1140 lines
30 KiB
Python
1140 lines
30 KiB
Python
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
|
|
#
|
|
# Copyright (C) 2006-2007 Red Hat
|
|
# see file 'COPYING' for use and warranty information
|
|
#
|
|
# This program is free software; you can redistribute it and/or
|
|
# modify it under the terms of the GNU General Public License as
|
|
# published by the Free Software Foundation; version 2 only
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program; if not, write to the Free Software
|
|
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
#
|
|
|
|
# OVERVIEW
|
|
#
|
|
#
|
|
# This is a parser for the refpolicy policy "language" - i.e., the
|
|
# normal SELinux policy language plus the refpolicy style M4 macro
|
|
# constructs on top of that base language. This parser is primarily
|
|
# aimed at parsing the policy headers in order to create an abstract
|
|
# policy representation suitable for generating policy.
|
|
#
|
|
# Both the lexer and parser are included in this file. The are implemented
|
|
# using the Ply library (included with sepolgen).
|
|
|
|
import sys
|
|
import os
|
|
import re
|
|
import traceback
|
|
|
|
from . import access
|
|
from . import defaults
|
|
from . import lex
|
|
from . import refpolicy
|
|
from . import yacc
|
|
|
|
# :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
|
|
#
|
|
# lexer
|
|
#
|
|
# :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
|
|
|
|
tokens = (
|
|
# basic tokens, punctuation
|
|
'TICK',
|
|
'SQUOTE',
|
|
'OBRACE',
|
|
'CBRACE',
|
|
'SEMI',
|
|
'COLON',
|
|
'OPAREN',
|
|
'CPAREN',
|
|
'COMMA',
|
|
'MINUS',
|
|
'TILDE',
|
|
'ASTERISK',
|
|
'AMP',
|
|
'BAR',
|
|
'EXPL',
|
|
'EQUAL',
|
|
'FILENAME',
|
|
'IDENTIFIER',
|
|
'NUMBER',
|
|
'PATH',
|
|
'IPV6_ADDR',
|
|
# reserved words
|
|
# module
|
|
'MODULE',
|
|
'POLICY_MODULE',
|
|
'REQUIRE',
|
|
# flask
|
|
'SID',
|
|
'GENFSCON',
|
|
'FS_USE_XATTR',
|
|
'FS_USE_TRANS',
|
|
'FS_USE_TASK',
|
|
'PORTCON',
|
|
'NODECON',
|
|
'NETIFCON',
|
|
'PIRQCON',
|
|
'IOMEMCON',
|
|
'IOPORTCON',
|
|
'PCIDEVICECON',
|
|
'DEVICETREECON',
|
|
# object classes
|
|
'CLASS',
|
|
# types and attributes
|
|
'TYPEATTRIBUTE',
|
|
'ROLEATTRIBUTE',
|
|
'TYPE',
|
|
'ATTRIBUTE',
|
|
'ATTRIBUTE_ROLE',
|
|
'ALIAS',
|
|
'TYPEALIAS',
|
|
# conditional policy
|
|
'BOOL',
|
|
'TRUE',
|
|
'FALSE',
|
|
'IF',
|
|
'ELSE',
|
|
# users and roles
|
|
'ROLE',
|
|
'TYPES',
|
|
# rules
|
|
'ALLOW',
|
|
'DONTAUDIT',
|
|
'AUDITALLOW',
|
|
'NEVERALLOW',
|
|
'PERMISSIVE',
|
|
'TYPEBOUNDS',
|
|
'TYPE_TRANSITION',
|
|
'TYPE_CHANGE',
|
|
'TYPE_MEMBER',
|
|
'RANGE_TRANSITION',
|
|
'ROLE_TRANSITION',
|
|
# refpolicy keywords
|
|
'OPT_POLICY',
|
|
'INTERFACE',
|
|
'TUNABLE_POLICY',
|
|
'GEN_REQ',
|
|
'TEMPLATE',
|
|
'GEN_CONTEXT',
|
|
# m4
|
|
'IFELSE',
|
|
'IFDEF',
|
|
'IFNDEF',
|
|
'DEFINE'
|
|
)
