apparmor/parser/policydb.h

/*
 * Copyright 2012 Canonical Ltd.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as
 * published by the Free Software Foundation, version 2 of the
 * License.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 */

#ifndef __AA_POLICYDB_H
#define __AA_POLICYDB_H

/*
 * Class of private mediation types in the AppArmor policy db
 *
 * See libapparmor's apparmor.h for public mediation types
 */
#define AA_CLASS_COND		0
#define AA_CLASS_UNKNOWN	1
#define AA_CLASS_FILE		2
#define AA_CLASS_CAP		3
#define AA_CLASS_NET		4
#define AA_CLASS_RLIMITS	5
#define AA_CLASS_DOMAIN		6
#define AA_CLASS_MOUNT		7
#define AA_CLASS_NS_DOMAIN	8
#define AA_CLASS_PTRACE		9
#define AA_CLASS_SIGNAL		10
#define AA_CLASS_NETV8		14
#define AA_CLASS_LABEL		16
#define AA_CLASS_POSIX_MQUEUE	17
#define AA_CLASS_SYSV_MQUEUE	18
#define AA_CLASS_NS		21

/* defined in libapparmor's apparmor.h #define AA_CLASS_DBUS 32 */
#define AA_CLASS_X		33

#endif /* __AA_POLICYDB_H */
Add Basic infrastructure support for the policydb policydb is the new matching format, that combines the matching portions of different rules into a single dfa/hfa. This patch only lays some ground work it does not add encoding of any rules into the policydb Signed-off-by: John Johansen <john.johansen@canonical.com> 2012-02-16 08:14:46 -08:00			`/*`
			`* Copyright 2012 Canonical Ltd.`
			`*`
			`* This program is free software; you can redistribute it and/or`
			`* modify it under the terms of the GNU General Public License as`
			`* published by the Free Software Foundation, version 2 of the`
			`* License.`
			`*`
			`* This program is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`* GNU General Public License for more details.`
			`*`
			`*/`

			`#ifndef __AA_POLICYDB_H`
			`#define __AA_POLICYDB_H`

			`/*`
Move public mediation class types and perms to apparmor.h Now that the parser links against libapparmor, it makes sense to move all public permission types and flags to libapparmor's apparmor.h. This prevents duplication across header files for the parser and libapparmor. Additionally, this patch breaks the connection between AA_DBUS_{SEND,RECEIVE,BIND} and AA_MAY_{WRITE,READ,BIND} by using raw values when defining the AA_DBUS_{SEND,RECEIVE,BIND} macros. This makes sense because the two sets of permission flags are from two distinctly different mediation types (AA_CLASS_DBUS and AA_CLASS_FILE). While it is nice that they share some of the same values, the macros don't need to be linked together. In other words, when you're creating a D-Bus rule, it would be incorrect to use permission flags from the AA_CLASS_FILE type. The change mentioned above allows the AA_MAY_{WRITE,READ,BIND} macros to be removed from public-facing apparmor.h header. Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com> 2013-12-06 11:20:06 -08:00			`* Class of private mediation types in the AppArmor policy db`
			`*`
			`* See libapparmor's apparmor.h for public mediation types`
Add Basic infrastructure support for the policydb policydb is the new matching format, that combines the matching portions of different rules into a single dfa/hfa. This patch only lays some ground work it does not add encoding of any rules into the policydb Signed-off-by: John Johansen <john.johansen@canonical.com> 2012-02-16 08:14:46 -08:00			`*/`
			`#define AA_CLASS_COND 0`
			`#define AA_CLASS_UNKNOWN 1`
			`#define AA_CLASS_FILE 2`
			`#define AA_CLASS_CAP 3`
			`#define AA_CLASS_NET 4`
			`#define AA_CLASS_RLIMITS 5`
			`#define AA_CLASS_DOMAIN 6`
			`#define AA_CLASS_MOUNT 7`
			`#define AA_CLASS_NS_DOMAIN 8`
			`#define AA_CLASS_PTRACE 9`
Add the ability to mediate signals. Add signal rules and make sure the parser encodes support for them if the supported feature set reports supporting them. The current format of the signal rule is [audit] [deny] signal [<signal_perms>] [<signal_set>] <target_profile>, signal_perm := 'send'\|'receive'\|'r'\|'w'\|'rw' signal_perms := <signal_perm> \| '(' <signal_perm> ([,]<signal_perm>)* ')' signal := ("hup"\|"int"\|"quit"\|"ill"\|"trap"\|"abrt"\|"bus"\|"fpe"\|"kill"\| "usr1"\|"segv"\|"usr2"\|"pipe"\|"alrm"\|"term"\|"tkflt"\|"chld"\| "cont"\|"stop"\|"stp"\|"ttin"\|"ttou"\|"urg"\|"xcpu"\|"xfsz"\|"vtalrm"\| "prof"\|"winch"\|"io"\|"pwr"\|"sys"\|"emt"\|"exists") signal_set := set=<signal> \| '(' <signal> ([,]<signal>)* ')' it does not currently follow the peer=() format, and there is some question as to whether it should or not. Input welcome. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com> 2014-04-23 11:35:29 -07:00			`#define AA_CLASS_SIGNAL 10`
parser: add support for kernel 4.17 v8 networking Make it so the parser can properly support network socket mediation in the upstream kernel, MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/521 Signed-off-by: John Johansen <john.johansen@canonical.com> 2018-07-24 04:40:25 -07:00			`#define AA_CLASS_NETV8 14`
The label class is used to lookup object permissions based off of label alone when the labeling is not path dependent. Some rules will not generate label entries, some will generate only label entries and some will generate both label and path entries. This is left to the particular rule encoding. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org> Acked-by: Seth Arnold <seth.arnold@canonical.com> 2014-04-23 11:02:25 -07:00			`#define AA_CLASS_LABEL 16`
parser: add parser support for message queue mediation Message queue rules take the following format: mqueue [<access_mode>] [<type>] [<label>] [<mqueue name>], access_mode := 'r'\|'w'\|'rw'\|'read'\|'write'\| 'create'\|'open'\|'delete'\| 'getattr'\|'setattr' type := 'type' '=' ('posix'\|'sysv') label := 'label' '=' <target label> Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> 2022-02-07 19:15:11 -03:00			`#define AA_CLASS_POSIX_MQUEUE 17`
			`#define AA_CLASS_SYSV_MQUEUE 18`
parser: add support for user namespace creation Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> 2022-09-29 17:40:18 -03:00			`#define AA_CLASS_NS 21`
Add Basic infrastructure support for the policydb policydb is the new matching format, that combines the matching portions of different rules into a single dfa/hfa. This patch only lays some ground work it does not add encoding of any rules into the policydb Signed-off-by: John Johansen <john.johansen@canonical.com> 2012-02-16 08:14:46 -08:00
The label class is used to lookup object permissions based off of label alone when the labeling is not path dependent. Some rules will not generate label entries, some will generate only label entries and some will generate both label and path entries. This is left to the particular rule encoding. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org> Acked-by: Seth Arnold <seth.arnold@canonical.com> 2014-04-23 11:02:25 -07:00			`/* defined in libapparmor's apparmor.h #define AA_CLASS_DBUS 32 */`
Add Basic infrastructure support for the policydb policydb is the new matching format, that combines the matching portions of different rules into a single dfa/hfa. This patch only lays some ground work it does not add encoding of any rules into the policydb Signed-off-by: John Johansen <john.johansen@canonical.com> 2012-02-16 08:14:46 -08:00			`#define AA_CLASS_X 33`

			`#endif /* __AA_POLICYDB_H */`