|
Chris PeBenito |
ca83af |
########################################
|
|
Chris PeBenito |
ca83af |
#
|
|
Chris PeBenito |
ca83af |
# Macros for switching between source policy
|
|
Chris PeBenito |
ca83af |
# and loadable policy module support
|
|
Chris PeBenito |
ca83af |
#
|
|
Chris PeBenito |
ca83af |
|
|
Chris PeBenito |
ca83af |
##############################
|
|
Chris PeBenito |
ca83af |
#
|
|
Chris PeBenito |
ca83af |
# For adding the module statement
|
|
Chris PeBenito |
ca83af |
#
|
|
Chris PeBenito |
ca83af |
define(`policy_module',`
|
|
Chris PeBenito |
c54686 |
ifndef(`self_contained_policy',`
|
|
Chris PeBenito |
254bbc |
module $1 $2;
|
|
Chris PeBenito |
c04f2a |
|
|
Chris PeBenito |
0efe52 |
require {
|
|
Chris PeBenito |
0efe52 |
role system_r;
|
|
Chris PeBenito |
0efe52 |
all_kernel_class_perms
|
|
Chris PeBenito |
0efe52 |
}
|
|
Chris PeBenito |
4b8c54 |
')
|
|
Chris PeBenito |
ca83af |
')
|
|
Chris PeBenito |
ca83af |
|
|
Chris PeBenito |
ca83af |
##############################
|
|
Chris PeBenito |
ca83af |
#
|
|
Chris PeBenito |
fa7bea |
# For use in interfaces, to optionally insert a require block
|
|
Chris PeBenito |
ca83af |
#
|
|
Chris PeBenito |
fa7bea |
define(`gen_require',`
|
|
Chris PeBenito |
0db866 |
ifdef(`self_contained_policy',`
|
|
Chris PeBenito |
0db866 |
ifdef(`__in_optional_policy',`
|
|
Chris PeBenito |
0db866 |
require {
|
|
Chris PeBenito |
0db866 |
$1
|
|
Chris PeBenito |
0db866 |
} # end require
|
|
Chris PeBenito |
0db866 |
')
|
|
Chris PeBenito |
0db866 |
',`
|
|
Chris PeBenito |
254bbc |
require {
|
|
Chris PeBenito |
254bbc |
$1
|
|
Chris PeBenito |
0db866 |
} # end require
|
|
Chris PeBenito |
254bbc |
')
|
|
Chris PeBenito |
254bbc |
')
|
|
Chris PeBenito |
ca83af |
|
|
Chris PeBenito |
0176d1 |
# helper function, since m4 wont expand macros
|
|
Chris PeBenito |
0176d1 |
# if a line is a comment (#):
|
|
Chris PeBenito |
0176d1 |
define(`policy_m4_comment',`
|
|
Chris PeBenito |
0176d1 |
##### $2 depth: $1
|
|
Chris PeBenito |
0176d1 |
')dnl
|
|
Chris PeBenito |
0176d1 |
|
|
Chris PeBenito |
ca83af |
##############################
|
|
Chris PeBenito |
ca83af |
#
|
|
Chris PeBenito |
199895 |
# In the future interfaces should be in loadable modules
|
|
Chris PeBenito |
a9ec54 |
#
|
|
Chris PeBenito |
199895 |
# template(name,rules)
|
|
Chris PeBenito |
a9ec54 |
#
|
|
Chris PeBenito |
0176d1 |
define(`template',` dnl
|
|
Chris PeBenito |
5706fa |
ifdef(`$1',`errprint(__file__:__line__`: duplicate definition of $1(). Original definition on '$1. __endline__) define(`__if_error')',`define(`$1',__line__)') dnl
|
|
Chris PeBenito |
0176d1 |
`define(`$1',` dnl
|
|
Chris PeBenito |
0176d1 |
define(`policy_temp',incr(policy_call_depth)) dnl
|
|
Chris PeBenito |
0176d1 |
pushdef(`policy_call_depth',policy_temp) dnl
|
|
Chris PeBenito |
0176d1 |
undefine(`policy_temp') dnl
|
|
Chris PeBenito |
0176d1 |
policy_m4_comment(policy_call_depth,begin `$1'(dollarsstar)) dnl
|
|
Chris PeBenito |
0176d1 |
$2 dnl
|
|
Chris PeBenito |
0176d1 |
define(`policy_temp',decr(policy_call_depth)) dnl
|
|
Chris PeBenito |
