|
return (int) i;
|
|
};
|
|
%newobject get_class_iter(qpol_policy_t*);
|
|
- qpol_iterator_t *get_class_iter(qpol_policy_t *p) {
|
|
+ %rename(get_class_iter) wrap_get_class_iter;
|
|
+ qpol_iterator_t *wrap_get_class_iter(qpol_policy_t *p) {
|
|
qpol_iterator_t *iter;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_syn_avrule_get_class_iter(p, self, &iter)) {
|
|
@@ -2728,7 +2973,8 @@ typedef struct qpol_syn_avrule {} qpol_syn_avrule_t;
|
|
return iter;
|
|
};
|
|
%newobject get_perm_iter(qpol_policy_t*);
|
|
- qpol_iterator_t *get_perm_iter(qpol_policy_t *p) {
|
|
+ %rename(get_perm_iter) wrap_get_perm_iter;
|
|
+ qpol_iterator_t *wrap_get_perm_iter(qpol_policy_t *p) {
|
|
qpol_iterator_t *iter;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_syn_avrule_get_perm_iter(p, self, &iter)) {
|
|
@@ -2738,7 +2984,8 @@ typedef struct qpol_syn_avrule {} qpol_syn_avrule_t;
|
|
fail:
|
|
return iter;
|
|
};
|
|
- long get_lineno(qpol_policy_t *p) {
|
|
+ %rename(get_lineno) wrap_get_lineno;
|
|
+ long wrap_get_lineno(qpol_policy_t *p) {
|
|
unsigned long l;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_syn_avrule_get_lineno(p, self, &l)) {
|
|
@@ -2748,7 +2995,8 @@ typedef struct qpol_syn_avrule {} qpol_syn_avrule_t;
|
|
fail:
|
|
return (long)l;
|
|
};
|
|
- const qpol_cond_t *get_cond(qpol_policy_t *p) {
|
|
+ %rename(get_cond) wrap_get_cond;
|
|
+ const qpol_cond_t *wrap_get_cond(qpol_policy_t *p) {
|
|
const qpol_cond_t *c;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_syn_avrule_get_cond(p, self, &c)) {
|
|
@@ -2758,7 +3006,8 @@ typedef struct qpol_syn_avrule {} qpol_syn_avrule_t;
|
|
fail:
|
|
return c;
|
|
};
|
|
- int get_is_enabled(qpol_policy_t *p) {
|
|
+ %rename(get_is_enabled) wrap_get_is_enabled;
|
|
+ int wrap_get_is_enabled(qpol_policy_t *p) {
|
|
uint32_t e;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_syn_avrule_get_is_enabled(p, self, &e)) {
|
|
@@ -2778,18 +3027,19 @@ typedef struct qpol_syn_avrule {} qpol_syn_avrule_t;
|
|
/* qpol syn te rule */
|
|
typedef struct qpol_syn_terule {} qpol_syn_terule_t;
|
|
%extend qpol_syn_terule_t {
|
|
- qpol_syn_terule_t() {
|
|
+ qpol_syn_terule() {
|
|
BEGIN_EXCEPTION
|
|
SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_syn_terule_t objects");
|
|
END_EXCEPTION
|
|
fail:
|
|
return NULL;
|
|
};
|
|
- ~qpol_syn_terule_t() {
|
|
+ ~qpol_syn_terule() {
|
|
/* no op */
|
|
return;
|
|
};
|
|
- int get_rule_type(qpol_policy_t *p) {
|
|
+ %rename(get_rule_type) wrap_get_rule_type;
|
|
+ int wrap_get_rule_type(qpol_policy_t *p) {
|
|
uint32_t rt;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_syn_terule_get_rule_type(p, self, &rt)) {
|
|
@@ -2799,7 +3049,8 @@ typedef struct qpol_syn_terule {} qpol_syn_terule_t;
|
|
fail:
|
|
return rt;
|
|
};
|
|
- const qpol_type_set_t *get_source_type_set(qpol_policy_t *p) {
|
|
+ %rename(get_source_type_set) wrap_get_source_type_set;
|
|
+ const qpol_type_set_t *wrap_get_source_type_set(qpol_policy_t *p) {
|
|
const qpol_type_set_t *ts;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_syn_terule_get_source_type_set(p, self, &ts)) {
|
|
@@ -2809,7 +3060,8 @@ typedef struct qpol_syn_terule {} qpol_syn_terule_t;
|
|
fail:
|
|
return ts;
|
|
};
|
|
- const qpol_type_set_t *get_target_type_set(qpol_policy_t *p) {
|
|
+ %rename(get_target_type_set) wrap_get_target_type_set;
|
|
+ const qpol_type_set_t *wrap_get_target_type_set(qpol_policy_t *p) {
|
|
const qpol_type_set_t *ts;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_syn_terule_get_target_type_set(p, self, &ts)) {
|
|
@@ -2820,7 +3072,8 @@ typedef struct qpol_syn_terule {} qpol_syn_terule_t;
|
|
return ts;
|
|
};
|
|
%newobject get_class_iter(qpol_policy_t*);
|
|
- qpol_iterator_t *get_class_iter(qpol_policy_t *p) {
|
|
+ %rename(get_class_iter) wrap_get_class_iter;
|
|
+ qpol_iterator_t *wrap_get_class_iter(qpol_policy_t *p) {
|
|
qpol_iterator_t *iter;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_syn_terule_get_class_iter(p, self, &iter)) {
|
|
@@ -2830,7 +3083,8 @@ typedef struct qpol_syn_terule {} qpol_syn_terule_t;
|
|
fail:
|
|
return iter;
|
|
};
|
|
- const qpol_type_t *get_default_type(qpol_policy_t *p) {
|
|
+ %rename(get_default_type) wrap_get_default_type;
|
|
+ const qpol_type_t *wrap_get_default_type(qpol_policy_t *p) {
|
|
const qpol_type_t *t;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_syn_terule_get_default_type(p, self, &t)) {
|
|
@@ -2840,7 +3094,8 @@ typedef struct qpol_syn_terule {} qpol_syn_terule_t;
|
|
fail:
|
|
return t;
|
|
};
|
|
- long get_lineno(qpol_policy_t *p) {
|
|
+ %rename(get_lineno) wrap_get_lineno;
|
|
+ long wrap_get_lineno(qpol_policy_t *p) {
|
|
unsigned long l;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_syn_terule_get_lineno(p, self, &l)) {
|
|
@@ -2850,7 +3105,8 @@ typedef struct qpol_syn_terule {} qpol_syn_terule_t;
|
|
fail:
|
|
return (long)l;
|
|
};
|
|
- const qpol_cond_t *get_cond(qpol_policy_t *p) {
|
|
+ %rename(get_cond) wrap_get_cond;
|
|
+ const qpol_cond_t *wrap_get_cond(qpol_policy_t *p) {
|
|
const qpol_cond_t *c;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_syn_terule_get_cond(p, self, &c)) {
|
|
@@ -2860,7 +3116,8 @@ typedef struct qpol_syn_terule {} qpol_syn_terule_t;
|
|
fail:
|
|
return c;
|
|
};
|
|
- int get_is_enabled(qpol_policy_t *p) {
|
|
+ %rename(get_is_enabled) wrap_get_is_enabled;
|
|
+ int wrap_get_is_enabled(qpol_policy_t *p) {
|
|
uint32_t e;
|
|
BEGIN_EXCEPTION
|
|
if (qpol_syn_terule_get_is_enabled(p, self, &e)) {
|
|
@@ -2876,4 +3133,317 @@ typedef struct qpol_syn_terule {} qpol_syn_terule_t;
|
|
return (qpol_syn_terule_t*)x;
|
|
};
|
|
%}
|
|
+
|
|
+/* qpol filename trans */
|
|
+typedef struct qpol_filename_trans {} qpol_filename_trans_t;
|
|
+%extend qpol_filename_trans_t {
|
|
+ qpol_filename_trans() {
|
|
+ BEGIN_EXCEPTION
|
|
+ SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_filename_trans_t objects");
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return NULL;
|
|
+ };
|
|
+ ~qpol_filename_trans() {
|
|
+ /* no op */
|
|
+ return;
|
|
+ };
|
|
+ %rename(get_source_type) wrap_get_source_type;
|
|
+ const qpol_type_t *wrap_get_source_type (qpol_policy_t *p) {
|
|
+ const qpol_type_t *t;
|
|
+ BEGIN_EXCEPTION
|
|
+ if (qpol_filename_trans_get_source_type(p, self, &t)) {
|
|
+ SWIG_exception(SWIG_ValueError, "Could not get source for filename transition rule");
|
|
+ }
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return t;
|
|
+ };
|
|
+ %rename(get_target_type) wrap_get_target_type;
|
|
+ const qpol_type_t *wrap_get_target_type (qpol_policy_t *p) {
|
|
+ const qpol_type_t *t;
|
|
+ BEGIN_EXCEPTION
|
|
+ if (qpol_filename_trans_get_target_type(p, self, &t)) {
|
|
+ SWIG_exception(SWIG_ValueError, "Could not get target for filename transition rule"); }
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return t;
|
|
+ };
|
|
+ %rename(get_object_class) wrap_get_object_class;
|
|
+ const qpol_class_t *wrap_get_object_class(qpol_policy_t *p) {
|
|
+ const qpol_class_t *cls;
|
|
+ BEGIN_EXCEPTION
|
|
+ if (qpol_filename_trans_get_object_class(p, self, &cls)) {
|
|
+ SWIG_exception(SWIG_ValueError, "Could not get class for filename transition rule"); }
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return cls;
|
|
+ };
|
|
+ %rename(get_default_type) wrap_get_default_type;
|
|
+ const qpol_type_t *wrap_get_default_type(qpol_policy_t *p) {
