/* SPDX-License-Identifier: GPL-2.0 */
/*
 * A constraint is a condition that must be satisfied in
 * order for one or more permissions to be granted.
 * Constraints are used to impose additional restrictions
 * beyond the type-based rules in `te' or the role-based
 * transition rules in `rbac'. Constraints are typically
 * used to prevent a process from transitioning to a new user
 * identity or role unless it is in a privileged type.
 * Constraints are likewise typically used to prevent a
 * process from labeling an object with a different user
 * identity.
 *
 * This header only declares the in-kernel representation of a
 * constraint: a list of constraint_node entries, each pairing a set of
 * permissions with a linked list of constraint_expr nodes.
 * NOTE(review): the code that builds these structures from a loaded
 * policy and the code that evaluates them (presumably policydb.c and
 * services.c) are outside this file; confirm any of the hedged
 * semantics below against those before relying on them.
 *
 * Author : Stephen Smalley, <stephen.smalley.work@gmail.com>
 */
#ifndef _SS_CONSTRAINT_H_
#define _SS_CONSTRAINT_H_

#include "ebitmap.h"

/*
 * Upper bound on constraint expression nesting.  NOTE(review): presumably
 * enforced when a policy is loaded and/or used to size the evaluation
 * stack, so that policy-supplied expressions cannot drive unbounded
 * recursion or stack use -- both uses are outside this file; confirm.
 */
#define CEXPR_MAXDEPTH 5

/*
 * One node of a constraint expression.  Nodes are chained via @next;
 * which of the remaining fields are meaningful depends on @expr_type:
 *   CEXPR_NOT/AND/OR  - operator nodes
 *   CEXPR_ATTR        - "attr op attr": compare an attribute of one
 *                       context with the same attribute of another
 *   CEXPR_NAMES       - "attr op names": compare an attribute of a
 *                       context against the identifier set in @names
 *                       (or @type_names for types)
 * NOTE(review): the per-type field usage above is inferred from the
 * field comments and the SELinux policy language; the authoritative
 * rules are in the loader/evaluator, not in this header.
 */
struct constraint_expr {
#define CEXPR_NOT 1 /* not expr */
#define CEXPR_AND 2 /* expr and expr */
#define CEXPR_OR 3 /* expr or expr */
#define CEXPR_ATTR 4 /* attr op attr */
#define CEXPR_NAMES 5 /* attr op names */
	u32 expr_type; /* expression type: one of CEXPR_NOT..CEXPR_NAMES */

	/*
	 * Attribute selectors.  Every value is a distinct power of two, so a
	 * context attribute (USER/ROLE/TYPE) can be OR'd with the
	 * TARGET/XTARGET modifier in a single @attr word ("target if set,
	 * source otherwise").  The MLS selectors (L1L2..L2H2) name both
	 * operands of the comparison explicitly.
	 */
#define CEXPR_USER 1 /* user */
#define CEXPR_ROLE 2 /* role */
#define CEXPR_TYPE 4 /* type */
#define CEXPR_TARGET 8 /* target if set, source otherwise */
#define CEXPR_XTARGET 16 /* special 3rd target for validatetrans rule */
#define CEXPR_L1L2 32 /* low level 1 vs. low level 2 */
#define CEXPR_L1H2 64 /* low level 1 vs. high level 2 */
#define CEXPR_H1L2 128 /* high level 1 vs. low level 2 */
#define CEXPR_H1H2 256 /* high level 1 vs. high level 2 */
#define CEXPR_L1H1 512 /* low level 1 vs. high level 1 */
#define CEXPR_L2H2 1024 /* low level 2 vs. high level 2 */
	u32 attr; /* attribute: bitwise OR of the CEXPR_* selectors above */

	/* Comparison operators for CEXPR_ATTR / CEXPR_NAMES nodes. */
#define CEXPR_EQ 1 /* == or eq */
#define CEXPR_NEQ 2 /* != */
#define CEXPR_DOM 3 /* dom */
#define CEXPR_DOMBY 4 /* domby */
#define CEXPR_INCOMP 5 /* incomp */
	u32 op; /* operator: one of CEXPR_EQ..CEXPR_INCOMP */

	struct ebitmap names; /* names (identifier set for CEXPR_NAMES) */
	/*
	 * Type set for CEXPR_NAMES nodes on types.  NOTE(review): whether
	 * this pointer is always populated, and how it relates to @names, is
	 * decided by the loader -- confirm before dereferencing it
	 * unconditionally.
	 */
	struct type_set *type_names;

	struct constraint_expr *next; /* next expression */
};

/*
 * A single constraint: @expr must be satisfied for any of the
 * permissions in @permissions to be granted.  Constraints are chained
 * via @next.
 */
struct constraint_node {
	u32 permissions; /* constrained permissions (presumably one bit per permission) */
	struct constraint_expr *expr; /* constraint on permissions (expression list, see above) */
	struct constraint_node *next; /* next constraint */
};

#endif /* _SS_CONSTRAINT_H_ */