/usr/include/poldiff/poldiff.h is in libpoldiff-dev 3.3.8+20151215-2.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 | /**
* @file
* Public interface for computing semantic policy differences
* between two policies. The user loads two policies, the "original"
* and "modified" policies, and then calls poldiff_create() to obtain
* a poldiff object. Next call poldiff_run() to actually execute the
* differencing algorithm. Results are retrieved via
* poldiff_get_type_vector(), poldiff_get_avrule_vector(), and so
* forth.
*
* @author Jeremy A. Mowery jmowery@tresys.com
* @author Jason Tang jtang@tresys.com
*
* Copyright (C) 2006-2007 Tresys Technology, LLC
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*/
#ifndef POLDIFF_POLDIFF_H
#define POLDIFF_POLDIFF_H
#ifdef __cplusplus
extern "C"
{
#endif
#include <apol/policy.h>
#include <apol/policy-query.h>
#include <apol/vector.h>
#include <stdarg.h>
#include <stdint.h>
typedef struct poldiff poldiff_t;
/**
* Form of a difference. This enumeration describes the kind of change
* in a policy component or rule from policy1 to policy2.
* Differences can be additions (item present only in policy2),
* removals (item present only in policy1) or a modification
* (item present in both policies with different semantic meaning).
* For rules there are two more options - added or removed due to a
* type being added or removed; these forms differentiate these cases
* from those of added/removed rules where the types exist in both policies.
*/
typedef enum poldiff_form
{
/** only for error conditions */
POLDIFF_FORM_NONE,
/** item was added - only in policy 2 */
POLDIFF_FORM_ADDED,
/** item was removed - only in policy 1 */
POLDIFF_FORM_REMOVED,
/** item was modified - in both policies but with different meaning */
POLDIFF_FORM_MODIFIED,
/** item was added due to an added type - for rules only */
POLDIFF_FORM_ADD_TYPE,
/** item was removed due to a removed type - for rules only */
POLDIFF_FORM_REMOVE_TYPE
} poldiff_form_e;
typedef void (*poldiff_handle_fn_t) (void *arg, const poldiff_t * diff, int level, const char *fmt, va_list va_args);
#include <poldiff/attrib_diff.h>
#include <poldiff/avrule_diff.h>
#include <poldiff/cat_diff.h>
#include <poldiff/bool_diff.h>
#include <poldiff/class_diff.h>
#include <poldiff/level_diff.h>
#include <poldiff/range_diff.h>
#include <poldiff/range_trans_diff.h>
#include <poldiff/rbac_diff.h>
#include <poldiff/role_diff.h>
#include <poldiff/terule_diff.h>
#include <poldiff/type_diff.h>
#include <poldiff/user_diff.h>
#include <poldiff/type_map.h>
#include <poldiff/util.h>
/* NOTE: while defined OCONS are not currently supported */
#define POLDIFF_DIFF_CLASSES 0x00000001U
#define POLDIFF_DIFF_COMMONS 0x00000002U
#define POLDIFF_DIFF_TYPES 0x00000004U
#define POLDIFF_DIFF_ATTRIBS 0x00000008U
#define POLDIFF_DIFF_ROLES 0x00000010U
#define POLDIFF_DIFF_USERS 0x00000020U
#define POLDIFF_DIFF_BOOLS 0x00000040U
#define POLDIFF_DIFF_LEVELS 0x00000080U
#define POLDIFF_DIFF_CATS 0x00000100U
#define POLDIFF_DIFF_ROLE_ALLOWS 0x00000800U
#define POLDIFF_DIFF_ROLE_TRANS 0x00001000U
#define POLDIFF_DIFF_RANGE_TRANS 0x00002000U
#define POLDIFF_DIFF_AVALLOW 0x10000000U
#define POLDIFF_DIFF_AVAUDITALLOW 0x20000000U
#define POLDIFF_DIFF_AVDONTAUDIT 0x40000000U
#define POLDIFF_DIFF_AVNEVERALLOW 0x80000000U
#define POLDIFF_DIFF_TECHANGE 0x01000000U
#define POLDIFF_DIFF_TEMEMBER 0x02000000U
#define POLDIFF_DIFF_TETRANS 0x04000000U
#define POLDIFF_DIFF_TERULES_COMPAT 0x00000400U /**< deprecated */
#define POLDIFF_DIFF_AVRULES_COMPAT 0x00000200U /**< deprecated */
#define POLDIFF_DIFF_AVRULES (POLDIFF_DIFF_AVALLOW | POLDIFF_DIFF_AVNEVERALLOW | POLDIFF_DIFF_AVAUDITALLOW | POLDIFF_DIFF_AVDONTAUDIT)
#define POLDIFF_DIFF_TERULES (POLDIFF_DIFF_TEMEMBER | POLDIFF_DIFF_TECHANGE | POLDIFF_DIFF_TETRANS)
/*
* Add ocons here and modify POLDIFF_DIFF_OCONS below
* #define POLDIFF_DIFF_ *
*/
#define POLDIFF_DIFF_SYMBOLS (POLDIFF_DIFF_CLASSES|POLDIFF_DIFF_COMMONS|POLDIFF_DIFF_TYPES|POLDIFF_DIFF_ATTRIBS|POLDIFF_DIFF_ROLES|POLDIFF_DIFF_USERS|POLDIFF_DIFF_BOOLS)
#define POLDIFF_DIFF_RULES (POLDIFF_DIFF_AVRULES|POLDIFF_DIFF_TERULES|POLDIFF_DIFF_ROLE_ALLOWS|POLDIFF_DIFF_ROLE_TRANS)
#define POLDIFF_DIFF_RBAC (POLDIFF_DIFF_ROLES|POLDIFF_DIFF_ROLE_ALLOWS|POLDIFF_DIFF_ROLE_TRANS)
#define POLDIFF_DIFF_MLS (POLDIFF_DIFF_LEVELS|POLDIFF_DIFF_CATS|POLDIFF_DIFF_RANGE_TRANS)