|
|
+ const qpol_type_t *t;
|
|
+ BEGIN_EXCEPTION
|
|
+ if (qpol_filename_trans_get_default_type(p, self, &t)) {
|
|
+ SWIG_exception(SWIG_ValueError, "Could not get default for filename transition rule");
|
|
+ }
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return t;
|
|
+ };
|
|
+ %rename(get_filename) wrap_get_filename;
|
|
+ const char *wrap_get_filename(qpol_policy_t *p) {
|
|
+ const char *name;
|
|
+ BEGIN_EXCEPTION
|
|
+ if (qpol_filename_trans_get_filename(p, self, &name)) {
|
|
+ SWIG_exception(SWIG_ValueError, "Could not get file for filename transition rule");
|
|
+ }
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return name;
|
|
+ };
|
|
+
|
|
+};
|
|
+%inline %{
|
|
+ qpol_filename_trans_t *qpol_filename_trans_from_void(void *x) {
|
|
+ return (qpol_filename_trans_t*)x;
|
|
+ };
|
|
+%}
|
|
+
|
|
+/* qpol polcap */
|
|
+typedef struct qpol_polcap {} qpol_polcap_t;
|
|
+%extend qpol_polcap_t {
|
|
+ qpol_polcap() {
|
|
+ BEGIN_EXCEPTION
|
|
+ SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_polcap_t objects");
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return NULL;
|
|
+ };
|
|
+ ~qpol_polcap() {
|
|
+ /* no op */
|
|
+ return;
|
|
+ };
|
|
+ %rename(get_name) wrap_get_name;
|
|
+ const char *wrap_get_name(qpol_policy_t *p) {
|
|
+ const char *name;
|
|
+ BEGIN_EXCEPTION
|
|
+ if (qpol_polcap_get_name(p, self, &name)) {
|
|
+ SWIG_exception(SWIG_ValueError, "Could not get polcap name rule");
|
|
+ }
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return name;
|
|
+ };
|
|
+
|
|
+};
|
|
+%inline %{
|
|
+ qpol_polcap_t *qpol_polcap_from_void(void *x) {
|
|
+ return (qpol_polcap_t*)x;
|
|
+ };
|
|
+%}
|
|
+
|
|
+/* qpol typebounds */
|
|
+typedef struct qpol_typebounds {} qpol_typebounds_t;
|
|
+%extend qpol_typebounds_t {
|
|
+ qpol_typebounds() {
|
|
+ BEGIN_EXCEPTION
|
|
+ SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_typebounds_t objects");
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return NULL;
|
|
+ };
|
|
+ ~qpol_typebounds() {
|
|
+ /* no op */
|
|
+ return;
|
|
+ };
|
|
+ %rename(get_parent_name) wrap_get_parent_name;
|
|
+ const char *wrap_get_parent_name(qpol_policy_t *p) {
|
|
+ const char *name;
|
|
+ BEGIN_EXCEPTION
|
|
+ if (qpol_typebounds_get_parent_name(p, self, &name)) {
|
|
+ SWIG_exception(SWIG_ValueError, "Could not get parent name");
|
|
+ }
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return name;
|
|
+ };
|
|
+ %rename(get_child_name) wrap_get_child_name;
|
|
+ const char *wrap_get_child_name(qpol_policy_t *p) {
|
|
+ const char *name;
|
|
+ BEGIN_EXCEPTION
|
|
+ if (qpol_typebounds_get_child_name(p, self, &name)) {
|
|
+ SWIG_exception(SWIG_ValueError, "Could not get child name");
|
|
+ }
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return name;
|
|
+ };
|
|
+};
|
|
+%inline %{
|
|
+ qpol_typebounds_t *qpol_typebounds_from_void(void *x) {
|
|
+ return (qpol_typebounds_t*)x;
|
|
+ };
|
|
+%}
|
|
+
|
|
+/* qpol rolebounds */
|
|
+typedef struct qpol_rolebounds {} qpol_rolebounds_t;
|
|
+%extend qpol_rolebounds_t {
|
|
+ qpol_rolebounds() {
|
|
+ BEGIN_EXCEPTION
|
|
+ SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_rolebounds_t objects");
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return NULL;
|
|
+ };
|
|
+ ~qpol_rolebounds() {
|
|
+ /* no op */
|
|
+ return;
|
|
+ };
|
|
+ %rename(get_parent_name) wrap_get_parent_name;
|
|
+ const char *wrap_get_parent_name(qpol_policy_t *p) {
|
|
+ const char *name;
|
|
+ BEGIN_EXCEPTION
|
|
+ if (qpol_rolebounds_get_parent_name(p, self, &name)) {
|
|
+ SWIG_exception(SWIG_ValueError, "Could not get parent name");
|
|
+ }
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return name;
|
|
+ };
|
|
+ %rename(get_child_name) wrap_get_child_name;
|
|
+ const char *wrap_get_child_name(qpol_policy_t *p) {
|
|
+ const char *name;
|
|
+ BEGIN_EXCEPTION
|
|
+ if (qpol_rolebounds_get_child_name(p, self, &name)) {
|
|
+ SWIG_exception(SWIG_ValueError, "Could not get child name");
|
|
+ }
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return name;
|
|
+ };
|
|
+};
|
|
+%inline %{
|
|
+ qpol_rolebounds_t *qpol_rolebounds_from_void(void *x) {
|
|
+ return (qpol_rolebounds_t*)x;
|
|
+ };
|
|
+%}
|
|
+
|
|
+/* qpol userbounds */
|
|
+typedef struct qpol_userbounds {} qpol_userbounds_t;
|
|
+%extend qpol_userbounds_t {
|
|
+ qpol_userbounds() {
|
|
+ BEGIN_EXCEPTION
|
|
+ SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_userbounds_t objects");
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return NULL;
|
|
+ };
|
|
+ ~qpol_userbounds() {
|
|
+ /* no op */
|
|
+ return;
|
|
+ };
|
|
+ %rename(get_parent_name) wrap_get_parent_name;
|
|
+ const char *wrap_get_parent_name(qpol_policy_t *p) {
|
|
+ const char *name;
|
|
+ BEGIN_EXCEPTION
|
|
+ if (qpol_userbounds_get_parent_name(p, self, &name)) {
|
|
+ SWIG_exception(SWIG_ValueError, "Could not get parent name");
|
|
+ }
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return name;
|
|
+ };
|
|
+ %rename(get_child_name) wrap_get_child_name;
|
|
+ const char *wrap_get_child_name(qpol_policy_t *p) {
|
|
+ const char *name;
|
|
+ BEGIN_EXCEPTION
|
|
+ if (qpol_userbounds_get_child_name(p, self, &name)) {
|
|
+ SWIG_exception(SWIG_ValueError, "Could not get child name");
|
|
+ }
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return name;
|
|
+ };
|
|
+};
|
|
+%inline %{
|
|
+ qpol_userbounds_t *qpol_userbounds_from_void(void *x) {
|
|
+ return (qpol_userbounds_t*)x;
|
|
+ };
|
|
+%}
|
|
+
|
|
+/* qpol default_object */
|
|
+typedef struct qpol_default_object {} qpol_default_object_t;
|
|
+%extend qpol_default_object_t {
|
|
+ qpol_default_object() {
|
|
+ BEGIN_EXCEPTION
|
|
+ SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_default_object_t objects");
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return NULL;
|
|
+ };
|
|
+ ~qpol_default_object() {
|
|
+ /* no op */
|
|
+ return;
|
|
+ };
|
|
+ %rename(get_class) wrap_get_class;
|
|
+ const char *wrap_get_class(qpol_policy_t *p) {
|
|
+ const char *name;
|
|
+ BEGIN_EXCEPTION
|
|
+ if (qpol_default_object_get_class(p, self, &name)) {
|
|
+ SWIG_exception(SWIG_ValueError, "Could not get class name");
|
|
+ }
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return name;
|
|
+ };
|
|
+ %rename(get_user_default) wrap_get_user_default;
|
|
+ const char *wrap_get_user_default(qpol_policy_t *p) {
|
|
+ const char *value;
|
|
+ BEGIN_EXCEPTION
|
|
+ if (qpol_default_object_get_user_default(p, self, &value)) {
|
|
+ SWIG_exception(SWIG_ValueError, "Could not get user default");
|
|
+ }
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return value;
|
|
+ };
|
|
+ %rename(get_role_default) wrap_get_role_default;
|
|
+ const char *wrap_get_role_default(qpol_policy_t *p) {
|
|
+ const char *value;
|
|
+ BEGIN_EXCEPTION
|
|
+ if (qpol_default_object_get_role_default(p, self, &value)) {
|
|
+ SWIG_exception(SWIG_ValueError, "Could not get role default");
|
|
+ }
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return value;
|
|
+ };
|
|
+ %rename(get_type_default) wrap_get_type_default;
|
|
+ const char *wrap_get_type_default(qpol_policy_t *p) {
|
|
+ const char *value;
|
|
+ BEGIN_EXCEPTION
|
|
+ if (qpol_default_object_get_type_default(p, self, &value)) {
|
|
+ SWIG_exception(SWIG_ValueError, "Could not get type default");
|
|
+ }
