tequilaOS/platform_external_selinux
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_external_selinux/checkpolicy/policy_parse.y

955 lines
32 KiB
Text
Raw Normal View History

initial import from svn trunk revision 2950
2008-08-19 21:30:36 +02:00
/*
* Author : Stephen Smalley, <sds@epoch.ncsc.mil>
*/
/*
* Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
*
* Support for enhanced MLS infrastructure.
*
* Updated: David Caplan, <dac@tresys.com>
*
* Added conditional policy language extensions
*
* Updated: Joshua Brindle <jbrindle@tresys.com>
* Karl MacMillan <kmacmillan@mentalrootkit.com>
* Jason Tang <jtang@tresys.com>
*
* Added support for binary policy modules
*
* Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
* Copyright (C) 2003 - 2008 Tresys Technology, LLC
* Copyright (C) 2007 Red Hat Inc.
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, version 2.
*/
/* FLASK */
%{
#include <sys/types.h>
#include <assert.h>
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdlib.h>
#include <sepol/policydb/expand.h>
#include <sepol/policydb/policydb.h>
#include <sepol/policydb/services.h>
#include <sepol/policydb/conditional.h>
#include <sepol/policydb/flask.h>
#include <sepol/policydb/hierarchy.h>
#include <sepol/policydb/polcaps.h>
#include "queue.h"
#include "checkpolicy.h"
#include "module_compiler.h"
#include "policy_define.h"
extern policydb_t *policydbp;
extern unsigned int pass;
extern char yytext[];
extern int yylex(void);
checkpolicy: constify the message written by yyerror and yywarn Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-09-14 23:41:39 +02:00
extern int yywarn(const char *msg);
extern int yyerror(const char *msg);
initial import from svn trunk revision 2950
2008-08-19 21:30:36 +02:00
Fix gcc -Wstrict-prototypes warnings In C, defining a function with () means "any number of parameters", not "no parameter". Use (void) instead where applicable and add unused parameters when needed. Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-09-14 23:41:49 +02:00
typedef int (* require_func_t)(int pass);
initial import from svn trunk revision 2950
2008-08-19 21:30:36 +02:00
%}
%union {
unsigned int val;
libsepol, checkpolicy: widen Xen IOMEM ocontext entries This expands IOMEMCON device context entries to 64 bits. This change is required to support static I/O memory range labeling for systems with over 16TB of physical address space. The policy version number change is shared with the next patch. While this makes no changes to SELinux policy, a new SELinux policy compatibility entry was added in order to avoid breaking compilation of an SELinux policy without explicitly specifying the policy version. Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
2015-03-17 21:43:23 +01:00
uint64_t val64;
initial import from svn trunk revision 2950
2008-08-19 21:30:36 +02:00
uintptr_t valptr;
void *ptr;
require_func_t require_func;
}
%type <ptr> cond_expr cond_expr_prim cond_pol_list cond_else
%type <ptr> cond_allow_def cond_auditallow_def cond_auditdeny_def cond_dontaudit_def
%type <ptr> cond_transition_def cond_te_avtab_def cond_rule_def
%type <ptr> role_def roles
%type <valptr> cexpr cexpr_prim op role_mls_op
%type <val> ipv4_addr_def number
libsepol, checkpolicy: widen Xen IOMEM ocontext entries This expands IOMEMCON device context entries to 64 bits. This change is required to support static I/O memory range labeling for systems with over 16TB of physical address space. The policy version number change is shared with the next patch. While this makes no changes to SELinux policy, a new SELinux policy compatibility entry was added in order to avoid breaking compilation of an SELinux policy without explicitly specifying the policy version. Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
2015-03-17 21:43:23 +01:00
%type <val64> number64
initial import from svn trunk revision 2950
2008-08-19 21:30:36 +02:00
%type <require_func> require_decl_def
%token PATH
checkpolicy: Expand allowed character set in paths In order to support paths containing spaces or other characters, allow a quoted string with these characters to be parsed as a path in addition to the existing unquoted string. Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
2015-03-17 21:43:22 +01:00
%token QPATH
checkpolicy: wrap file names in filename trans with quotes This wraps the filename token in quotes to make parsing easier and more clear. The quotes are stripped off before being passed to checkpolicy. The quote wrapping is only used by filename transitions. This changes the filename transition syntax to the following: type_transition source target : object default_type "filename"; Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2011-05-16 14:40:00 +02:00
%token FILENAME
initial import from svn trunk revision 2950
2008-08-19 21:30:36 +02:00
%token CLONE
%token COMMON
%token CLASS
%token CONSTRAIN
%token VALIDATETRANS
%token INHERITS
%token SID
%token ROLE