#define POLDIFF_DIFF_OCONS 0
#define POLDIFF_DIFF_REMAPPED (POLDIFF_DIFF_TYPES|POLDIFF_DIFF_ATTRIBS|POLDIFF_DIFF_AVRULES|POLDIFF_DIFF_TERULES|POLDIFF_DIFF_ROLES|POLDIFF_DIFF_ROLE_TRANS|POLDIFF_DIFF_RANGE_TRANS|POLDIFF_DIFF_OCONS)
#define POLDIFF_DIFF_ALL (POLDIFF_DIFF_SYMBOLS|POLDIFF_DIFF_RULES|POLDIFF_DIFF_MLS|POLDIFF_DIFF_OCONS)
/**
* Allocate and initialize a new policy difference structure. This
* function takes ownership of the supplied policies and will handle
* their destruction upon poldiff_destroy(). The poldiff object will
* be responsible for rebuilding the policy (such as if neverallows
* are requested). It is still safe to access elements within the
* policies, but avoid making changes to the policy while the poldiff
* object still exists.
* @param orig_policy The original policy.
* @param mod_policy The new (modified) policy.
* @param fn Function to be called by the error handler. If NULL
* then write messages to standard error.
* @param callback_arg Argument for the callback.
* @return a newly allocated and initialized difference structure or
* NULL on error; if the call fails, errno will be set.
* The caller is responsible for calling poldiff_destroy() to free
* memory used by this structure.
*/
extern poldiff_t *poldiff_create(apol_policy_t * orig_policy,
apol_policy_t * mod_policy, poldiff_handle_fn_t fn, void *callback_arg);
/**
* Free all memory used by a policy difference structure and set it to NULL.
* @param diff Reference pointer to the difference structure to destroy.
* This pointer will be set to NULL. (If already NULL, function is a no-op.)
*/
extern void poldiff_destroy(poldiff_t ** diff);
/**
* Run the difference algorithm for the selected policy components/rules.
* @param diff The policy difference structure for which to compute
* the differences.
* @param flags Bit-wise or'd set of POLDIFF_DIFF_* from above indicating
* the components and rules for which to compute the difference.
* If an item has already been computed the flag for that item is ignored.
* @return 0 on success or < 0 on error; if the call fails, errno will
* be set and the only defined operation on the difference structure is
* poldiff_destroy().
*/
extern int poldiff_run(poldiff_t * diff, uint32_t flags);
/**
* Determine if a particular policy component/rule diff was actually
* run yet or not.
* @param diff The policy difference structure for which to compute
* the differences.
* @param flags Bit-wise or'd set of POLDIFF_DIFF_* from above indicating
* which components/rules diffs were run.
* @return 1 if all indicated diffs were run, 0 if any were not, < 0
* on error.
*/
extern int poldiff_is_run(const poldiff_t * diff, uint32_t flags);
/**
* Get a total of the differences of each form for a given item (or set
* of items).
* @param diff The policy difference structure from which to get the stats.
* @param flags Bit-wise or'd set of POLDIFF_DIFF_* from above indicating
* the items for which to get the total differences. If more that one bit
* is set differences of the same form are totaled for all specified items.
* @param stats Array into which to write the numbers (array must be
* pre-allocated). The order of the values written to the array is as follows:
* number of items of form POLDIFF_FORM_ADDED, number of POLDIFF_FORM_REMOVED,
* number of POLDIFF_FORM_MODIFIED, number of form POLDIFF_FORM_ADD_TYPE, and
* number of POLDIFF_FORM_REMOVE_TYPE.
* @return 0 on success and < 0 on error; if the call fails, errno will be set.
*/
extern int poldiff_get_stats(const poldiff_t * diff, uint32_t flags, size_t stats[5]);
/**
* Enable line numbers for all rule differences. If not called, line
* numbers will not be available when displaying differences. This
* function is safe to call multiple times and will have no effect
* after the first time. It also has no effect if one policy (or
* both of them) does not support line numbers. Be aware that line
* numbers will need to be re-enabled each time poldiff_run() is
* called.
*
* @param diff The policy difference structure.
*
* @return 0 on success and < 0 on failure; if the call fails,
* errno will be set and the difference structure should be destroyed.
*/
extern int poldiff_enable_line_numbers(poldiff_t * diff);
#ifdef __cplusplus
}
#endif
#endif /* POLDIFF_POLDIFF_H */
|