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return value;
|
|
+ };
|
|
+ %rename(get_range_default) wrap_get_range_default;
|
|
+ const char *wrap_get_range_default(qpol_policy_t *p) {
|
|
+ const char *value;
|
|
+ BEGIN_EXCEPTION
|
|
+ if (qpol_default_object_get_range_default(p, self, &value)) {
|
|
+ SWIG_exception(SWIG_ValueError, "Could not get range defaults");
|
|
+ }
|
|
+ END_EXCEPTION
|
|
+ fail:
|
|
+ return value;
|
|
+ };
|
|
+};
|
|
+%inline %{
|
|
+ qpol_default_object_t *qpol_default_object_from_void(void *x) {
|
|
+ return (qpol_default_object_t*)x;
|
|
+ };
|
|
+%}
|
|
// vim:ft=c noexpandtab
|
|
diff --git a/libseaudit/swig/seaudit.i b/libseaudit/swig/seaudit.i
|
|
index 8c96d89..3bd5fe4 100644
|
|
--- a/libseaudit/swig/seaudit.i
|
|
+++ b/libseaudit/swig/seaudit.i
|
|
@@ -252,7 +252,7 @@ typedef struct tm {
|
|
int tm_isdst; /* daylight saving time */
|
|
} tm_t;
|
|
%extend tm_t {
|
|
- tm_t() {
|
|
+ tm() {
|
|
struct tm *t;
|
|
BEGIN_EXCEPTION
|
|
t = calloc(1, sizeof(struct tm));
|
|
@@ -263,7 +263,7 @@ typedef struct tm {
|
|
fail:
|
|
return t;
|
|
};
|
|
- ~tm_t() {
|
|
+ ~tm() {
|
|
free(self);
|
|
}
|
|
/* use default accessor style for the rest */
|
|
@@ -280,7 +280,7 @@ typedef enum seaudit_log_type
|
|
} seaudit_log_type_e;
|
|
typedef struct seaudit_log {} seaudit_log_t;
|
|
%extend seaudit_log_t {
|
|
- seaudit_log_t() {
|
|
+ seaudit_log() {
|
|
seaudit_log_t *slog;
|
|
BEGIN_EXCEPTION
|
|
slog = seaudit_log_create(seaudit_swig_message_callback, seaudit_swig_message_callback_arg);
|
|
@@ -291,14 +291,16 @@ typedef struct seaudit_log {} seaudit_log_t;
|
|
fail:
|
|
return slog;
|
|
};
|
|
- ~seaudit_log_t() {
|
|
+ ~seaudit_log() {
|
|
seaudit_log_destroy(&self);
|
|
};
|
|
- void clear () {
|
|
+ %rename(clear) wrap_clear;
|
|
+ void wrap_clear () {
|
|
seaudit_log_clear(self);
|
|
};
|
|
%newobject get_users();
|
|
- apol_string_vector_t *get_users() {
|
|
+ %rename(get_users) wrap_get_users;
|
|
+ apol_string_vector_t *wrap_get_users() {
|
|
apol_vector_t *v;
|
|
BEGIN_EXCEPTION
|
|
v = seaudit_log_get_users(self);
|
|
@@ -310,7 +312,8 @@ typedef struct seaudit_log {} seaudit_log_t;
|
|
return (apol_string_vector_t*)v;
|
|
};
|
|
%newobject get_roles();
|
|
- apol_string_vector_t *get_roles() {
|
|
+ %rename(get_roles) wrap_get_roles;
|
|
+ apol_string_vector_t *wrap_get_roles() {
|
|
apol_vector_t *v;
|
|
BEGIN_EXCEPTION
|
|
v = seaudit_log_get_roles(self);
|
|
@@ -322,7 +325,8 @@ typedef struct seaudit_log {} seaudit_log_t;
|
|
return (apol_string_vector_t*)v;
|
|
};
|
|
%newobject get_types();
|
|
- apol_string_vector_t *get_types() {
|
|
+ %rename(get_types) wrap_get_types;
|
|
+ apol_string_vector_t *wrap_get_types() {
|
|
apol_vector_t *v;
|
|
BEGIN_EXCEPTION
|
|
v = seaudit_log_get_types(self);
|
|
@@ -334,7 +338,8 @@ typedef struct seaudit_log {} seaudit_log_t;
|
|
return (apol_string_vector_t*)v;
|
|
};
|
|
%newobject get_classes();
|
|
- apol_string_vector_t *get_classes() {
|
|
+ %rename(get_classes) wrap_get_classes;
|
|
+ apol_string_vector_t *wrap_get_classes() {
|
|
apol_vector_t *v;
|
|
BEGIN_EXCEPTION
|
|
v = seaudit_log_get_classes(self);
|
|
@@ -357,14 +362,14 @@ typedef enum seaudit_message_type
|
|
} seaudit_message_type_e;
|
|
typedef struct seaudit_message {} seaudit_message_t;
|
|
%extend seaudit_message_t {
|
|
- seaudit_message_t() {
|
|
+ seaudit_message() {
|
|
BEGIN_EXCEPTION
|
|
SWIG_exception(SWIG_RuntimeError, "Canot directly create seaudit_message_t objects");
|
|
END_EXCEPTION
|
|
fail:
|
|
return NULL;
|
|
};
|
|
- ~seaudit_message_t() {
|
|
+ ~seaudit_message() {
|
|
/* no op */
|
|
return;
|
|
};
|
|
@@ -373,18 +378,22 @@ typedef struct seaudit_message {} seaudit_message_t;
|
|
(void)seaudit_message_get_data(self, &te);
|
|
return te;
|
|
};
|
|
- void *get_data() {
|
|
+ %rename(get_data) wrap_get_data;
|
|
+ void *wrap_get_data() {
|
|
seaudit_message_type_e te;
|
|
return seaudit_message_get_data(self, &te);
|
|
};
|
|
- const char *get_host() {
|
|
+ %rename(get_host) wrap_get_host;
|
|
+ const char *wrap_get_host() {
|
|
return seaudit_message_get_host(self);
|
|
};
|
|
- const tm_t *get_time() {
|
|
+ %rename(get_time) wrap_get_time;
|
|
+ const tm_t *wrap_get_time() {
|
|
return seaudit_message_get_time(self);
|
|
}
|
|
%newobject to_string();
|
|
- char *to_string() {
|
|
+ %rename(to_string) wrap_to_string;
|
|
+ char *wrap_to_string() {
|
|
char *str;
|
|
BEGIN_EXCEPTION
|
|
str = seaudit_message_to_string(self);
|
|
@@ -396,7 +405,8 @@ typedef struct seaudit_message {} seaudit_message_t;
|
|
return str;
|
|
};
|
|
%newobject to_string_html();
|
|
- char *to_string_html() {
|
|
+ %rename(to_string_html) wrap_to_string_html;
|
|
+ char *wrap_to_string_html() {
|
|
char *str;
|
|
BEGIN_EXCEPTION
|
|
str = seaudit_message_to_string_html(self);
|
|
@@ -408,7 +418,8 @@ typedef struct seaudit_message {} seaudit_message_t;
|
|
return str;
|
|
};
|
|
%newobject to_misc_string();
|
|
- char *to_misc_string() {
|
|
+ %rename(to_misc_string) wrap_to_misc_string;
|
|
+ char *wrap_to_misc_string() {
|
|
char *str;
|
|
BEGIN_EXCEPTION
|
|
str = seaudit_message_to_misc_string(self);
|
|
@@ -429,14 +440,14 @@ typedef struct seaudit_message {} seaudit_message_t;
|
|
/* seaudit load message */
|
|
typedef struct seaudit_load_message {} seaudit_load_message_t;
|
|
%extend seaudit_load_message_t {
|
|
- seaudit_load_message_t() {
|
|
+ seaudit_load_message() {
|
|
BEGIN_EXCEPTION
|
|
SWIG_exception(SWIG_RuntimeError, "Cannot directly create seaudit_load_message_t objects");
|
|
END_EXCEPTION
|
|
fail:
|
|
return NULL;
|
|
};
|
|
- ~seaudit_load_message_t() {
|
|
+ ~seaudit_load_message() {
|
|
/* no op */
|
|
return;
|
|
};
|
|
@@ -450,14 +461,14 @@ typedef struct seaudit_load_message {} seaudit_load_message_t;
|
|
/* seaudit bool message */
|
|
typedef struct seaudit_bool_message {} seaudit_bool_message_t;
|
|
%extend seaudit_bool_message_t {
|
|
- seaudit_bool_message_t(void *msg) {
|
|
+ seaudit_bool_message(void *msg) {
|
|
BEGIN_EXCEPTION
|
|
SWIG_exception(SWIG_RuntimeError, "Cannot directly create seaudit_bool_message_t objects");
|
|
END_EXCEPTION
|
|
fail:
|
|
return NULL;
|
|
};
|
|
- ~seaudit_bool_message_t() {
|
|
+ ~seaudit_bool_message() {
|
|
/* no op */
|
|
return;
|
|
};
|
|
@@ -477,102 +488,131 @@ typedef enum seaudit_avc_message_type
|
|
} seaudit_avc_message_type_e;
|
|
typedef struct seaudit_avc_message {} seaudit_avc_message_t;
|
|
%extend seaudit_avc_message_t {
|
|
- seaudit_avc_message_t() {
|
|
+ seaudit_avc_message() {
|
|
BEGIN_EXCEPTION
|
|
SWIG_exception(SWIG_RuntimeError, "Cannot directly create seaudit_avc_message_t objects");
|
|
END_EXCEPTION
|
|
fail:
|
|
return NULL;
|
|
};
|
|
- ~seaudit_avc_message_t() {
|
|
+ ~seaudit_avc_message() {
|
|
/* no op */
|
|
return;
|
|
};
|
|
- seaudit_avc_message_type_e get_message_type() {
|
|
+ %rename(get_message_type) wrap_get_message_type;
|
|
+ seaudit_avc_message_type_e wrap_get_message_type() {
|
|
return seaudit_avc_message_get_message_type(self);
|
|
};
|
|
- long get_timestamp_nano() {
|
|
+ %rename(get_timestamp_nano) wrap_get_timestamp_nano;
|
|
+ long wrap_get_timestamp_nano() {
|
|
return seaudit_avc_message_get_timestamp_nano(self);
|
|
};
|
|
- const char *get_source_user() {
|
|
+ %rename(get_source_user) wrap_get_source_user;
|
|
+ const char *wrap_get_source_user() {
|
|
return seaudit_avc_message_get_source_user(self);