|
|
|
|
# All reserved keywords - see t_IDENTIFIER for how these are matched in
|
|
# the lexer.
|
|
reserved = {
|
|
# module
|
|
'module' : 'MODULE',
|
|
'policy_module' : 'POLICY_MODULE',
|
|
'require' : 'REQUIRE',
|
|
# flask
|
|
'sid' : 'SID',
|
|
'genfscon' : 'GENFSCON',
|
|
'fs_use_xattr' : 'FS_USE_XATTR',
|
|
'fs_use_trans' : 'FS_USE_TRANS',
|
|
'fs_use_task' : 'FS_USE_TASK',
|
|
'portcon' : 'PORTCON',
|
|
'nodecon' : 'NODECON',
|
|
'netifcon' : 'NETIFCON',
|
|
'pirqcon' : 'PIRQCON',
|
|
'iomemcon' : 'IOMEMCON',
|
|
'ioportcon' : 'IOPORTCON',
|
|
'pcidevicecon' : 'PCIDEVICECON',
|
|
'devicetreecon' : 'DEVICETREECON',
|
|
# object classes
|
|
'class' : 'CLASS',
|
|
# types and attributes
|
|
'typeattribute' : 'TYPEATTRIBUTE',
|
|
'roleattribute' : 'ROLEATTRIBUTE',
|
|
'type' : 'TYPE',
|
|
'attribute' : 'ATTRIBUTE',
|
|
'attribute_role' : 'ATTRIBUTE_ROLE',
|
|
'alias' : 'ALIAS',
|
|
'typealias' : 'TYPEALIAS',
|
|
# conditional policy
|
|
'bool' : 'BOOL',
|
|
'true' : 'TRUE',
|
|
'false' : 'FALSE',
|
|
'if' : 'IF',
|
|
'else' : 'ELSE',
|
|
# users and roles
|
|
'role' : 'ROLE',
|
|
'types' : 'TYPES',
|
|
# rules
|
|
'allow' : 'ALLOW',
|
|
'dontaudit' : 'DONTAUDIT',
|
|
'auditallow' : 'AUDITALLOW',
|
|
'neverallow' : 'NEVERALLOW',
|
|
'permissive' : 'PERMISSIVE',
|
|
'typebounds' : 'TYPEBOUNDS',
|
|
'type_transition' : 'TYPE_TRANSITION',
|
|
'type_change' : 'TYPE_CHANGE',
|
|
'type_member' : 'TYPE_MEMBER',
|
|
'range_transition' : 'RANGE_TRANSITION',
|
|
'role_transition' : 'ROLE_TRANSITION',
|
|
# refpolicy keywords
|
|
'optional_policy' : 'OPT_POLICY',
|
|
'interface' : 'INTERFACE',
|
|
'tunable_policy' : 'TUNABLE_POLICY',
|
|
'gen_require' : 'GEN_REQ',
|
|
'template' : 'TEMPLATE',
|
|
'gen_context' : 'GEN_CONTEXT',
|
|
# M4
|
|
'ifelse' : 'IFELSE',
|
|
'ifndef' : 'IFNDEF',
|
|
'ifdef' : 'IFDEF',
|
|
'define' : 'DEFINE'
|
|
}
|
|
|
|
# The ply lexer allows definition of tokens in 2 ways: regular expressions
|
|
# or functions.
|
|
|
|
# Simple regex tokens
|
|
t_TICK = r'\`'
|
|
t_SQUOTE = r'\''
|
|
t_OBRACE = r'\{'
|
|
t_CBRACE = r'\}'
|
|
# This will handle spurios extra ';' via the +
|
|
t_SEMI = r'\;+'
|
|
t_COLON = r'\:'
|
|
t_OPAREN = r'\('
|
|
t_CPAREN = r'\)'
|
|
t_COMMA = r'\,'
|
|
t_MINUS = r'\-'
|
|
t_TILDE = r'\~'
|
|
t_ASTERISK = r'\*'
|
|
t_AMP = r'\&'
|
|
t_BAR = r'\|'
|
|
t_EXPL = r'\!'
|
|
t_EQUAL = r'\='
|
|
t_NUMBER = r'[0-9\.]+'
|
|
t_PATH = r'/[a-zA-Z0-9)_\.\*/\$]*'
|
|
#t_IPV6_ADDR = r'[a-fA-F0-9]{0,4}:[a-fA-F0-9]{0,4}:([a-fA-F0-9]{0,4}:)*'
|
|
|
|
# Ignore whitespace - this is a special token for ply that more efficiently
|
|
# ignores uninteresting tokens.
|
|
t_ignore = " \t"
|
|
|
|
# More complex tokens
|
|
def t_IPV6_ADDR(t):
|
|
r'[a-fA-F0-9]{0,4}:[a-fA-F0-9]{0,4}:([a-fA-F0-9]|:)*'
|
|
# This is a function simply to force it sooner into
|
|
# the regex list
|
|
return t
|
|
|
|
def t_m4comment(t):
|
|
r'dnl.*\n'
|
|
# Ignore all comments
|
|
t.lexer.lineno += 1
|
|
|
|
def t_refpolicywarn1(t):
|
|
r'define.*refpolicywarn\(.*\n'
|
|
# Ignore refpolicywarn statements - they sometimes
|
|
# contain text that we can't parse.
|
|
t.skip(1)
|
|
|
|
def t_refpolicywarn(t):
|
|
r'refpolicywarn\(.*\n'
|
|
# Ignore refpolicywarn statements - they sometimes
|
|
# contain text that we can't parse.
|
|
t.lexer.lineno += 1
|
|
|
|
def t_IDENTIFIER(t):
|
|
r'[a-zA-Z_\$][a-zA-Z0-9_\-\+\.\$\*~]*'
|
|
# Handle any keywords
|
|
t.type = reserved.get(t.value,'IDENTIFIER')
|
|
return t
|
|
|
|
def t_FILENAME(t):
|
|
r'\"[a-zA-Z0-9_\-\+\.\$\*~ :]+\"'
|
|
# Handle any keywords
|
|
t.type = reserved.get(t.value,'FILENAME')
|
|
return t
|
|
|
|
def t_comment(t):
|
|
r'\#.*\n'
|
|
# Ignore all comments
|
|
t.lexer.lineno += 1
|
|
|
|
def t_error(t):
|
|
print("Illegal character '%s'" % t.value[0])
|
|
t.skip(1)
|
|
|
|
def t_newline(t):
|
|
r'\n+'
|
|
t.lexer.lineno += len(t.value)
