/usr/include/apol/rbacrule-query.h is in libapol-dev 3.3.6.ds-7.2ubuntu4.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 | /**
* @file
*
* Routines to query (role) allow and role_transition rules of a
* policy. This does not include access vector's allow rules, which
* are found in avrule-query.h.
*
* @author Jeremy A. Mowery jmowery@tresys.com
* @author Jason Tang jtang@tresys.com
*
* Copyright (C) 2006-2007 Tresys Technology, LLC
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*/
#ifndef APOL_RBACRULE_QUERY_H
#define APOL_RBACRULE_QUERY_H
#ifdef __cplusplus
extern "C"
{
#endif
#include "policy.h"
#include "vector.h"
#include <qpol/policy.h>
typedef struct apol_role_allow_query apol_role_allow_query_t;
typedef struct apol_role_trans_query apol_role_trans_query_t;
/******************** (role) allow queries ********************/
/**
* Execute a query against all (role) allow rules within the policy.
*
* @param p Policy within which to look up allow rules.
* @param r Structure containing parameters for query. If this is
* NULL then return all allow rules.
* @param v Reference to a vector of qpol_role_allow_t. The vector
* will be allocated by this function. The caller must call
* apol_vector_destroy() afterwards. This will be set to NULL upon no
* results or upon error.
*
* @return 0 on success (including none found), negative on error.
*/
extern int apol_role_allow_get_by_query(const apol_policy_t * p, const apol_role_allow_query_t * r, apol_vector_t ** v);
/**
* Allocate and return a new role allow query structure. All fields
* are initialized, such that running this blank query results in
* returning all (role) allows within the policy. The caller must
* call apol_role_allow_query_destroy() upon the return value
* afterwards.
*
* @return An initialized role allow query structure, or NULL upon
* error.
*/
extern apol_role_allow_query_t *apol_role_allow_query_create(void);
/**
* Deallocate all memory associated with the referenced role allow
* query, and then set it to NULL. This function does nothing if the
* query is already NULL.
*
* @param r Reference to a role allow query structure to destroy.
*/
extern void apol_role_allow_query_destroy(apol_role_allow_query_t ** r);
/**
* Set a role allow query to return rules with a particular source
* role.
*
* @param p Policy handler, to report errors.
* @param r Role allow query to set.
* @param role Limit query to rules with this role as their source, or
* NULL to unset this field.
*
* @return 0 on success, negative on error.
*/
extern int apol_role_allow_query_set_source(const apol_policy_t * p, apol_role_allow_query_t * r, const char *role);
/**
* Set a role allow query to return rules with a particular target
* role. This field is ignored if
* apol_role_allow_query_set_source_any() is set to non-zero.
*
* @param p Policy handler, to report errors.
* @param r Role allow query to set.
* @param role Limit query to rules with this role as their target, or
* NULL to unset this field.
*
* @return 0 on success, negative on error.
*/
extern int apol_role_allow_query_set_target(const apol_policy_t * p, apol_role_allow_query_t * r, const char *role);
/**
* Set a role allow query to treat the source role as any. That is,
* use the same symbol for either source or target of a (role) allow
* rule. This flag does nothing if the source role is not set.
*
* @param p Policy handler, to report errors.
* @param r Role allow query to set.
* @param is_any Non-zero to use source symbol for any field, 0 to
* keep source as only source.
*
* @return Always 0.
*/
extern int apol_role_allow_query_set_source_any(const apol_policy_t * p, apol_role_allow_query_t * r, int is_any);
/**
* Set a role allow query to use regular expression searching for
* source and target fields. Strings will be treated as regexes
* instead of literals.
*
* @param p Policy handler, to report errors.
* @param r Role allow query to set.
* @param is_regex Non-zero to enable regex searching, 0 to disable.
*
* @return Always 0.
*/
extern int apol_role_allow_query_set_regex(const apol_policy_t * p, apol_role_allow_query_t * r, int is_regex);
/**
* Render a role allow rule to a string.
*
* @param policy Policy handler, to report errors.
* @param rule The rule to render.
*
* @return a newly malloc()'d string representation of the rule, or NULL on
* failure; if the call fails, errno will be set. The caller is responsible
* for calling free() on the returned string.
*/
extern char *apol_role_allow_render(const apol_policy_t * policy, const qpol_role_allow_t * rule);
/******************** role_transition queries ********************/
/**
* Execute a query against all role_transition rules within the
* policy.