|
|
};
|
|
- const char *get_source_role() {
|
|
+ %rename(get_source_role) wrap_get_source_role;
|
|
+ const char *wrap_get_source_role() {
|
|
return seaudit_avc_message_get_source_role(self);
|
|
};
|
|
- const char *get_source_type() {
|
|
+ %rename(get_source_type) wrap_get_source_type;
|
|
+ const char *wrap_get_source_type() {
|
|
return seaudit_avc_message_get_source_type(self);
|
|
};
|
|
- const char *get_target_user() {
|
|
+ %rename(get_target_user) wrap_get_target_user;
|
|
+ const char *wrap_get_target_user() {
|
|
return seaudit_avc_message_get_target_user(self);
|
|
};
|
|
- const char *get_target_role() {
|
|
+ %rename(get_target_role) wrap_get_target_role;
|
|
+ const char *wrap_get_target_role() {
|
|
return seaudit_avc_message_get_target_role(self);
|
|
};
|
|
- const char *get_target_type() {
|
|
+ %rename(get_target_type) wrap_get_target_type;
|
|
+ const char *wrap_get_target_type() {
|
|
return seaudit_avc_message_get_target_type(self);
|
|
};
|
|
- const char *get_object_class() {
|
|
+ %rename(get_object_class) wrap_get_object_class;
|
|
+ const char *wrap_get_object_class() {
|
|
return seaudit_avc_message_get_object_class(self);
|
|
};
|
|
- const apol_string_vector_t *get_perm() {
|
|
+ %rename(get_perm) wrap_get_perm;
|
|
+ const apol_string_vector_t *wrap_get_perm() {
|
|
return (apol_string_vector_t*)seaudit_avc_message_get_perm(self);
|
|
};
|
|
- const char *get_exe() {
|
|
+ %rename(get_exe) wrap_get_exe;
|
|
+ const char *wrap_get_exe() {
|
|
return seaudit_avc_message_get_exe(self);
|
|
};
|
|
- const char *get_comm() {
|
|
+ %rename(get_comm) wrap_get_comm;
|
|
+ const char *wrap_get_comm() {
|
|
return seaudit_avc_message_get_comm(self);
|
|
};
|
|
- const char *get_name() {
|
|
+ %rename(get_name) wrap_get_name;
|
|
+ const char *wrap_get_name() {
|
|
return seaudit_avc_message_get_name(self);
|
|
};
|
|
- int get_pid() {
|
|
+ %rename(get_pid) wrap_get_pid;
|
|
+ int wrap_get_pid() {
|
|
return (int)seaudit_avc_message_get_pid(self);
|
|
};
|
|
- long get_inode() {
|
|
+ %rename(get_inode) wrap_get_inode;
|
|
+ long wrap_get_inode() {
|
|
return (long)seaudit_avc_message_get_inode(self);
|
|
};
|
|
- const char *get_path() {
|
|
+ %rename(get_path) wrap_get_path;
|
|
+ const char *wrap_get_path() {
|
|
return seaudit_avc_message_get_path(self);
|
|
};
|
|
- const char *get_dev() {
|
|
+ %rename(get_dev) wrap_get_dev;
|
|
+ const char *wrap_get_dev() {
|
|
return seaudit_avc_message_get_dev(self);
|
|
};
|
|
- const char *get_netif() {
|
|
+ %rename(get_netif) wrap_get_netif;
|
|
+ const char *wrap_get_netif() {
|
|
return seaudit_avc_message_get_netif(self);
|
|
};
|
|
- int get_port() {
|
|
+ %rename(get_port) wrap_get_port;
|
|
+ int wrap_get_port() {
|
|
return seaudit_avc_message_get_port(self);
|
|
};
|
|
- const char *get_laddr() {
|
|
+ %rename(get_laddr) wrap_get_laddr;
|
|
+ const char *wrap_get_laddr() {
|
|
return seaudit_avc_message_get_laddr(self);
|
|
};
|
|
- int get_lport() {
|
|
+ %rename(get_lport) wrap_get_lport;
|
|
+ int wrap_get_lport() {
|
|
return seaudit_avc_message_get_lport(self);
|
|
};
|
|
- const char *get_faddr() {
|
|
+ %rename(get_faddr) wrap_get_faddr;
|
|
+ const char *wrap_get_faddr() {
|
|
return seaudit_avc_message_get_faddr(self);
|
|
};
|
|
- int get_fport() {
|
|
+ %rename(get_fport) wrap_get_fport;
|
|
+ int wrap_get_fport() {
|
|
return seaudit_avc_message_get_fport(self);
|
|
};
|
|
- const char *get_saddr() {
|
|
+ %rename(get_saddr) wrap_get_saddr;
|
|
+ const char *wrap_get_saddr() {
|
|
return seaudit_avc_message_get_saddr(self);
|
|
};
|
|
- int get_sport() {
|
|
+ %rename(get_sport) wrap_get_sport;
|
|
+ int wrap_get_sport() {
|
|
return seaudit_avc_message_get_sport(self);
|
|
};
|
|
- const char *get_daddr() {
|
|
+ %rename(get_daddr) wrap_get_daddr;
|
|
+ const char *wrap_get_daddr() {
|
|
return seaudit_avc_message_get_daddr(self);
|
|
};
|
|
- int get_dport() {
|
|
+ %rename(get_dport) wrap_get_dport;
|
|
+ int wrap_get_dport() {
|
|
return seaudit_avc_message_get_dport(self);
|
|
};
|
|
- int get_key() {
|
|
+ %rename(get_key) wrap_get_key;
|
|
+ int wrap_get_key() {
|
|
return seaudit_avc_message_get_key(self);
|
|
};
|
|
- int get_cap() {
|
|
+ %rename(get_cap) wrap_get_cap;
|
|
+ int wrap_get_cap() {
|
|
return seaudit_avc_message_get_cap(self);
|
|
};
|
|
};
|
|
@@ -608,7 +648,7 @@ typedef enum seaudit_filter_date_match
|
|
} seaudit_filter_date_match_e;
|
|
typedef struct seaudit_filter {} seaudit_filter_t;
|
|
%extend seaudit_filter_t {
|
|
- seaudit_filter_t(char *name = NULL) {
|
|
+ seaudit_filter(char *name = NULL) {
|
|
seaudit_filter_t *sf = NULL;
|
|
BEGIN_EXCEPTION
|
|
sf = seaudit_filter_create(name);
|
|
@@ -619,7 +659,7 @@ typedef struct seaudit_filter {} seaudit_filter_t;
|
|
fail:
|
|
return sf;
|
|
};
|
|
- seaudit_filter_t(seaudit_filter_t *in) {
|
|
+ seaudit_filter(seaudit_filter_t *in) {
|
|
seaudit_filter_t *sf = NULL;
|
|
BEGIN_EXCEPTION
|
|
sf = seaudit_filter_create_from_filter(in);
|
|
@@ -630,7 +670,7 @@ typedef struct seaudit_filter {} seaudit_filter_t;
|
|
fail:
|
|
return sf;
|
|
};
|
|
- ~seaudit_filter_t() {
|
|
+ ~seaudit_filter() {
|
|
seaudit_filter_destroy(&self);
|
|
};
|
|
void save(char *path) {
|
|
@@ -642,7 +682,8 @@ typedef struct seaudit_filter {} seaudit_filter_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_match(seaudit_filter_match_e match) {
|
|
+ %rename(set_match) wrap_set_match;
|
|
+ void wrap_set_match(seaudit_filter_match_e match) {
|
|
BEGIN_EXCEPTION
|
|
if (seaudit_filter_set_match(self, match)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set filter matching method");
|
|
@@ -651,10 +692,12 @@ typedef struct seaudit_filter {} seaudit_filter_t;
|
|
fail:
|
|
return;
|
|
}
|
|
- seaudit_filter_match_e get_match() {
|
|
+ %rename(get_match) wrap_get_match;
|
|
+ seaudit_filter_match_e wrap_get_match() {
|
|
return seaudit_filter_get_match(self);
|
|
};
|
|
- void set_name(char *name) {
|
|
+ %rename(set_name) wrap_set_name;
|
|
+ void wrap_set_name(char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (seaudit_filter_set_name(self, name)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set filter name");
|
|
@@ -663,10 +706,12 @@ typedef struct seaudit_filter {} seaudit_filter_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- const char *get_name() {
|
|
+ %rename(get_name) wrap_get_name;
|
|
+ const char *wrap_get_name() {
|
|
return seaudit_filter_get_name(self);
|
|
};
|
|
- void set_description(char *description) {
|
|
+ %rename(set_description) wrap_set_description;
|
|
+ void wrap_set_description(char *description) {
|
|
BEGIN_EXCEPTION
|
|
if (seaudit_filter_set_description(self, description)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set filter description");
|
|
@@ -675,16 +720,20 @@ typedef struct seaudit_filter {} seaudit_filter_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- const char *get_description() {
|
|
+ %rename(get_description) wrap_get_description;
|
|
+ const char *wrap_get_description() {
|
|
return seaudit_filter_get_description(self);
|
|
};
|
|
- void set_strict(bool is_strict) {
|
|
+ %rename(set_strict) wrap_set_strict;
|
|
+ void wrap_set_strict(bool is_strict) {
|
|
seaudit_filter_set_strict(self, is_strict);
|
|
};
|
|
- bool get_strict() {
|
|
+ %rename(get_strict) wrap_get_strict;
|
|
+ bool wrap_get_strict() {
|
|