0176d1 |
pushdef(`policy_call_depth',policy_temp) dnl
|
|
Chris PeBenito |
0176d1 |
undefine(`policy_temp') dnl
|
|
Chris PeBenito |
0176d1 |
policy_m4_comment(policy_call_depth,end `$1'(dollarsstar)) dnl
|
|
Chris PeBenito |
199895 |
'')
|
|
Chris PeBenito |
a9ec54 |
')
|
|
Chris PeBenito |
a9ec54 |
|
|
Chris PeBenito |
199895 |
##############################
|
|
Chris PeBenito |
199895 |
#
|
|
Chris PeBenito |
199895 |
# In the future interfaces should be in loadable modules
|
|
Chris PeBenito |
199895 |
#
|
|
Chris PeBenito |
199895 |
# interface(name,rules)
|
|
Chris PeBenito |
199895 |
#
|
|
Chris PeBenito |
0176d1 |
define(`interface',` dnl
|
|
Chris PeBenito |
5706fa |
ifdef(`$1',`errprint(__file__:__line__`: duplicate definition of $1(). Original definition on '$1. __endline__) define(`__if_error')',`define(`$1',__line__)') dnl
|
|
Chris PeBenito |
0176d1 |
`define(`$1',` dnl
|
|
Chris PeBenito |
0176d1 |
define(`policy_temp',incr(policy_call_depth)) dnl
|
|
Chris PeBenito |
0176d1 |
pushdef(`policy_call_depth',policy_temp) dnl
|
|
Chris PeBenito |
0176d1 |
undefine(`policy_temp') dnl
|
|
Chris PeBenito |
0176d1 |
policy_m4_comment(policy_call_depth,begin `$1'(dollarsstar)) dnl
|
|
Chris PeBenito |
199895 |
$2
|
|
Chris PeBenito |
0176d1 |
define(`policy_temp',decr(policy_call_depth)) dnl
|
|
Chris PeBenito |
0176d1 |
pushdef(`policy_call_depth',policy_temp) dnl
|
|
Chris PeBenito |
0176d1 |
undefine(`policy_temp') dnl
|
|
Chris PeBenito |
0176d1 |
policy_m4_comment(policy_call_depth,end `$1'(dollarsstar)) dnl
|
|
Chris PeBenito |
199895 |
'')
|
|
Chris PeBenito |
199895 |
')
|
|
Chris PeBenito |
199895 |
|
|
Chris PeBenito |
199895 |
define(`policy_call_depth',0)
|
|
Chris PeBenito |
199895 |
|
|
Chris PeBenito |
a9ec54 |
##############################
|
|
Chris PeBenito |
a9ec54 |
#
|
|
Chris PeBenito |
ca83af |
# Optional policy handling
|
|
Chris PeBenito |
ca83af |
#
|
|
Chris PeBenito |
ca83af |
define(`optional_policy',`
|
|
Chris PeBenito |
bb7170 |
ifelse(regexp(`$1',`\W'),`-1',`
|
|
Chris PeBenito |
bb7170 |
errprint(__file__:__line__`: deprecated use of module name ($1) as first parameter of optional_policy() block.' __endline__)
|
|
Chris PeBenito |
4f447b |
optional_policy(shift($*))
|
|
Chris PeBenito |
bb7170 |
',`
|
|
Chris PeBenito |
4f447b |
optional {`'pushdef(`__in_optional_policy')
|
|
Chris PeBenito |
bb7170 |
$1
|
|
Chris PeBenito |
c54686 |
ifelse(`$2',`',`',`} else {
|
|
Chris PeBenito |
bb7170 |
$2
|
|
Chris PeBenito |
c54686 |
')}`'popdef(`__in_optional_policy')`'ifndef(`__in_optional_policy',` # end optional')
|
|
Chris PeBenito |
254bbc |
')
|
|
Chris PeBenito |
254bbc |
')
|
|
Chris PeBenito |
ca83af |
|
|
Chris PeBenito |
ca83af |
##############################
|
|
Chris PeBenito |
ca83af |
#
|
|
Chris PeBenito |
ddea18 |
# Determine if we should use the default
|
|
Chris PeBenito |
ddea18 |
# tunable value as specified by the policy
|
|
Chris PeBenito |
ddea18 |
# or if the override value should be used
|
|
Chris PeBenito |
ddea18 |
#
|
|
Chris PeBenito |
31908b |
define(`dflt_or_overr',`ifdef(`$1',$1,$2)')
