/*
Kafel - policy
-----------------------------------------
Copyright 2016 Google Inc. All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#ifndef KAFEL_POLICY_H
#define KAFEL_POLICY_H
#include <stdint.h>
#include <sys/queue.h>
#include "expression.h"
/*
 * One syscall rule inside a policy action. The action applies to calls of
 * `syscall_nr` for which `expr` holds (presumably a condition on the call's
 * arguments, see expression.h). Nodes are linked into a struct filterslist.
 */
struct syscall_filter {
  uint32_t syscall_nr;                  /* syscall number this filter matches */
  struct expr_tree* expr;               /* match condition; whether NULL means
                                         * "unconditional" is not visible here —
                                         * confirm in policy.c */
  TAILQ_ENTRY(syscall_filter) filters;  /* linkage within struct filterslist */
};
/* Intrusive list of syscall_filter nodes; defines the head type struct filterslist. */
TAILQ_HEAD(filterslist, syscall_filter);
/* Discriminator for struct policy_entry::type — selects which union member is live. */
enum { POLICY_USE, POLICY_ACTION };

/*
 * Action taken when a syscall_filter matches. KILL and ALLOW are the "basic"
 * actions, bounded by ACTION_BASIC_MAX. TRAP, ERRNO and TRACE are placed at
 * multiples of 0x10000, which leaves the low 16 bits of the value free —
 * presumably for a per-action argument (e.g. the errno value to return);
 * confirm against the code that consumes `action`, since a stray value in
 * those bits would silently change the emitted action.
 */
enum {
  ACTION_KILL = 1,
  ACTION_ALLOW,
  ACTION_BASIC_MAX = ACTION_ALLOW,  /* upper bound of the basic (argument-less) actions */
  ACTION_TRAP = 0x10000,
  ACTION_ERRNO = 0x20000,
  ACTION_TRACE = 0x40000,
};
/*
 * One entry of a policy body. `type` (POLICY_USE or POLICY_ACTION) selects
 * the live union member; the other member must not be read.
 */
struct policy_entry {
  int type;  /* POLICY_USE or POLICY_ACTION */
  union {
    struct {                       /* live when type == POLICY_ACTION */
      uint32_t action;             /* an ACTION_* value (see policy_action_create) */
      struct filterslist filters;  /* syscall filters this action applies to */
    };
    struct policy* used;           /* live when type == POLICY_USE: the policy
                                    * pulled in by this entry.
                                    * NOTE(review): looks like a non-owning
                                    * reference, so the referenced policy must
                                    * outlive this entry or `used` dangles —
                                    * confirm ownership in policy_entry_destroy
                                    * and policy_destroy. */
  };
  TAILQ_ENTRY(policy_entry) entries;  /* linkage within struct entrieslist */
};
/* Intrusive list of policy_entry nodes; defines the head type struct entrieslist. */
TAILQ_HEAD(entrieslist, policy_entry);
/* A named policy: a list of entries, itself linkable into a struct policieslist. */
struct policy {
  char* name;                    /* policy name; policy_create receives a const
                                  * char*, so this is presumably a copy owned by
                                  * the policy — confirm in policy_create */
  struct entrieslist entries;    /* the policy body (POLICY_USE / POLICY_ACTION entries) */
  TAILQ_ENTRY(policy) policies;  /* linkage within struct policieslist */
};
/* Intrusive list of policy nodes; defines the head type struct policieslist. */
TAILQ_HEAD(policieslist, policy);
/*
 * Constructors and destructors for the types above.
 *
 * The destructors take a pointer-to-pointer, which suggests they also reset
 * the caller's pointer to NULL after freeing (a guard against use-after-free
 * and double free) — confirm in policy.c. Whether the *_create functions copy
 * or adopt the list/expression they are given is not visible from this header;
 * until confirmed, callers should treat the argument as transferred and not
 * free it separately.
 */

/* Build a policy named `name` from `entries`; see ownership note above. */
struct policy* policy_create(const char* name, struct entrieslist* entries);
void policy_destroy(struct policy** policy);

/* Build a POLICY_ACTION entry applying `action` (an ACTION_* value) to `filters`. */
struct policy_entry* policy_action_create(uint32_t action,
                                          struct filterslist* filters);
/* Build a POLICY_USE entry referencing `used`; see the `used` note on struct policy_entry. */
struct policy_entry* policy_use_create(struct policy* used);
void policy_entry_destroy(struct policy_entry** entry);
/* Destroy every entry in `entries`. */
void policy_entries_destroy(struct entrieslist* entries);

/* Build a filter matching syscall `nr` under condition `expr`. */
struct syscall_filter* syscall_filter_create(uint32_t nr,
                                             struct expr_tree* expr);
void syscall_filter_destroy(struct syscall_filter** filter);
/* Destroy every filter in `filters`. */
void syscall_filters_destroy(struct filterslist* filters);
#endif /* KAFEL_POLICY_H */