return seaudit_filter_get_strict(self);
|
|
};
|
|
- void set_source_user(apol_string_vector_t *v) {
|
|
+ %rename(set_source_user) wrap_set_source_user;
|
|
+ void wrap_set_source_user(apol_string_vector_t *v) {
|
|
BEGIN_EXCEPTION
|
|
if (seaudit_filter_set_source_user(self, (apol_vector_t*)v)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set source user list for filter");
|
|
@@ -693,10 +742,12 @@ typedef struct seaudit_filter {} seaudit_filter_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- const apol_string_vector_t *get_source_user() {
|
|
+ %rename(get_source_user) wrap_get_source_user;
|
|
+ const apol_string_vector_t *wrap_get_source_user() {
|
|
return (apol_string_vector_t*)seaudit_filter_get_source_user(self);
|
|
};
|
|
- void set_source_role(apol_string_vector_t *v) {
|
|
+ %rename(set_source_role) wrap_set_source_role;
|
|
+ void wrap_set_source_role(apol_string_vector_t *v) {
|
|
BEGIN_EXCEPTION
|
|
if (seaudit_filter_set_source_role(self, (apol_vector_t*)v)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set source role list for filter");
|
|
@@ -705,10 +756,12 @@ typedef struct seaudit_filter {} seaudit_filter_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- const apol_string_vector_t *get_source_role() {
|
|
+ %rename(get_source_role) wrap_get_source_role;
|
|
+ const apol_string_vector_t *wrap_get_source_role() {
|
|
return (apol_string_vector_t*)seaudit_filter_get_source_role(self);
|
|
};
|
|
- void set_source_type(apol_string_vector_t *v) {
|
|
+ %rename(set_source_type) wrap_set_source_type;
|
|
+ void wrap_set_source_type(apol_string_vector_t *v) {
|
|
BEGIN_EXCEPTION
|
|
if (seaudit_filter_set_source_type(self, (apol_vector_t*)v)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set source type list for filter");
|
|
@@ -717,10 +770,12 @@ typedef struct seaudit_filter {} seaudit_filter_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- const apol_string_vector_t *get_source_type() {
|
|
+ %rename(get_source_type) wrap_get_source_type;
|
|
+ const apol_string_vector_t *wrap_get_source_type() {
|
|
return (apol_string_vector_t*)seaudit_filter_get_source_type(self);
|
|
};
|
|
- void set_target_user(apol_string_vector_t *v) {
|
|
+ %rename(set_target_user) wrap_set_target_user;
|
|
+ void wrap_set_target_user(apol_string_vector_t *v) {
|
|
BEGIN_EXCEPTION
|
|
if (seaudit_filter_set_target_user(self, (apol_vector_t*)v)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set target user list for filter");
|
|
@@ -729,10 +784,12 @@ typedef struct seaudit_filter {} seaudit_filter_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- const apol_string_vector_t *get_target_user() {
|
|
+ %rename(get_target_user) wrap_get_target_user;
|
|
+ const apol_string_vector_t *wrap_get_target_user() {
|
|
return (apol_string_vector_t*)seaudit_filter_get_target_user(self);
|
|
};
|
|
- void set_target_role(apol_string_vector_t *v) {
|
|
+ %rename(set_target_role) wrap_set_target_role;
|
|
+ void wrap_set_target_role(apol_string_vector_t *v) {
|
|
BEGIN_EXCEPTION
|
|
if (seaudit_filter_set_target_role(self, (apol_vector_t*)v)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set target role list for filter");
|
|
@@ -741,10 +798,12 @@ typedef struct seaudit_filter {} seaudit_filter_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- const apol_string_vector_t *get_target_role() {
|
|
+ %rename(get_target_role) wrap_get_target_role;
|
|
+ const apol_string_vector_t *wrap_get_target_role() {
|
|
return (apol_string_vector_t*)seaudit_filter_get_target_role(self);
|
|
};
|
|
- void set_target_type(apol_string_vector_t *v) {
|
|
+ %rename(set_target_type) wrap_set_target_type;
|
|
+ void wrap_set_target_type(apol_string_vector_t *v) {
|
|
BEGIN_EXCEPTION
|
|
if (seaudit_filter_set_target_type(self, (apol_vector_t*)v)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set target type list for filter");
|
|
@@ -753,10 +812,12 @@ typedef struct seaudit_filter {} seaudit_filter_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- const apol_string_vector_t *get_target_type() {
|
|
+ %rename(get_target_type) wrap_get_target_type;
|
|
+ const apol_string_vector_t *wrap_get_target_type() {
|
|
return (apol_string_vector_t*)seaudit_filter_get_target_type(self);
|
|
};
|
|
- void set_target_class(apol_string_vector_t *v) {
|
|
+ %rename(set_target_class) wrap_set_target_class;
|
|
+ void wrap_set_target_class(apol_string_vector_t *v) {
|
|
BEGIN_EXCEPTION
|
|
if (seaudit_filter_set_target_class(self, (apol_vector_t*)v)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set target class list for filter");
|
|
@@ -765,10 +826,12 @@ typedef struct seaudit_filter {} seaudit_filter_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- const apol_string_vector_t *get_target_class() {
|
|
+ %rename(get_target_class) wrap_get_target_class;
|
|
+ const apol_string_vector_t *wrap_get_target_class() {
|
|
return (apol_string_vector_t*)seaudit_filter_get_target_class(self);
|
|
};
|
|
- void set_permission(char *name) {
|
|
+ %rename(set_permission) wrap_set_permission;
|
|
+ void wrap_set_permission(char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (seaudit_filter_set_permission(self, name)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set permission for filter");
|
|
@@ -777,10 +840,12 @@ typedef struct seaudit_filter {} seaudit_filter_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- const char *get_permission() {
|
|
+ %rename(get_permission) wrap_get_permission;
|
|
+ const char *wrap_get_permission() {
|
|
return seaudit_filter_get_permission(self);
|
|
};
|
|
- void set_executable(char *name) {
|
|
+ %rename(set_executable) wrap_set_executable;
|
|
+ void wrap_set_executable(char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (seaudit_filter_set_executable(self, name)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set executable for filter");
|
|
@@ -789,10 +854,12 @@ typedef struct seaudit_filter {} seaudit_filter_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- const char *get_executable() {
|
|
+ %rename(get_executable) wrap_get_executable;
|
|
+ const char *wrap_get_executable() {
|
|
return seaudit_filter_get_executable(self);
|
|
};
|
|
- void set_host(char *name) {
|
|
+ %rename(set_host) wrap_set_host;
|
|
+ void wrap_set_host(char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (seaudit_filter_set_host(self, name)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set host for filter");
|
|
@@ -801,10 +868,12 @@ typedef struct seaudit_filter {} seaudit_filter_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- const char *get_host() {
|
|
+ %rename(get_host) wrap_get_host;
|
|
+ const char *wrap_get_host() {
|
|
return seaudit_filter_get_host(self);
|
|
};
|
|
- void set_path(char *path) {
|
|
+ %rename(set_path) wrap_set_path;
|
|
+ void wrap_set_path(char *path) {
|
|
BEGIN_EXCEPTION
|
|
if (seaudit_filter_set_path(self, path)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set path for filter");
|
|
@@ -813,10 +882,12 @@ typedef struct seaudit_filter {} seaudit_filter_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- const char *get_path() {
|
|
+ %rename(get_path) wrap_get_path;
|
|
+ const char *wrap_get_path() {
|
|
return seaudit_filter_get_path(self);
|
|
};
|
|
- void set_command(char *name) {
|
|
+ %rename(set_command) wrap_set_command;
|
|