|
|
|
|
# :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
|
|
#
|
|
# Parser
|
|
#
|
|
# :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
|
|
|
|
# Global data used during parsing - making it global is easier than
|
|
# passing the state through the parsing functions.
|
|
|
|
# m is the top-level data structure (stands for modules).
|
|
m = None
|
|
# error is either None (indicating no error) or a string error message.
|
|
error = None
|
|
parse_file = ""
|
|
# spt is the support macros (e.g., obj/perm sets) - it is an instance of
|
|
# refpolicy.SupportMacros and should always be present during parsing
|
|
# though it may not contain any macros.
|
|
spt = None
|
|
success = True
|
|
|
|
# utilities
|
|
def collect(stmts, parent, val=None):
|
|
if stmts is None:
|
|
return
|
|
for s in stmts:
|
|
if s is None:
|
|
continue
|
|
s.parent = parent
|
|
if val is not None:
|
|
parent.children.insert(0, (val, s))
|
|
else:
|
|
parent.children.insert(0, s)
|
|
|
|
def expand(ids, s):
|
|
for id in ids:
|
|
if spt.has_key(id):
|
|
s.update(spt.by_name(id))
|
|
else:
|
|
s.add(id)
|
|
|
|
# Top-level non-terminal
|
|
def p_statements(p):
|
|
'''statements : statement
|
|
| statements statement
|
|
| empty
|
|
'''
|
|
if len(p) == 2 and p[1]:
|
|
m.children.append(p[1])
|
|
elif len(p) > 2 and p[2]:
|
|
m.children.append(p[2])
|
|
|
|
def p_statement(p):
|
|
'''statement : interface
|
|
| template
|
|
| obj_perm_set
|
|
| policy
|
|
| policy_module_stmt
|
|
| module_stmt
|
|
'''
|
|
p[0] = p[1]
|
|
|
|
def p_empty(p):
|
|
'empty :'
|
|
pass
|
|
|
|
#
|
|
# Reference policy language constructs
|
|
#
|
|
|
|
# This is for the policy module statement (e.g., policy_module(foo,1.2.0)).
|
|
# We have a separate terminal for either the basic language module statement
|
|
# and interface calls to make it easier to identifier.
|
|
def p_policy_module_stmt(p):
|
|
'policy_module_stmt : POLICY_MODULE OPAREN IDENTIFIER COMMA NUMBER CPAREN'
|
|
m = refpolicy.ModuleDeclaration()
|
|
m.name = p[3]
|
|
m.version = p[5]
|
|
m.refpolicy = True
|
|
p[0] = m
|
|
|
|
def p_interface(p):
|
|
'''interface : INTERFACE OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN
|
|
'''
|
|
x = refpolicy.Interface(p[4])
|
|
collect(p[8], x)
|
|
p[0] = x
|
|
|
|
def p_template(p):
|
|
'''template : TEMPLATE OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN
|
|
| DEFINE OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN
|
|
'''
|
|
x = refpolicy.Template(p[4])
|
|
collect(p[8], x)
|
|
p[0] = x
|
|
|
|
def p_define(p):
|
|
'''define : DEFINE OPAREN TICK IDENTIFIER SQUOTE CPAREN'''
|
|
# This is for defining single M4 values (to be used later in ifdef statements).
|
|
# Example: define(`sulogin_no_pam'). We don't currently do anything with these
|
|
# but we should in the future when we correctly resolve ifdef statements.
|
|
p[0] = None
|
|
|
|
def p_interface_stmts(p):
|
|
'''interface_stmts : policy
|
|
| interface_stmts policy
|
|
| empty
|
|
'''
|
|
if len(p) == 2 and p[1]:
|
|
p[0] = p[1]
|
|
elif len(p) > 2:
|
|
if not p[1]:
|
|
if p[2]:
|
|
p[0] = p[2]
|
|
elif not p[2]:
|
|
p[0] = p[1]
|
|
else:
|
|
p[0] = p[1] + p[2]
|
|
|
|
def p_optional_policy(p):
|
|
'''optional_policy : OPT_POLICY OPAREN TICK interface_stmts SQUOTE CPAREN
|
|
| OPT_POLICY OPAREN TICK interface_stmts SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN
|
|
'''
|
|
o = refpolicy.OptionalPolicy()
|
|
collect(p[4], o, val=True)
|
|
if len(p) > 7:
|
|
collect(p[8], o, val=False)
|
|
p[0] = [o]
|
|
|
|
def p_tunable_policy(p):
|
|
'''tunable_policy : TUNABLE_POLICY OPAREN TICK cond_expr SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN
|
|
| TUNABLE_POLICY OPAREN TICK cond_expr SQUOTE COMMA TICK interface_stmts SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN
|
|
'''
|
|
x = refpolicy.TunablePolicy()
|
|
x.cond_expr = p[4]
|
|
collect(p[8], x, val=True)
|
|
if len(p) > 11:
|
|
collect(p[12], x, val=False)
|
|
p[0] = [x]
|
|
|
|
def p_ifelse(p):
|
|
'''ifelse : IFELSE OPAREN TICK IDENTIFIER SQUOTE COMMA COMMA TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
|
|
| IFELSE OPAREN TICK IDENTIFIER SQUOTE COMMA TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