Add role attribute support when compiling modules. 1. Add a uint32_t "flavor" field and an ebitmap "roles" to the role_datum_t structure; 2. Add a new "attribute_role" statement and its handler to declare a role attribute; 3. Modify declare_role() to setup role_datum_t.flavor according to the isattr argument; 4. Add a new "roleattribute" rule and its handler, which will record the regular role's (policy value - 1) into the role attribute's role_datum_t.roles ebitmap; 5. Modify the syntax for the role-types rule only to define the role-type associations; 6. Add a new role-attr rule to support the declaration of a single role, and optionally the role attribute that the role belongs to; 7. Check if the new_role used in role-transition rule is a regular role; 8. Support to require a role attribute; 9. Modify symtab_insert() to allow multiple declarations only for the regular role, while a role attribute can't be declared more than once and can't share a same name with another regular role. Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2011-07-25 03:23:54 +02:00
%token ROLEATTRIBUTE
%token ATTRIBUTE_ROLE
initial import from svn trunk revision 2950
2008-08-19 21:30:36 +02:00
%token ROLES
%token TYPEALIAS
%token TYPEATTRIBUTE
Author: KaiGai Kohei Email: kaigai@ak.jp.nec.com Subject: Thread/Child-Domain Assignment (rev.2) Date: Tue, 05 Aug 2008 14:55:52 +0900 [2/3] thread-context-checkpolicy.2.patch It enables to support TYPEBOUNDS statement and to expand existing hierarchies implicitly. Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com> -- module_compiler.c | 86 +++++++++++++++++++++++++++++++++++++++++++++++++ policy_define.c | 93 +++++++++++++++++++++++++++++++++++++++++++++++++++++- policy_define.h | 1 policy_parse.y | 5 ++ policy_scan.l | 2 + 5 files changed, 186 insertions(+), 1 deletion(-) Signed-off-by: Joshua Brindle <method@manicmethod.com>
2008-10-08 12:56:51 +02:00
%token TYPEBOUNDS
initial import from svn trunk revision 2950
2008-08-19 21:30:36 +02:00
%token TYPE
%token TYPES
%token ALIAS
%token ATTRIBUTE
Add attribute expansion options This commit adds attribute expansion statements to the policy language allowing compiler defaults to be overridden. Always expands an attribute example: expandattribute { foo } true; CIL example: (expandtypeattribute (foo) true) Never expand an attribute example: expandattribute { bar } false; CIL example: (expandtypeattribute (bar) false) Adding the annotations directly to policy was chosen over other methods as it is consistent with how targeted runtime optimizations are specified in other languages. For example, in C the "inline" command. Motivation expandattribute true: Android has been moving away from a monolithic policy binary to a two part split policy representing the Android platform and the underlying vendor-provided hardware interface. The goal is a stable API allowing these two parts to be updated independently of each other. Attributes provide an important mechanism for compatibility. For example, when the vendor provides a HAL for the platform, permissions needed by clients of the HAL can be granted to an attribute. Clients need only be assigned the attribute and do not need to be aware of the underlying types and permissions being granted. Inheriting permissions via attribute creates a convenient mechanism for independence between vendor and platform policy, but results in the creation of many attributes, and the potential for performance issues when processes are clients of many HALs. [1] Annotating these attributes for expansion at compile time allows us to retain the compatibility benefits of using attributes without the performance costs. [2] expandattribute false: Commit 0be23c3f15fd added the capability to aggresively remove unused attributes. This is generally useful as too many attributes assigned to a type results in lengthy policy look up times when there is a cache miss. However, removing attributes can also result in loss of information used in external tests. On Android, we're considering stripping neverallow rules from on-device policy. This is consistent with the kernel policy binary which also did not contain neverallows. Removing neverallow rules results in a 5-10% decrease in on-device policy build and load and a policy size decrease of ~250k. Neverallow rules are still asserted at build time and during device certification (CTS). If neverallow rules are absent when secilc is run, some attributes are being stripped from policy and neverallow tests in CTS may be violated. [3] This change retains the aggressive attribute stripping behavior but adds an override mechanism to preserve attributes marked as necessary. [1] https://github.com/SELinuxProject/cil/issues/9 [2] Annotating all HAL client attributes for expansion resulted in system_server's dropping from 19 attributes to 8. Because these attributes were not widely applied to other types, the final policy size change was negligible. [3] data_file_type and service_manager_type are stripped from AOSP policy when using secilc's -G option. This impacts 11 neverallow tests in CTS. Test: Build and boot Marlin with all hal_*_client attributes marked for expansion. Verify (using seinfo and sesearch) that permissions are correctly expanded from attributes to types. Test: Mark types being stripped by secilc with "preserve" and verify that they are retained in policy and applied to the same types. Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