+ void wrap_set_command(char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (seaudit_filter_set_command(self, name)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set command for filter");
|
|
@@ -825,22 +896,28 @@ typedef struct seaudit_filter {} seaudit_filter_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_inode(long inode) {
|
|
+ %rename(set_inode) wrap_set_inode;
|
|
+ void wrap_set_inode(long inode) {
|
|
seaudit_filter_set_inode(self, (long) inode);
|
|
};
|
|
- long get_inode() {
|
|
+ %rename(get_inode) wrap_get_inode;
|
|
+ long wrap_get_inode() {
|
|
return (long) seaudit_filter_get_inode(self);
|
|
};
|
|
- void set_pid(long pid) {
|
|
+ %rename(set_pid) wrap_set_pid;
|
|
+ void wrap_set_pid(long pid) {
|
|
seaudit_filter_set_pid(self, (unsigned int) pid);
|
|
};
|
|
- long get_pid() {
|
|
+ %rename(get_pid) wrap_get_pid;
|
|
+ long wrap_get_pid() {
|
|
return (long) seaudit_filter_get_pid(self);
|
|
};
|
|
- const char *get_command() {
|
|
+ %rename(get_command) wrap_get_command;
|
|
+ const char *wrap_get_command() {
|
|
return seaudit_filter_get_command(self);
|
|
};
|
|
- void set_anyaddr(char *name) {
|
|
+ %rename(set_anyaddr) wrap_set_anyaddr;
|
|
+ void wrap_set_anyaddr(char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (seaudit_filter_set_anyaddr(self, name)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set ip address for filter");
|
|
@@ -849,16 +926,20 @@ typedef struct seaudit_filter {} seaudit_filter_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- const char *get_anyaddr() {
|
|
+ %rename(get_anyaddr) wrap_get_anyaddr;
|
|
+ const char *wrap_get_anyaddr() {
|
|
return seaudit_filter_get_anyaddr(self);
|
|
};
|
|
- void set_anyport(int port) {
|
|
+ %rename(set_anyport) wrap_set_anyport;
|
|
+ void wrap_set_anyport(int port) {
|
|
seaudit_filter_set_anyport(self, port);
|
|
};
|
|
- int get_anyport() {
|
|
+ %rename(get_anyport) wrap_get_anyport;
|
|
+ int wrap_get_anyport() {
|
|
return seaudit_filter_get_anyport(self);
|
|
};
|
|
- void set_laddr(char *name) {
|
|
+ %rename(set_laddr) wrap_set_laddr;
|
|
+ void wrap_set_laddr(char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (seaudit_filter_set_laddr(self, name)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set local address for filter");
|
|
@@ -867,16 +948,20 @@ typedef struct seaudit_filter {} seaudit_filter_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- const char *get_laddr() {
|
|
+ %rename(get_laddr) wrap_get_laddr;
|
|
+ const char *wrap_get_laddr() {
|
|
return seaudit_filter_get_laddr(self);
|
|
};
|
|
- void set_lport(int port) {
|
|
+ %rename(set_lport) wrap_set_lport;
|
|
+ void wrap_set_lport(int port) {
|
|
seaudit_filter_set_lport(self, port);
|
|
};
|
|
- int get_lport() {
|
|
+ %rename(get_lport) wrap_get_lport;
|
|
+ int wrap_get_lport() {
|
|
return seaudit_filter_get_lport(self);
|
|
};
|
|
- void set_faddr(char *name) {
|
|
+ %rename(set_faddr) wrap_set_faddr;
|
|
+ void wrap_set_faddr(char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (seaudit_filter_set_faddr(self, name)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set foreign address for filter");
|
|
@@ -885,16 +970,20 @@ typedef struct seaudit_filter {} seaudit_filter_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- const char *get_faddr() {
|
|
+ %rename(get_faddr) wrap_get_faddr;
|
|
+ const char *wrap_get_faddr() {
|
|
return seaudit_filter_get_faddr(self);
|
|
};
|
|
- void set_fport(int port) {
|
|
+ %rename(set_fport) wrap_set_fport;
|
|
+ void wrap_set_fport(int port) {
|
|
seaudit_filter_set_fport(self, port);
|
|
};
|
|
- int get_fport() {
|
|
+ %rename(get_fport) wrap_get_fport;
|
|
+ int wrap_get_fport() {
|
|
return seaudit_filter_get_fport(self);
|
|
};
|
|
- void set_saddr(char *name) {
|
|
+ %rename(set_saddr) wrap_set_saddr;
|
|
+ void wrap_set_saddr(char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (seaudit_filter_set_saddr(self, name)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set source address for filter");
|
|
@@ -903,16 +992,20 @@ typedef struct seaudit_filter {} seaudit_filter_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- const char *get_saddr() {
|
|
+ %rename(get_saddr) wrap_get_saddr;
|
|
+ const char *wrap_get_saddr() {
|
|
return seaudit_filter_get_saddr(self);
|
|
};
|
|
- void set_sport(int port) {
|
|
+ %rename(set_sport) wrap_set_sport;
|
|
+ void wrap_set_sport(int port) {
|
|
seaudit_filter_set_sport(self, port);
|
|
};
|
|
- int get_sport() {
|
|
+ %rename(get_sport) wrap_get_sport;
|
|
+ int wrap_get_sport() {
|
|
return seaudit_filter_get_sport(self);
|
|
};
|
|
- void set_daddr(char *name) {
|
|
+ %rename(set_daddr) wrap_set_daddr;
|
|
+ void wrap_set_daddr(char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (seaudit_filter_set_daddr(self, name)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set destination address for filter");
|
|
@@ -921,22 +1014,28 @@ typedef struct seaudit_filter {} seaudit_filter_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- const char *get_daddr() {
|
|
+ %rename(get_daddr) wrap_get_daddr;
|
|
+ const char *wrap_get_daddr() {
|
|
return seaudit_filter_get_daddr(self);
|
|
};
|
|
- void set_dport(int port) {
|
|
+ %rename(set_dport) wrap_set_dport;
|
|
+ void wrap_set_dport(int port) {
|
|
seaudit_filter_set_dport(self, port);
|
|
};
|
|
- int get_dport() {
|
|
+ %rename(get_dport) wrap_get_dport;
|
|
+ int wrap_get_dport() {
|
|
return seaudit_filter_get_dport(self);
|
|
};
|
|
- void set_port(int port) {
|
|
+ %rename(set_port) wrap_set_port;
|
|
+ void wrap_set_port(int port) {
|
|
seaudit_filter_set_port(self, port);
|
|
};
|
|
- int get_port() {
|
|
+ %rename(get_port) wrap_get_port;
|
|
+ int wrap_get_port() {
|
|
return seaudit_filter_get_port(self);
|
|
};
|
|
- void set_netif(char *name) {
|
|
+ %rename(set_netif) wrap_set_netif;
|
|
+ void wrap_set_netif(char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (seaudit_filter_set_netif(self, name)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set network interface for filter");
|
|
@@ -945,22 +1044,28 @@ typedef struct seaudit_filter {} seaudit_filter_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- const char *get_netif() {
|
|
+ %rename(get_netif) wrap_get_netif;
|
|
+ const char *wrap_get_netif() {
|
|
return seaudit_filter_get_netif(self);
|
|
};
|
|
- void set_key(int key) {
|
|
+ %rename(set_key) wrap_set_key;
|
|
+ void wrap_set_key(int key) {
|
|
seaudit_filter_set_key(self, key);
|
|
};
|
|
- int get_key() {
|
|
+ %rename(get_key) wrap_get_key;
|
|
+ int wrap_get_key() {
|
|
return seaudit_filter_get_key(self);
|
|
};
|
|
- void set_cap(int cap) {
|
|
+ %rename(set_cap) wrap_set_cap;
|
|
+ void wrap_set_cap(int cap) {
|
|
seaudit_filter_set_cap(self, cap);
|
|
};
|
|
- int get_cap() {
|
|
+ %rename(get_cap) wrap_get_cap;
|
|
+ int wrap_get_cap() {
|
|
return seaudit_filter_get_cap(self);
|
|
};
|
|
- void set_message_type(seaudit_avc_message_type_e mtype) {
|
|
+ %rename(set_message_type) wrap_set_message_type;
|
|
+ void wrap_set_message_type(seaudit_avc_message_type_e mtype) {
|
|
BEGIN_EXCEPTION
|
|
if (seaudit_filter_set_message_type(self, mtype)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set message type for filter");
|
|
@@ -969,10 +1074,12 @@ typedef struct seaudit_filter {} seaudit_filter_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- seaudit_message_type_e get_message_type() {