|
|
| IFELSE OPAREN TICK IDENTIFIER SQUOTE COMMA TICK SQUOTE COMMA TICK interface_stmts SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
|
|
'''
|
|
# x = refpolicy.IfDef(p[4])
|
|
# v = True
|
|
# collect(p[8], x, val=v)
|
|
# if len(p) > 12:
|
|
# collect(p[12], x, val=False)
|
|
# p[0] = [x]
|
|
pass
|
|
|
|
|
|
def p_ifdef(p):
|
|
'''ifdef : IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
|
|
| IFNDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
|
|
| IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
|
|
'''
|
|
x = refpolicy.IfDef(p[4])
|
|
if p[1] == 'ifdef':
|
|
v = True
|
|
else:
|
|
v = False
|
|
collect(p[8], x, val=v)
|
|
if len(p) > 12:
|
|
collect(p[12], x, val=False)
|
|
p[0] = [x]
|
|
|
|
def p_interface_call(p):
|
|
'''interface_call : IDENTIFIER OPAREN interface_call_param_list CPAREN
|
|
| IDENTIFIER OPAREN CPAREN
|
|
| IDENTIFIER OPAREN interface_call_param_list CPAREN SEMI'''
|
|
# Allow spurious semi-colons at the end of interface calls
|
|
i = refpolicy.InterfaceCall(ifname=p[1])
|
|
if len(p) > 4:
|
|
i.args.extend(p[3])
|
|
p[0] = i
|
|
|
|
def p_interface_call_param(p):
|
|
'''interface_call_param : IDENTIFIER
|
|
| IDENTIFIER MINUS IDENTIFIER
|
|
| nested_id_set
|
|
| TRUE
|
|
| FALSE
|
|
| FILENAME
|
|
'''
|
|
# Intentionally let single identifiers pass through
|
|
# List means set, non-list identifier
|
|
if len(p) == 2:
|
|
p[0] = p[1]
|
|
else:
|
|
p[0] = [p[1], "-" + p[3]]
|
|
|
|
def p_interface_call_param_list(p):
|
|
'''interface_call_param_list : interface_call_param
|
|
| interface_call_param_list COMMA interface_call_param
|
|
'''
|
|
if len(p) == 2:
|
|
p[0] = [p[1]]
|
|
else:
|
|
p[0] = p[1] + [p[3]]
|
|
|
|
|
|
def p_obj_perm_set(p):
|
|
'obj_perm_set : DEFINE OPAREN TICK IDENTIFIER SQUOTE COMMA TICK names SQUOTE CPAREN'
|
|
s = refpolicy.ObjPermSet(p[4])
|
|
s.perms = p[8]
|
|
p[0] = s
|
|
|
|
#
|
|
# Basic SELinux policy language
|
|
#
|
|
|
|
def p_policy(p):
|
|
'''policy : policy_stmt
|
|
| optional_policy
|
|
| tunable_policy
|
|
| ifdef
|
|
| ifelse
|
|
| conditional
|
|
'''
|
|
p[0] = p[1]
|
|
|
|
def p_policy_stmt(p):
|
|
'''policy_stmt : gen_require
|
|
| avrule_def
|
|
| typerule_def
|
|
| typebound_def
|
|
| typeattribute_def
|
|
| roleattribute_def
|
|
| interface_call
|
|
| role_def
|
|
| role_allow
|
|
| permissive
|
|
| type_def
|
|
| typealias_def
|
|
| attribute_def
|
|
| attribute_role_def
|
|
| range_transition_def
|
|
| role_transition_def
|
|
| bool
|
|
| define
|
|
| initial_sid
|
|
| genfscon
|
|
| fs_use
|
|
| portcon
|
|
| nodecon
|
|
| netifcon
|
|
| pirqcon
|
|
| iomemcon
|
|
| ioportcon
|
|
| pcidevicecon
|
|
| devicetreecon
|
|
'''
|
|
if p[1]:
|
|
p[0] = [p[1]]
|
|
|
|
def p_module_stmt(p):
|
|
'module_stmt : MODULE IDENTIFIER NUMBER SEMI'
|
|
m = refpolicy.ModuleDeclaration()
|
|
m.name = p[2]
|
|
m.version = p[3]
|
|
m.refpolicy = False
|
|
p[0] = m
|
|
|
|
def p_gen_require(p):
|
|
'''gen_require : GEN_REQ OPAREN TICK requires SQUOTE CPAREN
|
|
| REQUIRE OBRACE requires CBRACE'''
|
|
# We ignore the require statements - they are redundant data from our point-of-view.
|
|
# Checkmodule will verify them later anyway so we just assume that they match what
|
|
# is in the rest of the interface.
|
|
pass
|
|
|
|
def p_requires(p):
|
|
'''requires : require
|
|
| requires require
|
|
| ifdef
|
|
| requires ifdef
|
|
'''
|
|
pass
|
|
|
|
def p_require(p):
|
|
'''require : TYPE comma_list SEMI
|
|
| ROLE comma_list SEMI
|
|
| ATTRIBUTE comma_list SEMI
|
|
| ATTRIBUTE_ROLE comma_list SEMI
|
|
| CLASS comma_list SEMI
|
|
| BOOL comma_list SEMI
|
|
'''
|
|
pass
|
|
|
|
def p_security_context(p):
|
|
'''security_context : IDENTIFIER COLON IDENTIFIER COLON IDENTIFIER
|
|
| IDENTIFIER COLON IDENTIFIER COLON IDENTIFIER COLON mls_range_def'''
|
|
# This will likely need some updates to handle complex levels
|
|
s = refpolicy.SecurityContext()
|
|
s.user = p[1]
|
|
s.role = p[3]
|
|
s.type = p[5]
|
|
if len(p) > 6:
|
|
s.level = p[7]
|
|
|
|
p[0] = s
|
|
|
|
def p_gen_context(p):
|
|
'''gen_context : GEN_CONTEXT OPAREN security_context COMMA mls_range_def CPAREN
|
|
'''