*
* @param p Policy within which to look up role_transition rules.
* @param r Structure containing parameters for query. If this is
* NULL then return all role_transition rules.
* @param v Reference to a vector of qpol_role_trans_t. The vector
* will be allocated by this function. The caller must call
* apol_vector_destroy() afterwards. This will be set to NULL upon no
* results or upon error.
*
* @return 0 on success (including none found), negative on error.
*/
extern int apol_role_trans_get_by_query(const apol_policy_t * p, const apol_role_trans_query_t * r, apol_vector_t ** v);
/**
* Allocate and return a new role trans query structure. All fields
* are initialized, such that running this blank query results in
* returning all role_transitions within the policy. The caller must
* call apol_role_trans_query_destroy() upon the return value
* afterwards.
*
* @return An initialized role trans query structure, or NULL upon
* error.
*/
extern apol_role_trans_query_t *apol_role_trans_query_create(void);
/**
* Deallocate all memory associated with the referenced role trans
* query, and then set it to NULL. This function does nothing if the
* query is already NULL.
*
* @param r Reference to a role trans query structure to destroy.
*/
extern void apol_role_trans_query_destroy(apol_role_trans_query_t ** r);
/**
* Set a role trans query to return rules with a particular source
* role.
*
* @param p Policy handler, to report errors.
* @param r Role trans query to set.
* @param role Limit query to rules with this role as their source, or
* NULL to unset this field.
*
* @return 0 on success, negative on error.
*/
extern int apol_role_trans_query_set_source(const apol_policy_t * p, apol_role_trans_query_t * r, const char *role);
/**
* Set a role trans query to return rules with a particular target
* symbol. Symbol may be a type or attribute; if it is an alias then
* the query will convert it to its primary prior to searching. If
* is_indirect is non-zero then the search will be done indirectly.
* If the symbol is a type, then the query matches rules with one of
* the type's attributes. If the symbol is an attribute, then it
* matches rule with any of the attribute's types.
*
* @param p Policy handler, to report errors.
* @param r Role trans query to set.
* @param symbol Limit query to rules with this type or attribute as
* their target, or NULL to unset this field.
* @param is_indirect If non-zero, perform indirect matching.
*
* @return 0 on success, negative on error.
*/
extern int apol_role_trans_query_set_target(const apol_policy_t * p, apol_role_trans_query_t * r, const char *symbol,
int is_indirect);
/**
* Set a role trans query to return rules with a particular default
* role. This field is ignored if
* apol_role_trans_query_set_source_any() is set to non-zero.
*
* @param p Policy handler, to report errors.
* @param r Role trans query to set.
* @param role Limit query to rules with this role as their default, or
* NULL to unset this field.
*
* @return 0 on success, negative on error.
*/
extern int apol_role_trans_query_set_default(const apol_policy_t * p, apol_role_trans_query_t * r, const char *role);
/**
* Set a role trans query to treat the source role as any. That is,
* use the same symbol for either source or default of a
* role_transition rule. This flag does nothing if the source role is
* not set. Note that a role_transition's target is a type, so thus
* this flag does not affect its searching.
*
* @param p Policy handler, to report errors.
* @param r Role trans query to set.
* @param is_any Non-zero to use source symbol for source or default
* field, 0 to keep source as only source.
*
* @return Always 0.
*/
extern int apol_role_trans_query_set_source_any(const apol_policy_t * p, apol_role_trans_query_t * r, int is_any);
/**
* Set a role trans query to use regular expression searching for
* source, target, and default fields. Strings will be treated as
* regexes instead of literals. For the target type, matching will
* occur against the type name or any of its aliases.
*
* @param p Policy handler, to report errors.
* @param r Role trans query to set.
* @param is_regex Non-zero to enable regex searching, 0 to disable.
*
* @return Always 0.
*/
extern int apol_role_trans_query_set_regex(const apol_policy_t * p, apol_role_trans_query_t * r, int is_regex);
/**
* Render a role_transition rule to a string.
*
* @param policy Policy handler, to report errors.
* @param rule The rule to render.
*
* @return A newly malloc()'d string representation of the rule, or NULL on
* failure; if the call fails, errno will be set. The caller is responsible
* for calling free() on the returned string.
*/
extern char *apol_role_trans_render(const apol_policy_t * policy, const qpol_role_trans_t * rule);
#ifdef __cplusplus
}
#endif
#endif
|