|
|
Chris PeBenito |
ddea18 |
|
|
Chris PeBenito |
ddea18 |
##############################
|
|
Chris PeBenito |
ddea18 |
#
|
|
Chris PeBenito |
25c674 |
# Extract booleans out of an expression.
|
|
Chris PeBenito |
25c674 |
# This needs to be reworked so expressions
|
|
Chris PeBenito |
25c674 |
# with parentheses can work.
|
|
Chris PeBenito |
25c674 |
|
|
Chris PeBenito |
25c674 |
define(`delcare_required_symbols',`
|
|
Chris PeBenito |
25c674 |
ifelse(regexp($1, `\w'), -1, `', `dnl
|
|
Chris PeBenito |
25c674 |
bool regexp($1, `\(\w+\)', `\1');
|
|
Chris PeBenito |
25c674 |
delcare_required_symbols(regexp($1, `\w+\(.*\)', `\1'))dnl
|
|
Chris PeBenito |
25c674 |
') dnl
|
|
Chris PeBenito |
25c674 |
')
|
|
Chris PeBenito |
25c674 |
|
|
Chris PeBenito |
25c674 |
##############################
|
|
Chris PeBenito |
25c674 |
#
|
|
Chris PeBenito |
ddea18 |
# Tunable declaration
|
|
Chris PeBenito |
ddea18 |
#
|
|
Chris PeBenito |
31908b |
define(`gen_tunable',`
|
|
Chris PeBenito |
25c674 |
ifdef(`self_contained_policy',`
|
|
Chris PeBenito |
25c674 |
bool $1 dflt_or_overr(`$1'_conf,$2);
|
|
Chris PeBenito |
3110de |
',`
|
|
Chris PeBenito |
25c674 |
# loadable module tunable
|
|
Chris PeBenito |
25c674 |
# declaration will go here
|
|
Chris PeBenito |
25c674 |
# instead of bool when
|
|
Chris PeBenito |
25c674 |
# loadable modules support
|
|
Chris PeBenito |
25c674 |
# tunables
|
|
Chris PeBenito |
25c674 |
bool $1 dflt_or_overr(`$1'_conf,$2);
|
|
Chris PeBenito |
3110de |
')
|
|
Chris PeBenito |
ddea18 |
')
|
|
Chris PeBenito |
ddea18 |
|
|
Chris PeBenito |
ddea18 |
##############################
|
|
Chris PeBenito |
ddea18 |
#
|
|
Chris PeBenito |
ca83af |
# Tunable policy handling
|
|
Chris PeBenito |
ca83af |
#
|
|
Chris PeBenito |
ca83af |
define(`tunable_policy',`
|
|
Chris PeBenito |
0e15cd |
ifdef(`self_contained_policy',`
|
|
Chris PeBenito |
254bbc |
if (`$1') {
|
|
Chris PeBenito |
254bbc |
$2
|
|
Chris PeBenito |
c54686 |
ifelse(`$3',`',`',`} else {
|
|
Chris PeBenito |
254bbc |
$3
|
|
Chris PeBenito |
c54686 |
')}
|
|
Chris PeBenito |
3110de |
',`
|
|
Chris PeBenito |
3110de |
# structure for tunables
|
|
Chris PeBenito |
3110de |
# will go here instead of a
|
|
Chris PeBenito |
3110de |
# conditional when loadable
|
|
Chris PeBenito |
3110de |
# modules support tunables
|
|
Chris PeBenito |
25c674 |
gen_require(`
|
|
Chris PeBenito |
25c674 |
delcare_required_symbols(`$1')
|
|
Chris PeBenito |
25c674 |
')
|
|
Chris PeBenito |
6d1227 |
if (`$1') {
|
|
Chris PeBenito |
3110de |
$2
|
|
Chris PeBenito |
c54686 |
ifelse(`$3',`',`',`} else {
|
|
Chris PeBenito |
3110de |
$3
|
|
Chris PeBenito |
c54686 |
')}
|
|
Chris PeBenito |
3110de |
')
|
|
Chris PeBenito |
254bbc |
')
|