|
|
# We actually store gen_context statements in a SecurityContext
|
|
# object - it knows how to output either a bare context or a
|
|
# gen_context statement.
|
|
s = p[3]
|
|
s.level = p[5]
|
|
|
|
p[0] = s
|
|
|
|
def p_context(p):
|
|
'''context : security_context
|
|
| gen_context
|
|
'''
|
|
p[0] = p[1]
|
|
|
|
def p_initial_sid(p):
|
|
'''initial_sid : SID IDENTIFIER context'''
|
|
s = refpolicy.InitialSid()
|
|
s.name = p[2]
|
|
s.context = p[3]
|
|
p[0] = s
|
|
|
|
def p_genfscon(p):
|
|
'''genfscon : GENFSCON IDENTIFIER PATH context'''
|
|
|
|
g = refpolicy.GenfsCon()
|
|
g.filesystem = p[2]
|
|
g.path = p[3]
|
|
g.context = p[4]
|
|
|
|
p[0] = g
|
|
|
|
def p_fs_use(p):
|
|
'''fs_use : FS_USE_XATTR IDENTIFIER context SEMI
|
|
| FS_USE_TASK IDENTIFIER context SEMI
|
|
| FS_USE_TRANS IDENTIFIER context SEMI
|
|
'''
|
|
f = refpolicy.FilesystemUse()
|
|
if p[1] == "fs_use_xattr":
|
|
f.type = refpolicy.FilesystemUse.XATTR
|
|
elif p[1] == "fs_use_task":
|
|
f.type = refpolicy.FilesystemUse.TASK
|
|
elif p[1] == "fs_use_trans":
|
|
f.type = refpolicy.FilesystemUse.TRANS
|
|
|
|
f.filesystem = p[2]
|
|
f.context = p[3]
|
|
|
|
p[0] = f
|
|
|
|
def p_portcon(p):
|
|
'''portcon : PORTCON IDENTIFIER NUMBER context
|
|
| PORTCON IDENTIFIER NUMBER MINUS NUMBER context'''
|
|
c = refpolicy.PortCon()
|
|
c.port_type = p[2]
|
|
if len(p) == 5:
|
|
c.port_number = p[3]
|
|
c.context = p[4]
|
|
else:
|
|
c.port_number = p[3] + "-" + p[4]
|
|
c.context = p[5]
|
|
|
|
p[0] = c
|
|
|
|
def p_nodecon(p):
|
|
'''nodecon : NODECON NUMBER NUMBER context
|
|
| NODECON IPV6_ADDR IPV6_ADDR context
|
|
'''
|
|
n = refpolicy.NodeCon()
|
|
n.start = p[2]
|
|
n.end = p[3]
|
|
n.context = p[4]
|
|
|
|
p[0] = n
|
|
|
|
def p_netifcon(p):
|
|
'netifcon : NETIFCON IDENTIFIER context context'
|
|
n = refpolicy.NetifCon()
|
|
n.interface = p[2]
|
|
n.interface_context = p[3]
|
|
n.packet_context = p[4]
|
|
|
|
p[0] = n
|
|
|
|
def p_pirqcon(p):
|
|
'pirqcon : PIRQCON NUMBER context'
|
|
c = refpolicy.PirqCon()
|
|
c.pirq_number = p[2]
|
|
c.context = p[3]
|
|
|
|
p[0] = c
|
|
|
|
def p_iomemcon(p):
|
|
'''iomemcon : IOMEMCON NUMBER context
|
|
| IOMEMCON NUMBER MINUS NUMBER context'''
|
|
c = refpolicy.IomemCon()
|
|
if len(p) == 4:
|
|
c.device_mem = p[2]
|
|
c.context = p[3]
|
|
else:
|
|
c.device_mem = p[2] + "-" + p[3]
|
|
c.context = p[4]
|
|
|
|
p[0] = c
|
|
|
|
def p_ioportcon(p):
|
|
'''ioportcon : IOPORTCON NUMBER context
|
|
| IOPORTCON NUMBER MINUS NUMBER context'''
|
|
c = refpolicy.IoportCon()
|
|
if len(p) == 4:
|
|
c.ioport = p[2]
|
|
c.context = p[3]
|
|
else:
|
|
c.ioport = p[2] + "-" + p[3]
|
|
c.context = p[4]
|
|
|
|
p[0] = c
|
|
|
|
def p_pcidevicecon(p):
|
|
'pcidevicecon : PCIDEVICECON NUMBER context'
|
|
c = refpolicy.PciDeviceCon()
|
|
c.device = p[2]
|
|
c.context = p[3]
|
|
|
|
p[0] = c
|
|
|
|
def p_devicetreecon(p):
|
|
'devicetreecon : DEVICETREECON NUMBER context'
|
|
c = refpolicy.DevicetTeeCon()
|
|
c.path = p[2]
|
|
c.context = p[3]
|
|
|
|
p[0] = c
|
|
|
|
def p_mls_range_def(p):
|
|
'''mls_range_def : mls_level_def MINUS mls_level_def
|
|
| mls_level_def
|
|
'''
|
|
p[0] = p[1]
|
|
if len(p) > 2:
|
|
p[0] = p[0] + "-" + p[3]
|
|
|
|
def p_mls_level_def(p):
|
|
'''mls_level_def : IDENTIFIER COLON comma_list
|
|
| IDENTIFIER
|
|
'''
|
|
p[0] = p[1]
|
|
if len(p) > 2:
|
|
p[0] = p[0] + ":" + ",".join(p[3])
|
|
|
|
def p_type_def(p):
|
|
'''type_def : TYPE IDENTIFIER COMMA comma_list SEMI
|
|
| TYPE IDENTIFIER SEMI
|
|
