-void init_policy(struct policy *p);
-void free_policy(struct policy *p);
-void print_policy(const struct policy *p);
-int match_policy(const struct policy *p, const struct query *q);
-int parse_policy(FILE *fp, struct policy *p);
-int open_policy_file(struct policy_file *pf, const char *name,
- const char *what, const struct query *q);
-int read_policy_file(struct policy_file *pf);
-void close_policy_file(struct policy_file *pf);
-int load_policy_file(const char *file, policy_v *pv);
+/* A context for parsing a policy file. */
+struct policy_file {
+ FILE *fp; /* The file to read from */
+ const struct query *q; /* A query to use for logging */
+ const char *name; /* The name of the file */
+ const char *what; /* A description of the file */
+ int err; /* Have there been any errors? */
+ int lno; /* The current line number */
+ struct policy p; /* Parsed policy rule goes here */
+};
+
+/* Open a policy file by NAME. The description WHAT and query Q are used for
+ * formatting error messages for the log.
+ *
+ * This function is somewhat careful only to read from actual regular files,
+ * though (if the filesystem object identified by NAME is a symlink, say) it
+ * might open a device node or other exotic thing without reading it. This
+ * is likely harmless, since we're running as an unprivileged user anyway.
+ */
+extern int open_policy_file(struct policy_file */*pf*/, const char */*name*/,
+ const char */*what*/, const struct query */*q*/,
+ unsigned /*f*/);
+#define OPF_NOENTOK 1u /* Don't complain if file missing */
+
+/* Read a policy rule from the file, storing it in PF->p. Return one of the
+ * T_* codes.
+ */
+extern int read_policy_file(struct policy_file */*pf*/);
+
+/* Close a policy file. It doesn't matter whether the file was completely
+ * read.
+ */
+extern void close_policy_file(struct policy_file */*pf*/);
+
+/* Load a policy file, writing a vector of records into PV. If the policy
+ * file has errors, then leave PV unchanged and return nonzero.
+ */
+extern int load_policy_file(const char */*file*/, policy_v */*pv*/);
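Review bot: The comment above open_policy_file says the regular-file check happens after the open, so a name (or symlink target) that is a FIFO can make a plain open block indefinitely, and a device node is still opened before being rejected; "likely harmless" is true for side effects but not for availability, if this is reached with an attacker-influenced name. If the implementation does not already do so, opening with `O_NONBLOCK | O_NOFOLLOW` (or at least `O_NONBLOCK`) and then `fstat`-ing the descriptor before `fdopen` closes both gaps, and the comment should say so rather than describing the gap as harmless. Separately, struct policy_file stores `name` and `what` as bare `const char *`, so the header should state whether open_policy_file copies them or the caller must keep both strings alive until close_policy_file, e.g. `/* NAME and WHAT are not copied; they must outlive the policy_file. */` (this is inferred from the struct layout; confirm against the implementation). Whether the hunk continues past this point is not visible here.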