path: root/cil/docs/cil_call_macro_statements.xml
blob: b783515f1ddd53c6d86384c7aaf6e514f7fc70b0 (plain)
<!-- Common Interface Language (CIL) Reference Guide -->
           <!-- call_macro_statements.xml -->

   <sect1>
      <title>Call / Macro Statements</title>
      <sect2 id="call">
         <title>call</title>
         <para>Instantiate a <link linkend="macro">macro</link> within the current namespace: the macro body is copied into the calling namespace with each parameter replaced by the supplied argument. Zero or more parameters may be passed; with zero parameters the <literal><link linkend="call">call</link></literal> / <literal><link linkend="macro">macro</link></literal> pair behaves much like the <literal><link linkend="blockinherit">blockinherit</link></literal> / <literal><link linkend="blockabstract">blockabstract</link></literal> pair.</para>
         <para>Each parameter passed carries an argument that the macro resolves. Arguments may be named or anonymous, but each must conform to the parameter type declared in the corresponding position of the <literal><link linkend="macro">macro</link></literal> statement.</para>
         <para><emphasis role="bold">Statement definition:</emphasis></para>
         <programlisting><![CDATA[(call macro_id [(param ...)])]]></programlisting>
         <para><emphasis role="bold">Where:</emphasis></para>
         <informaltable frame="all">
            <tgroup cols="2">
            <colspec colwidth="2 *"/>
            <colspec colwidth="6 *"/>
               <tbody>
               <row>
                  <entry>
                     <para><literal><link linkend="call">call</link></literal></para>
                  </entry>
                  <entry>
                     <para>The <literal><link linkend="call">call</link></literal> keyword.</para>
                  </entry>
               </row>
               <row>
                  <entry>
                     <para><literal>macro_id</literal></para>
                  </entry>
                  <entry>
                     <para>The identifier of the <literal><link linkend="macro">macro</link></literal> to be instantiated.</para>
                  </entry>
               </row>
               <row>
                  <entry>
                     <para><literal>param</literal></para>
                  </entry>
                  <entry>
                     <para>Zero or more parameters that are passed to the macro.</para>
                  </entry>
               </row>
            </tbody></tgroup>
         </informaltable>
         <para><emphasis role="bold">Example:</emphasis></para>
         <para>See the <literal><link linkend="macro">macro</link></literal> statement for an example.</para>
      </sect2>

      <sect2 id="macro">
         <title>macro</title>
         <para>Declare a macro in the current namespace with its associated parameters. The macro identifier is used by the <literal><link linkend="call">call</link></literal> statement to instantiate the macro and resolve any parameters. The call statement may be within the body of a macro.</para>

         <para>Note that when resolving identifiers used within a macro body the caller's namespace is not searched; only the following places are checked:
            <itemizedlist>
              <listitem><simpara>Items defined inside the macro</simpara></listitem>
              <listitem><simpara>Items passed into the macro as arguments</simpara></listitem>
              <listitem><simpara>Items defined in the same namespace of the macro</simpara></listitem>
              <listitem><simpara>Items defined in the global namespace</simpara></listitem>
            </itemizedlist>
            Anything a macro body needs from the calling namespace must therefore be passed in explicitly as an argument.</para>
         <para><emphasis role="bold">Statement definition:</emphasis></para>
         <programlisting><![CDATA[
(macro macro_id ([(param_type param_id) ...])
    cil_statements
    ...
)]]>
         </programlisting>
         <para><emphasis role="bold">Where:</emphasis></para>
         <informaltable frame="all">
            <tgroup cols="2">
            <colspec colwidth="2 *"/>
            <colspec colwidth="6 *"/>
               <tbody>
               <row>
                  <entry>
                     <para><literal><link linkend="macro">macro</link></literal></para>
                  </entry>
                  <entry>
                     <para>The <literal><link linkend="macro">macro</link></literal> keyword.</para>
                  </entry>
               </row>
               <row>
                  <entry>
                     <para><literal>macro_id</literal></para>
                  </entry>
                  <entry>
                     <para>The <literal><link linkend="macro">macro</link></literal> identifier.</para>
                  </entry>
               </row>
               <row>
                  <entry>
                     <para><literal>param_type</literal></para>
                  </entry>
                  <entry>
                     <para>Zero or more parameters that are passed to the macro. The <literal>param_type</literal> is a keyword used to determine the declaration type (e.g. <literal>type</literal>, <literal>class</literal>, <literal>categoryset</literal>).</para>
                     <para>The list of valid <literal>param_type</literal> entries are:
                     <simplelist type="inline">
                        <member><literal><link linkend="type">type</link></literal></member>
                        <member><literal><link linkend="typealias">typealias</link></literal></member>
                        <member><literal><link linkend="role">role</link></literal></member>
                        <member><literal><link linkend="user">user</link></literal></member>
                        <member><literal><link linkend="sensitivity">sensitivity</link></literal></member>
                        <member><literal><link linkend="sensitivityalias">sensitivityalias</link></literal></member>
                        <member><literal><link linkend="category">category</link></literal></member>
                        <member><literal><link linkend="categoryalias">categoryalias</link></literal></member>
                        <member><literal><link linkend="categoryset">categoryset</link></literal> (named or anonymous)</member>
                        <member><literal><link linkend="level">level</link></literal> (named or anonymous)</member>
                        <member><literal><link linkend="levelrange">levelrange</link></literal> (named or anonymous)</member>
                        <member><literal><link linkend="class">class</link></literal></member>
                        <member><literal><link linkend="classpermission">classpermission</link></literal> (named or anonymous)</member>
                        <member><literal><link linkend="ipaddr">ipaddr</link></literal> (named or anonymous)</member>
                        <member><literal><link linkend="boolean">block</link></literal></member>
                        <member><literal><link linkend="name">name</link></literal> (a string)</member>
                        <member><literal><link linkend="classmap">classmap</link></literal></member>
                     </simplelist></para>
                  </entry>
               </row>
               <row>
                  <entry>
                     <para><literal>param_id</literal></para>
                  </entry>
                  <entry>
                     <para>The parameter identifier used to reference the entry within the macro body (e.g. <literal>ARG1</literal>).</para>
                  </entry>
               </row>
               <row>
                  <entry>
                     <para><literal>cil_statement</literal></para>
                  </entry>
                  <entry>
                     <para>Zero or more valid CIL statements.</para>
                  </entry>
               </row>
            </tbody></tgroup>
         </informaltable>

         <para><emphasis role="bold">Examples:</emphasis></para>
         <para>This example will instantiate the <literal>binder_call</literal> macro in the calling namespace (<literal>my_domain</literal>) and replace <literal>ARG1</literal> with <literal>appdomain</literal> and <literal>ARG2</literal> with <literal>binderservicedomain</literal>:</para>
         <programlisting><![CDATA[
(block my_domain
    (call binder_call (appdomain binderservicedomain))
)

(macro binder_call ((type ARG1) (type ARG2))
    ; here "call" is a permission of the binder class, not the call statement
    (allow ARG1 ARG2 (binder (call transfer)))
    (allow ARG2 ARG1 (binder (transfer)))
    (allow ARG1 ARG2 (fd (use)))
)]]>
         </programlisting>

         <para>This example does not pass any parameters to the macro but adds a <literal>type</literal> identifier (<literal>unconfined.exec</literal>) to the calling namespace:</para>
         <programlisting><![CDATA[
(block unconfined
    (call add_type)
    ....

    (macro add_type ()
        (type exec)
    )
)]]>
         </programlisting>

         <para>This example passes an anonymous IP address and a named one (<literal>netmask_1</literal>) to the macro:</para>
         <programlisting><![CDATA[
(ipaddr netmask_1 255.255.255.0)
(context netlabel_1 (system.user object_r unconfined.object low_low))

(call build_nodecon ((192.168.1.64) netmask_1))

(macro build_nodecon ((ipaddr ARG1) (ipaddr ARG2))
    (nodecon ARG1 ARG2 netlabel_1)
)]]>
         </programlisting>
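         <para>The following Python 3 script is an added, worked example for both the <literal>call</literal> and the <literal>macro</literal> statements; it is not part of this reference guide or of the secilc compiler. It is a toy expander that parses CIL s-expressions, collects <literal>macro</literal> and <literal>call</literal> statements together with the <literal>type</literal>, <literal>ipaddr</literal> and <literal>context</literal> declarations they refer to, and then instantiates each call in the caller's namespace: arguments are substituted for parameters, argument count and kind are checked, anonymous arguments are accepted only where the guide allows them (only <literal>ipaddr</literal> is modelled), and identifiers in a macro body are resolved only in the four places listed at the top of this section, never in the caller's namespace. The <literal>SAMPLE</literal> policy is constructed from the three examples above; <literal>LEAKY</literal> adds a macro whose body names a type that exists only in the calling block, which the expander must reject. The function and constant names, the subset of statement kinds handled and the error messages are all assumptions of this example, not secilc behaviour.</para>

```python
"""Toy CIL macro expander: an added example, not code from secilc or the CIL docs.
Identifiers in a macro body resolve only in the four places the guide lists (macro-local
declarations, parameters, the macro's own namespace, global); the caller's namespace is
never searched. Arguments, by contrast, are resolved from the caller and checked for kind."""
DECL_KINDS = {"type", "ipaddr", "context"}            # declaration kinds this toy tracks
IDENT_POS = {"allow": (1, 2), "nodecon": (1, 2, 3)}   # argument slots that hold identifiers
def parse(text):
    """Parse CIL s-expressions (';' comments stripped) into nested Python lists."""
    toks = ["("] + [t for line in text.splitlines()   # outer wrap: one read() yields every form
                    for t in line.split(";", 1)[0].replace("(", " ( ").replace(")", " ) ").split()] + [")"]
    def read(i):
        if toks[i] != "(":
            return toks[i], i + 1
        items, i = [], i + 1
        while toks[i] != ")":
            node, i = read(i)
            items.append(node)
        return items, i + 1
    return read(0)[0]

def unparse(f):
    return "(" + " ".join(map(unparse, f)) + ")" if isinstance(f, list) else f
def qualify(ns, name):
    return name if ns == "" else ns + "." + name

class Expander:
    def __init__(self, text):
        self.decls, self.macros, self.calls = {}, {}, []
        self._collect(parse(text), "")

    def _collect(self, forms, ns):                    # pass 1: source order is irrelevant
        for f in forms:
            if f[0] == "block":
                self._collect(f[2:], qualify(ns, f[1]))
            elif f[0] == "macro":                     # (macro id ((ptype pid) ...) body...)
                self.macros[qualify(ns, f[1])] = (ns, f[2], f[3:])
            elif f[0] == "call":
                self.calls.append((ns, f[1], f[2] if len(f) == 3 else []))
            elif f[0] in DECL_KINDS:
                self.decls[qualify(ns, f[1])] = f[0]

    def _lookup(self, table, ns, name):               # ns, each enclosing namespace, then global
        parts = ns.split(".")
        for cand in (qualify(".".join(parts[:d]), name) for d in range(len(parts), -1, -1)):
            if cand in table:
                return cand
        raise NameError("%s not visible from namespace '%s'" % (name, ns or "global"))

    def _bind(self, caller_ns, params, args):         # enforce count, kind and the anonymous form
        if len(params) != len(args):
            raise TypeError("expected %d arguments, got %d" % (len(params), len(args)))
        env = {}
        for (ptype, pid), arg in zip(params, args):
            if isinstance(arg, list):                 # anonymous, e.g. (192.168.1.64); only ipaddr modelled
                if ptype != "ipaddr" or len(arg) != 1 or len(arg[0].split(".")) != 4:
                    raise TypeError("%s is not a valid anonymous %s" % (unparse(arg), ptype))
                env[pid] = arg[0]
            else:                                     # named: resolved from the caller's namespace
                q = self._lookup(self.decls, caller_ns, arg)
                if self.decls[q] != ptype:
                    raise TypeError("%s is declared as %s, macro wants %s" % (q, self.decls[q], ptype))
                env[pid] = q
        return env

    def expand(self):
        out = []
        for caller_ns, mid, args in self.calls:
            macro_ns, params, body = self.macros[self._lookup(self.macros, caller_ns, mid)]
            env = self._bind(caller_ns, params, args)
            local = {f[1] for f in body if f[0] in DECL_KINDS}   # these land in the caller's namespace
            def resolve(sym):                         # the guide's four places; never the caller's namespace
                if sym in local or sym in env:
                    return qualify(caller_ns, sym) if sym in local else env[sym]
                for cand in (qualify(macro_ns, sym), sym):
                    if cand in self.decls:
                        return cand
                raise NameError("%s not visible inside %s (caller namespace is not searched)" % (sym, mid))
            for stmt in body:
                new = list(stmt)
                for pos in IDENT_POS.get(stmt[0], (1,) if stmt[0] in DECL_KINDS else ()):
                    new[pos] = resolve(stmt[pos])
                out.append(new)
        return out

def expand_text(text):                                # CIL lines, or "error: ..." when rejected
    try:
        return [unparse(s) for s in Expander(text).expand()]
    except (NameError, TypeError) as e:
        return "error: " + str(e)

SAMPLE = """(type appdomain) (type binderservicedomain)  ; constructed from this section's examples
(ipaddr netmask_1 255.255.255.0) (context netlabel_1 (system.user object_r unconfined.object low_low))
(block my_domain (call binder_call (appdomain binderservicedomain)))
(macro binder_call ((type ARG1) (type ARG2)) (allow ARG1 ARG2 (binder (call transfer)))
    (allow ARG2 ARG1 (binder (transfer))) (allow ARG1 ARG2 (fd (use))))
(block unconfined (call add_type) (macro add_type () (type exec))) (call build_nodecon ((192.168.1.64) netmask_1))
(macro build_nodecon ((ipaddr ARG1) (ipaddr ARG2)) (nodecon ARG1 ARG2 netlabel_1))"""
LEAKY = SAMPLE + """\n(block svc (type helper_t) (call leak (appdomain)))  ; helper_t exists only in the caller's block
(macro leak ((type A)) (allow A helper_t (fd (use))))"""
```

         <para><literal>expand_text(SAMPLE)</literal> returns the five expanded statements (three <literal>allow</literal> rules with <literal>ARG1</literal>/<literal>ARG2</literal> replaced, <literal>(type unconfined.exec)</literal>, and the <literal>nodecon</literal> with the anonymous address in place). <literal>expand_text(LEAKY)</literal> returns an error string because <literal>helper_t</literal> is visible only from the calling block. Appending a call such as <literal>(call binder_call (netmask_1 appdomain))</literal> to <literal>SAMPLE</literal> is rejected for passing an <literal>ipaddr</literal> where the macro declares a <literal>type</literal>, and a call with the wrong number of arguments is rejected before any substitution takes place.</para>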
      </sect2>
   </sect1>