| TYPE IDENTIFIER ALIAS names SEMI
|
|
| TYPE IDENTIFIER ALIAS names COMMA comma_list SEMI
|
|
'''
|
|
t = refpolicy.Type(p[2])
|
|
if len(p) == 6:
|
|
if p[3] == ',':
|
|
t.attributes.update(p[4])
|
|
else:
|
|
t.aliases = p[4]
|
|
elif len(p) > 4:
|
|
t.aliases = p[4]
|
|
if len(p) == 8:
|
|
t.attributes.update(p[6])
|
|
p[0] = t
|
|
|
|
def p_attribute_def(p):
|
|
'attribute_def : ATTRIBUTE IDENTIFIER SEMI'
|
|
a = refpolicy.Attribute(p[2])
|
|
p[0] = a
|
|
|
|
def p_attribute_role_def(p):
|
|
'attribute_role_def : ATTRIBUTE_ROLE IDENTIFIER SEMI'
|
|
a = refpolicy.Attribute_Role(p[2])
|
|
p[0] = a
|
|
|
|
def p_typealias_def(p):
|
|
'typealias_def : TYPEALIAS IDENTIFIER ALIAS names SEMI'
|
|
t = refpolicy.TypeAlias()
|
|
t.type = p[2]
|
|
t.aliases = p[4]
|
|
p[0] = t
|
|
|
|
def p_role_def(p):
|
|
'''role_def : ROLE IDENTIFIER TYPES comma_list SEMI
|
|
| ROLE IDENTIFIER SEMI'''
|
|
r = refpolicy.Role()
|
|
r.role = p[2]
|
|
if len(p) > 4:
|
|
r.types.update(p[4])
|
|
p[0] = r
|
|
|
|
def p_role_allow(p):
|
|
'role_allow : ALLOW names names SEMI'
|
|
r = refpolicy.RoleAllow()
|
|
r.src_roles = p[2]
|
|
r.tgt_roles = p[3]
|
|
p[0] = r
|
|
|
|
def p_permissive(p):
|
|
'permissive : PERMISSIVE names SEMI'
|
|
t.skip(1)
|
|
|
|
def p_avrule_def(p):
|
|
'''avrule_def : ALLOW names names COLON names names SEMI
|
|
| DONTAUDIT names names COLON names names SEMI
|
|
| AUDITALLOW names names COLON names names SEMI
|
|
| NEVERALLOW names names COLON names names SEMI
|
|
'''
|
|
a = refpolicy.AVRule()
|
|
if p[1] == 'dontaudit':
|
|
a.rule_type = refpolicy.AVRule.DONTAUDIT
|
|
elif p[1] == 'auditallow':
|
|
a.rule_type = refpolicy.AVRule.AUDITALLOW
|
|
elif p[1] == 'neverallow':
|
|
a.rule_type = refpolicy.AVRule.NEVERALLOW
|
|
a.src_types = p[2]
|
|
a.tgt_types = p[3]
|
|
a.obj_classes = p[5]
|
|
a.perms = p[6]
|
|
p[0] = a
|
|
|
|
def p_typerule_def(p):
|
|
'''typerule_def : TYPE_TRANSITION names names COLON names IDENTIFIER SEMI
|
|
| TYPE_TRANSITION names names COLON names IDENTIFIER FILENAME SEMI
|
|
| TYPE_TRANSITION names names COLON names IDENTIFIER IDENTIFIER SEMI
|
|
| TYPE_CHANGE names names COLON names IDENTIFIER SEMI
|
|
| TYPE_MEMBER names names COLON names IDENTIFIER SEMI
|
|
'''
|
|
t = refpolicy.TypeRule()
|
|
if p[1] == 'type_change':
|
|
t.rule_type = refpolicy.TypeRule.TYPE_CHANGE
|
|
elif p[1] == 'type_member':
|
|
t.rule_type = refpolicy.TypeRule.TYPE_MEMBER
|
|
t.src_types = p[2]
|
|
t.tgt_types = p[3]
|
|
t.obj_classes = p[5]
|
|
t.dest_type = p[6]
|
|
t.file_name = p[7]
|
|
p[0] = t
|
|
|
|
def p_typebound_def(p):
|
|
'''typebound_def : TYPEBOUNDS IDENTIFIER comma_list SEMI'''
|
|
t = refpolicy.TypeBound()
|
|
t.type = p[2]
|
|
t.tgt_types.update(p[3])
|
|
p[0] = t
|
|
|
|
def p_bool(p):
|
|
'''bool : BOOL IDENTIFIER TRUE SEMI
|
|
| BOOL IDENTIFIER FALSE SEMI'''
|
|
b = refpolicy.Bool()
|
|
b.name = p[2]
|
|
if p[3] == "true":
|
|
b.state = True
|
|
else:
|
|
b.state = False
|
|
p[0] = b
|
|
|
|
def p_conditional(p):
|
|
''' conditional : IF OPAREN cond_expr CPAREN OBRACE interface_stmts CBRACE
|
|
| IF OPAREN cond_expr CPAREN OBRACE interface_stmts CBRACE ELSE OBRACE interface_stmts CBRACE
|
|
'''
|
|
c = refpolicy.Conditional()
|
|
c.cond_expr = p[3]
|
|
collect(p[6], c, val=True)
|
|
if len(p) > 8:
|
|
collect(p[10], c, val=False)
|
|
p[0] = [c]
|
|
|
|
def p_typeattribute_def(p):
|
|
'''typeattribute_def : TYPEATTRIBUTE IDENTIFIER comma_list SEMI'''
|
|
t = refpolicy.TypeAttribute()
|
|
t.type = p[2]
|
|
t.attributes.update(p[3])