|
|
+ %rename(get_message_type) wrap_get_message_type;
|
|
+ seaudit_message_type_e wrap_get_message_type() {
|
|
return seaudit_filter_get_message_type(self);
|
|
};
|
|
- void set_date(struct tm *start, struct tm *end, seaudit_filter_date_match_e match) {
|
|
+ %rename(set_date) wrap_set_date;
|
|
+ void wrap_set_date(struct tm *start, struct tm *end, seaudit_filter_date_match_e match) {
|
|
BEGIN_EXCEPTION
|
|
if (seaudit_filter_set_date(self, start, end, match)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set date for filter");
|
|
@@ -1014,14 +1121,14 @@ apol_vector_t *seaudit_filter_create_from_file(const char *filename);
|
|
/* seaudit sort */
|
|
typedef struct seaudit_sort {} seaudit_sort_t;
|
|
%extend seaudit_sort_t {
|
|
- seaudit_sort_t() {
|
|
+ seaudit_sort() {
|
|
BEGIN_EXCEPTION
|
|
SWIG_exception(SWIG_RuntimeError, "Cannot directly create seaudit_sort_t objects");
|
|
END_EXCEPTION
|
|
fail:
|
|
return NULL;
|
|
};
|
|
- seaudit_sort_t(seaudit_sort_t *in) {
|
|
+ seaudit_sort(seaudit_sort_t *in) {
|
|
seaudit_sort_t *ss = NULL;
|
|
BEGIN_EXCEPTION
|
|
ss = seaudit_sort_create_from_sort(in);
|
|
@@ -1032,7 +1139,7 @@ typedef struct seaudit_sort {} seaudit_sort_t;
|
|
fail:
|
|
return ss;
|
|
};
|
|
- ~seaudit_sort_t() {
|
|
+ ~seaudit_sort() {
|
|
seaudit_sort_destroy(&self);
|
|
};
|
|
};
|
|
@@ -1113,7 +1220,7 @@ extern seaudit_sort_t *seaudit_sort_by_cap(const int direction);
|
|
#endif
|
|
typedef struct seaudit_model {} seaudit_model_t;
|
|
%extend seaudit_model_t {
|
|
- seaudit_model_t(char *name = NULL, seaudit_log_t *slog = NULL) {
|
|
+ seaudit_model(char *name = NULL, seaudit_log_t *slog = NULL) {
|
|
seaudit_model_t *smod;
|
|
BEGIN_EXCEPTION
|
|
smod = seaudit_model_create(name, slog);
|
|
@@ -1124,7 +1231,7 @@ typedef struct seaudit_model {} seaudit_model_t;
|
|
fail:
|
|
return smod;
|
|
};
|
|
- seaudit_model_t(seaudit_model_t *in) {
|
|
+ seaudit_model(seaudit_model_t *in) {
|
|
seaudit_model_t *smod;
|
|
BEGIN_EXCEPTION
|
|
smod = seaudit_model_create_from_model(in);
|
|
@@ -1135,7 +1242,7 @@ typedef struct seaudit_model {} seaudit_model_t;
|
|
fail:
|
|
return smod;
|
|
};
|
|
- seaudit_model_t(char *path) {
|
|
+ seaudit_model(char *path) {
|
|
seaudit_model_t *smod;
|
|
BEGIN_EXCEPTION
|
|
smod = seaudit_model_create_from_file(path);
|
|
@@ -1146,7 +1253,7 @@ typedef struct seaudit_model {} seaudit_model_t;
|
|
fail:
|
|
return smod;
|
|
}
|
|
- ~seaudit_model_t() {
|
|
+ ~seaudit_model() {
|
|
seaudit_model_destroy(&self);
|
|
};
|
|
void save(char *path) {
|
|
@@ -1158,10 +1265,12 @@ typedef struct seaudit_model {} seaudit_model_t;
|
|
fail:
|
|
return;
|
|
}
|
|
- const char *get_name() {
|
|
+ %rename(get_name) wrap_get_name;
|
|
+ const char *wrap_get_name() {
|
|
return seaudit_model_get_name(self);
|
|
};
|
|
- void set_name(char *name) {
|
|
+ %rename(set_name) wrap_set_name;
|
|
+ void wrap_set_name(char *name) {
|
|
BEGIN_EXCEPTION
|
|
if (seaudit_model_set_name(self, name)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set model name");
|
|
@@ -1170,7 +1279,8 @@ typedef struct seaudit_model {} seaudit_model_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void append_log(seaudit_log_t *slog) {
|
|
+ %rename(append_log) wrap_append_log;
|
|
+ void wrap_append_log(seaudit_log_t *slog) {
|
|
BEGIN_EXCEPTION
|
|
if (seaudit_model_append_log(self, slog)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not append log to model");
|
|
@@ -1179,7 +1289,8 @@ typedef struct seaudit_model {} seaudit_model_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void append_filter(seaudit_filter_t *filter) {
|
|
+ %rename(append_filter) wrap_append_filter;
|
|
+ void wrap_append_filter(seaudit_filter_t *filter) {
|
|
BEGIN_EXCEPTION
|
|
#ifdef SWIGJAVA /* duplicate so the garbage collector does not double free */
|
|
seaudit_filter_t *tmp = seaudit_filter_create_from_filter(filter);
|
|
@@ -1196,11 +1307,13 @@ typedef struct seaudit_model {} seaudit_model_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- const apol_vector_t *get_filters() {
|
|
+ %rename(get_filters) wrap_get_filters;
|
|
+ const apol_vector_t *wrap_get_filters() {
|
|
return seaudit_model_get_filters(self);
|
|
};
|
|
%delobject remove_filter();
|
|
- void remove_filter(seaudit_filter_t *filter) {
|
|
+ %rename(remove_filter) wrap_remove_filter;
|
|
+ void wrap_remove_filter(seaudit_filter_t *filter) {
|
|
BEGIN_EXCEPTION
|
|
if (seaudit_model_remove_filter(self, filter)) {
|
|
SWIG_exception(SWIG_ValueError, "Could not remove filter");
|
|
@@ -1209,7 +1322,8 @@ typedef struct seaudit_model {} seaudit_model_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_filter_match(seaudit_filter_match_e match) {
|
|
+ %rename(set_filter_match) wrap_set_filter_match;
|
|
+ void wrap_set_filter_match(seaudit_filter_match_e match) {
|
|
BEGIN_EXCEPTION
|
|
if (seaudit_model_set_filter_match(self, match)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set filter matching method for model");
|
|
@@ -1218,10 +1332,12 @@ typedef struct seaudit_model {} seaudit_model_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- seaudit_filter_match_e get_filter_match() {
|
|
+ %rename(get_filter_match) wrap_get_filter_match;
|
|
+ seaudit_filter_match_e wrap_get_filter_match() {
|
|
return seaudit_model_get_filter_match(self);
|
|
};
|
|
- void set_filter_visible(seaudit_filter_visible_e vis) {
|
|
+ %rename(set_filter_visible) wrap_set_filter_visible;
|
|
+ void wrap_set_filter_visible(seaudit_filter_visible_e vis) {
|
|
BEGIN_EXCEPTION
|
|
if (seaudit_model_set_filter_visible(self, vis)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set filter visibility for model");
|
|
@@ -1230,10 +1346,12 @@ typedef struct seaudit_model {} seaudit_model_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- seaudit_filter_visible_e get_filter_visible() {
|
|
+ %rename(get_filter_visible) wrap_get_filter_visible;
|
|
+ seaudit_filter_visible_e wrap_get_filter_visible() {
|
|
return seaudit_model_get_filter_visible(self);
|
|
};
|
|
- void append_sort(seaudit_sort_t *ssort) {
|
|
+ %rename(append_sort) wrap_append_sort;
|
|
+ void wrap_append_sort(seaudit_sort_t *ssort) {
|
|
BEGIN_EXCEPTION
|
|
#ifdef SWIGJAVA
|
|
seaudit_sort_t *tmp = seaudit_sort_create_from_sort(ssort);
|
|
@@ -1250,7 +1368,8 @@ typedef struct seaudit_model {} seaudit_model_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void clear_sorts() {
|
|
+ %rename(clear_sorts) wrap_clear_sorts;
|
|
+ void wrap_clear_sorts() {
|
|
BEGIN_EXCEPTION
|
|
if (seaudit_model_clear_sorts(self)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not clear model sorting criteria");
|
|
@@ -1259,11 +1378,13 @@ typedef struct seaudit_model {} seaudit_model_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- int is_changed() {
|
|
+ %rename(is_changed) wrap_is_changed;
|
|
+ int wrap_is_changed() {
|
|
return seaudit_model_is_changed(self);
|
|
};
|
|
%newobject get_messages(seaudit_log_t*);
|
|
- apol_vector_t *get_messages(seaudit_log_t *slog) {
|
|
+ %rename(get_messages) wrap_get_messages;
|
|
+ apol_vector_t *wrap_get_messages(seaudit_log_t *slog) {
|
|
apol_vector_t *v = NULL;
|
|
BEGIN_EXCEPTION
|
|
v = seaudit_model_get_messages(slog, self);
|
|
@@ -1275,7 +1396,8 @@ typedef struct seaudit_model {} seaudit_model_t;
|
|
return v;
|
|
};
|
|