|
|
p[0] = t
|
|
|
|
def p_roleattribute_def(p):
|
|
'''roleattribute_def : ROLEATTRIBUTE IDENTIFIER comma_list SEMI'''
|
|
t = refpolicy.RoleAttribute()
|
|
t.role = p[2]
|
|
t.roleattributes.update(p[3])
|
|
p[0] = t
|
|
|
|
def p_range_transition_def(p):
|
|
'''range_transition_def : RANGE_TRANSITION names names COLON names mls_range_def SEMI
|
|
| RANGE_TRANSITION names names names SEMI'''
|
|
pass
|
|
|
|
def p_role_transition_def(p):
|
|
'''role_transition_def : ROLE_TRANSITION names names names SEMI'''
|
|
pass
|
|
|
|
def p_cond_expr(p):
|
|
'''cond_expr : IDENTIFIER
|
|
| EXPL cond_expr
|
|
| cond_expr AMP AMP cond_expr
|
|
| cond_expr BAR BAR cond_expr
|
|
| cond_expr EQUAL EQUAL cond_expr
|
|
| cond_expr EXPL EQUAL cond_expr
|
|
'''
|
|
l = len(p)
|
|
if l == 2:
|
|
p[0] = [p[1]]
|
|
elif l == 3:
|
|
p[0] = [p[1]] + p[2]
|
|
else:
|
|
p[0] = p[1] + [p[2] + p[3]] + p[4]
|
|
|
|
|
|
#
|
|
# Basic terminals
|
|
#
|
|
|
|
# Identifiers and lists of identifiers. These must
|
|
# be handled somewhat gracefully. Names returns an IdSet and care must
|
|
# be taken that this is _assigned_ to an object to correctly update
|
|
# all of the flags (as opposed to using update). The other terminals
|
|
# return list - this is to preserve ordering if it is important for
|
|
# parsing (for example, interface_call must retain the ordering). Other
|
|
# times the list should be used to update an IdSet.
|
|
|
|
def p_names(p):
|
|
'''names : identifier
|
|
| nested_id_set
|
|
| asterisk
|
|
| TILDE identifier
|
|
| TILDE nested_id_set
|
|
| IDENTIFIER MINUS IDENTIFIER
|
|
'''
|
|
s = refpolicy.IdSet()
|
|
if len(p) < 3:
|
|
expand(p[1], s)
|
|
elif len(p) == 3:
|
|
expand(p[2], s)
|
|
s.compliment = True
|
|
else:
|
|
expand([p[1]])
|
|
s.add("-" + p[3])
|
|
p[0] = s
|
|
|
|
def p_identifier(p):
|
|
'identifier : IDENTIFIER'
|
|
p[0] = [p[1]]
|
|
|
|
def p_asterisk(p):
|
|
'asterisk : ASTERISK'
|
|
p[0] = [p[1]]
|
|
|
|
def p_nested_id_set(p):
|
|
'''nested_id_set : OBRACE nested_id_list CBRACE
|
|
'''
|
|
p[0] = p[2]
|
|
|
|
def p_nested_id_list(p):
|
|
'''nested_id_list : nested_id_element
|
|
| nested_id_list nested_id_element
|
|
'''
|
|
if len(p) == 2:
|
|
p[0] = p[1]
|
|
else:
|
|
p[0] = p[1] + p[2]
|
|
|
|
def p_nested_id_element(p):
|
|
'''nested_id_element : identifier
|
|
| MINUS IDENTIFIER
|
|
| nested_id_set
|
|
'''
|
|
if len(p) == 2:
|
|
p[0] = p[1]
|
|
else:
|
|
# For now just leave the '-'
|
|
str = "-" + p[2]
|
|
p[0] = [str]
|
|
|
|
def p_comma_list(p):
|
|
'''comma_list : nested_id_list
|
|
| comma_list COMMA nested_id_list
|
|
'''
|
|
if len(p) > 2:
|
|
p[1] = p[1] + p[3]
|
|
p[0] = p[1]
|
|
|
|
def p_optional_semi(p):
|
|
'''optional_semi : SEMI
|
|
| empty'''
|
|
pass
|
|
|
|
|
|
#
|
|
# Interface to the parser
|
|
#
|
|
|
|
def p_error(tok):
|
|
global error, parse_file, success, parser
|
|
error = "%s: Syntax error on line %d %s [type=%s]" % (parse_file, tok.lineno, tok.value, tok.type)
|
|
print(error)
|
|
success = False
|
|
|
|
def prep_spt(spt):
|
|
if not spt:
|
|
return { }
|
|
map = {}
|
|
for x in spt:
|
|
map[x.name] = x
|
|
|
|
parser = None
|
|
lexer = None
|
|
def create_globals(module, support, debug):
|
|
global parser, lexer, m, spt
|
|
|
|
if not parser:
|
|
lexer = lex.lex()
|
|
parser = yacc.yacc(method="LALR", debug=debug, write_tables=0)
|
|
|
|
if module is not None:
|
|
m = module
|
|
else:
|
|
m = refpolicy.Module()
|
|
|
|
if not support:
|
|
spt = refpolicy.SupportMacros()
|
|
else:
|
|
spt = support
|
|
|
|
def parse(text, module=None, support=None, debug=False):
|
|
create_globals(module, support, debug)
|
|
global error, parser, lexer, success
|
|
|
|
lexer.lineno = 1
|
|
success = True
|
|
|
|
try:
|
|
parser.parse(text, debug=debug, lexer=lexer)
|
|
except Exception as e:
|
|
parser = None
|
|
lexer = None
|
|
error = "internal parser error: %s" % str(e) + "\n" + traceback.format_exc()
|
|
|
|
if not success:
|
|
# force the parser and lexer to be rebuilt - we have some problems otherwise
|
|
parser = None
|
|
msg = 'could not parse text: "%s"' % error
|
|
raise ValueError(msg)
|
|
return m
|
|
|
|
def list_headers(root):
|
|
modules = []
|
|
support_macros = None
|
|
|
|
for dirpath, dirnames, filenames in os.walk(root):
|
|
for name in filenames:
|
|
modname = os.path.splitext(name)
|
|
filename = os.path.join(dirpath, name)
|
|
|
|
if modname[1] == '.spt':
|
|
if name == "obj_perm_sets.spt":
|
|
support_macros = filename
|
|
elif len(re.findall("patterns", modname[0])):
|
|
modules.append((modname[0], filename))
|
|
elif modname[1] == '.if':
|
|
modules.append((modname[0], filename))
|
|
|
|
return (modules, support_macros)
|
|
|
|
|
|
def parse_headers(root, output=None, expand=True, debug=False):
|
|
from . import util
|
|
|
|
headers = refpolicy.Headers()
|
|
|
|
modules = []
|
|
support_macros = None
|
|
|
|
if os.path.isfile(root):
|
|
name = os.path.split(root)[1]
|
|
if name == '':
|
|
raise ValueError("Invalid file name %s" % root)
|
|
modname = os.path.splitext(name)
|
|
modules.append((modname[0], root))
|
|
all_modules, support_macros = list_headers(defaults.headers())
|
|
else:
|
|
modules, support_macros = list_headers(root)
|
|
|
|
if expand and not support_macros:
|
|
raise ValueError("could not find support macros (obj_perm_sets.spt)")
|
|
|
|
def o(msg):
|
|
if output:
|
|
output.write(msg)
|
|
|
|
def parse_file(f, module, spt=None):
|
|
global parse_file
|
|
if debug:
|
|
o("parsing file %s\n" % f)
|
|
try:
|
|
fd = open(f)
|
|
txt = fd.read()
|
|
fd.close()
|
|
parse_file = f
|
|
parse(txt, module, spt, debug)
|
|
except IOError as e:
|
|
return
|
|
except ValueError as e:
|
|
raise ValueError("error parsing file %s: %s" % (f, str(e)))
|
|
|
|
spt = None
|
|
if support_macros:
|
|
o("Parsing support macros (%s): " % support_macros)
|
|
spt = refpolicy.SupportMacros()
|
|
parse_file(support_macros, spt)
|
|
|
|
headers.children.append(spt)
|
|
|
|
# FIXME: Total hack - add in can_exec rather than parse the insanity
|
|
# of misc_macros. We are just going to pretend that this is an interface
|
|
# to make the expansion work correctly.
|
|
can_exec = refpolicy.Interface("can_exec")
|
|
av = access.AccessVector(["$1","$2","file","execute_no_trans","open", "read",
|
|
"getattr","lock","execute","ioctl"])
|
|
|
|
can_exec.children.append(refpolicy.AVRule(av))
|
|
headers.children.append(can_exec)
|
|
|
|
o("done.\n")
|
|
|
|
if output and not debug:
|
|
status = util.ConsoleProgressBar(sys.stdout, steps=len(modules))
|
|
status.start("Parsing interface files")
|
|
|
|
failures = []
|
|
for x in modules:
|
|
m = refpolicy.Module()
|
|
m.name = x[0]
|
|
try:
|
|
if expand:
|
|
parse_file(x[1], m, spt)
|
|
else:
|
|
parse_file(x[1], m)
|
|
except ValueError as e:
|
|
o(str(e) + "\n")
|
|
failures.append(x[1])
|
|
continue
|
|
|
|
headers.children.append(m)
|
|
if output and not debug:
|
|
status.step()
|
|
|
|
if len(failures):
|
|
o("failed to parse some headers: %s" % ", ".join(failures))
|
|
|
|
return headers
|