%newobject get_malformed_messages(seaudit_log_t*);
|
|
- apol_vector_t *get_malformed_messages(seaudit_log_t *slog) {
|
|
+ %rename(get_malformed_messages) wrap_get_malformed_messages;
|
|
+ apol_vector_t *wrap_get_malformed_messages(seaudit_log_t *slog) {
|
|
apol_vector_t *v = NULL;
|
|
BEGIN_EXCEPTION
|
|
v = seaudit_model_get_malformed_messages(slog, self);
|
|
@@ -1286,19 +1408,24 @@ typedef struct seaudit_model {} seaudit_model_t;
|
|
fail:
|
|
return v;
|
|
};
|
|
- void hide_message(seaudit_message_t *message) {
|
|
+ %rename(hide_message) wrap_hide_message;
|
|
+ void wrap_hide_message(seaudit_message_t *message) {
|
|
seaudit_model_hide_message(self, message);
|
|
};
|
|
- size_t get_num_allows(seaudit_log_t *slog) {
|
|
+ %rename(get_num_allows) wrap_get_num_allows;
|
|
+ size_t wrap_get_num_allows(seaudit_log_t *slog) {
|
|
return seaudit_model_get_num_allows(slog, self);
|
|
};
|
|
- size_t get_num_denies(seaudit_log_t *slog) {
|
|
+ %rename(get_num_denies) wrap_get_num_denies;
|
|
+ size_t wrap_get_num_denies(seaudit_log_t *slog) {
|
|
return seaudit_model_get_num_denies(slog, self);
|
|
};
|
|
- size_t get_num_bools(seaudit_log_t *slog) {
|
|
+ %rename(get_num_bools) wrap_get_num_bools;
|
|
+ size_t wrap_get_num_bools(seaudit_log_t *slog) {
|
|
return seaudit_model_get_num_bools(slog, self);
|
|
};
|
|
- size_t get_num_loads(seaudit_log_t *slog) {
|
|
+ %rename(get_num_loads) wrap_get_num_loads;
|
|
+ size_t wrap_get_num_loads(seaudit_log_t *slog) {
|
|
return seaudit_model_get_num_loads(slog, self);
|
|
};
|
|
};
|
|
@@ -1311,7 +1438,7 @@ typedef enum seaudit_report_format
|
|
} seaudit_report_format_e;
|
|
typedef struct seaudit_report {} seaudit_report_t;
|
|
%extend seaudit_report_t {
|
|
- seaudit_report_t(seaudit_model_t *m) {
|
|
+ seaudit_report(seaudit_model_t *m) {
|
|
seaudit_report_t *sr;
|
|
BEGIN_EXCEPTION
|
|
sr = seaudit_report_create(m);
|
|
@@ -1322,10 +1449,11 @@ typedef struct seaudit_report {} seaudit_report_t;
|
|
fail:
|
|
return sr;
|
|
};
|
|
- ~seaudit_report_t() {
|
|
+ ~seaudit_report() {
|
|
seaudit_report_destroy(&self);
|
|
};
|
|
- void write(seaudit_log_t *slog, char *path) {
|
|
+ %rename(write) wrap_write;
|
|
+ void wrap_write(seaudit_log_t *slog, char *path) {
|
|
BEGIN_EXCEPTION
|
|
if (seaudit_report_write(slog, self, path)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not write report to file");
|
|
@@ -1334,7 +1462,8 @@ typedef struct seaudit_report {} seaudit_report_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_format(seaudit_log_t *slog, seaudit_report_format_e format) {
|
|
+ %rename(set_format) wrap_set_format;
|
|
+ void wrap_set_format(seaudit_log_t *slog, seaudit_report_format_e format) {
|
|
BEGIN_EXCEPTION
|
|
if (seaudit_report_set_format(slog, self, format)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set report format");
|
|
@@ -1343,7 +1472,8 @@ typedef struct seaudit_report {} seaudit_report_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_configuration(seaudit_log_t *slog, char *path) {
|
|
+ %rename(set_configuration) wrap_set_configuration;
|
|
+ void wrap_set_configuration(seaudit_log_t *slog, char *path) {
|
|
BEGIN_EXCEPTION
|
|
if (seaudit_report_set_configuration(slog, self, path)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set report configuration file");
|
|
@@ -1352,7 +1482,8 @@ typedef struct seaudit_report {} seaudit_report_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_stylesheet(seaudit_log_t *slog, char *path, int use_stylesheet) {
|
|
+ %rename(set_stylesheet) wrap_set_stylesheet;
|
|
+ void wrap_set_stylesheet(seaudit_log_t *slog, char *path, int use_stylesheet) {
|
|
BEGIN_EXCEPTION
|
|
if (seaudit_report_set_stylesheet(slog, self, path, use_stylesheet)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set report stylesheet");
|
|
@@ -1361,7 +1492,8 @@ typedef struct seaudit_report {} seaudit_report_t;
|
|
fail:
|
|
return;
|
|
};
|
|
- void set_malformed(seaudit_log_t *slog, int do_malformed) {
|
|
+ %rename(set_malformed) wrap_set_malformed;
|
|
+ void wrap_set_malformed(seaudit_log_t *slog, int do_malformed) {
|
|
BEGIN_EXCEPTION
|
|
if (seaudit_report_set_malformed(slog, self, do_malformed)) {
|
|
SWIG_exception(SWIG_RuntimeError, "Could not set report malformed flag");
|
|
diff --git a/libsefs/src/db.cc b/libsefs/src/db.cc
|
|
index 88ad588..191d796 100644
|
|
--- a/libsefs/src/db.cc
|
|
+++ b/libsefs/src/db.cc
|
|
@@ -479,8 +479,13 @@ int db_create_from_filesystem(sefs_fclist * fclist __attribute__ ((unused)), con
|
|
struct stat64 sb;
|
|
if (stat64(path, &sb) == -1)
|
|
{
|
|
- SEFS_ERR(dbc->_db, "%s", strerror(errno));
|
|
- throw std::bad_alloc();
|
|
+ /* If sym link broken/file not found, then ignore as this will allow
|
|
+ the index to be built. Useful when investigating broken systems.
|
|
+ Also see new_ftw.c comment regarding "lstat calls go through the
|
|
+ wrapper function" to stop index hanging on broken files. */
|
|
+ link_target[127] = '\0';
|
|
+ sb.st_mode = 0;
|
|
+ SEFS_WARN(dbc->_db, "Could not stat file: %s - ignoring", path);
|
|
}
|
|
if (S_ISLNK(sb.st_mode))
|
|
{
|
|
diff --git a/libsefs/src/new_ftw.c b/libsefs/src/new_ftw.c
|
|
index 5ebaf29..10eb78f 100644
|
|
--- a/libsefs/src/new_ftw.c
|
|
+++ b/libsefs/src/new_ftw.c
|
|
@@ -131,7 +131,11 @@ extern char *xgetcwd(void);
|
|
/* Arrange to make lstat calls go through the wrapper function
|
|
on systems with an lstat function that does not dereference symlinks
|
|
that are specified with a trailing slash. */
|
|
-#if ! _LIBC && ! LSTAT_FOLLOWS_SLASHED_SYMLINK
|
|
+/* If this is used on Linux (Fedora) when a sym link or file is broken,
|
|
+ the file context function will hang forever:
|
|
+ #if ! _LIBC && ! LSTAT_FOLLOWS_SLASHED_SYMLINK
|
|
+ Therefore changed to this so uses Linux lstat function. */
|
|
+#if _LIBC && ! LSTAT_FOLLOWS_SLASHED_SYMLINK
|
|
int rpl_lstat(const char *, struct stat *);
|
|
# undef lstat
|
|
# define lstat(Name, Stat_buf) rpl_lstat(Name, Stat_buf)
|
|
diff --git a/secmds/replcon.cc b/secmds/replcon.cc
|
|
index 34f7c1a..307c39f 100644
|
|
--- a/secmds/replcon.cc
|
|
+++ b/secmds/replcon.cc
|
|
@@ -60,7 +60,7 @@ static struct option const longopts[] = {
|
|
{NULL, 0, NULL, 0}
|
|
};
|
|
|
|
-extern int lsetfilecon_raw(const char *, security_context_t) __attribute__ ((weak));
|
|
+extern int lsetfilecon_raw(const char *, const char *) __attribute__ ((weak));
|
|
|
|
/**
|
|
* As that setools must work with older libselinux versions that may
|
|
diff --git a/sediff/progress.c b/sediff/progress.c
|
|
index efaa120..09730dc 100644
|
|
--- a/sediff/progress.c
|
|
+++ b/sediff/progress.c
|
|
@@ -99,7 +99,7 @@ void progress_hide(progress_t * progress)
|
|
|
|
int progress_wait(progress_t * progress)
|
|
{
|
|
- GTimeVal wait_time = { 0, 50000 };
|
|
+ gint64 wait_time;
|
|
g_mutex_lock(progress->mutex);
|
|
while (!progress->done) {
|
|
if (progress->s != NULL) {
|
|
@@ -111,7 +111,8 @@ int progress_wait(progress_t * progress)
|
|
// still be loading, and this dialog should not block
|
|
// until the entire source has been read
|
|
gtk_main_iteration_do(FALSE);
|
|
- g_cond_timed_wait(progress->cond, progress->mutex, &wait_time);
|
|
+ wait_time = g_get_monotonic_time () + 50000;
|
|
+ g_cond_wait_until(progress->cond, progress->mutex, wait_time);
|
|
}
|
|
g_mutex_unlock(progress->mutex);
|
|
if (progress->done < 0) {
|