2017-05-04 23:36:49 +02:00
%token EXPANDATTRIBUTE
initial import from svn trunk revision 2950
2008-08-19 21:30:36 +02:00
%token BOOL
checkpolicy: Separate tunable from boolean during compile. Both boolean and tunable keywords are processed by define_bool_tunable(), argument 0 and 1 would be passed for boolean and tunable respectively. For tunable, a TUNABLE flag would be set in cond_bool_datum_t.flags. Note, when creating an if-else conditional we can not know if the tunable identifier is indeed a tunable(for example, a boolean may be misused in tunable_policy() or vice versa), thus the TUNABLE flag for cond_node_t would be calculated and used in expansion when all booleans/tunables copied during link. Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-09-01 05:29:41 +02:00
%token TUNABLE
initial import from svn trunk revision 2950
2008-08-19 21:30:36 +02:00
%token IF
%token ELSE
%token TYPE_TRANSITION
%token TYPE_MEMBER
%token TYPE_CHANGE
%token ROLE_TRANSITION
%token RANGE_TRANSITION
%token SENSITIVITY
%token DOMINANCE
%token DOM DOMBY INCOMP
%token CATEGORY
%token LEVEL
%token RANGE
%token MLSCONSTRAIN
%token MLSVALIDATETRANS
%token USER
%token NEVERALLOW
%token ALLOW
%token AUDITALLOW
%token AUDITDENY
%token DONTAUDIT
checkpolicy: switch operations to extended perms The ioctl operations code is being renamed to the more generic "extended permissions." This commit brings the policy compiler up to date with the kernel patch. Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
2015-06-12 18:01:12 +02:00
%token ALLOWXPERM
%token AUDITALLOWXPERM
%token DONTAUDITXPERM
Add neverallow support for ioctl extended permissions Neverallow rules for ioctl extended permissions will pass in two cases: 1. If extended permissions exist for the source-target-class set the test will pass if the neverallow values are excluded. 2. If extended permissions do not exist for the source-target-class set the test will pass if the ioctl permission is not granted. Signed-off-by: Jeff Vander Stoep <jeffv@google.com> Acked-by: Nick Kralevich <nnk@google.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-09-18 21:57:56 +02:00
%token NEVERALLOWXPERM
initial import from svn trunk revision 2950
2008-08-19 21:30:36 +02:00
%token SOURCE
%token TARGET
%token SAMEUSER
%token FSCON PORTCON NETIFCON NODECON
libsepol, checkpolicy: add device tree ocontext nodes to Xen policy In Xen on ARM, device tree nodes identified by a path (string) need to be labeled by the security policy. Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
2015-03-17 21:43:24 +01:00
%token PIRQCON IOMEMCON IOPORTCON PCIDEVICECON DEVICETREECON
initial import from svn trunk revision 2950
2008-08-19 21:30:36 +02:00
%token FSUSEXATTR FSUSETASK FSUSETRANS
%token GENFSCON
%token U1 U2 U3 R1 R2 R3 T1 T2 T3 L1 L2 H1 H2
%token NOT AND OR XOR
%token CTRUE CFALSE
%token IDENTIFIER
%token NUMBER
%token EQUALS
%token NOTEQUAL
%token IPV4_ADDR
%token IPV6_ADDR
%token MODULE VERSION_IDENTIFIER REQUIRE OPTIONAL
%token POLICYCAP
%token PERMISSIVE
checkpolicy: Allow filesystem names to start with a digit The patch below allows filesystem names in fs_use_* and genfscon statements to start with a digit, but still requires at least one character to be a letter. A new token type for filesystem names is created since these names having nothing to do with SELinux. This patch is needed because some filesystem names (such as 9p) start with a digit. Signed-off-by: James Carter <jwcart2@tycho.nsa.gov> Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2011-01-12 22:29:02 +01:00
%token FILESYSTEM
checkpolicy: libsepol: implement default type policy syntax We currently have a mechanism in which the default user, role, and range can be picked up from the source or the target object. This implements the same thing for types. The kernel will override this with type transition rules and similar. This is just the default if nothing specific is given. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-12-18 17:41:25 +01:00
%token DEFAULT_USER DEFAULT_ROLE DEFAULT_TYPE DEFAULT_RANGE
libsepol: checkpolicy: implement new default labeling behaviors We would like to be able to say that the user, role, or range of a newly created object should be based on the user, role, or range of either the source or the target of the creation operation. aka, for a new file this could be the user of the creating process or the user or the parent directory. This patch implements the new language and the policydb support to give this information to the kernel. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-12-05 19:28:51 +01:00
%token LOW_HIGH LOW HIGH
initial import from svn trunk revision 2950
2008-08-19 21:30:36 +02:00
%left OR
%left XOR
%left AND
%right NOT
%left EQUALS NOTEQUAL
%%
policy : base_policy
| module_policy
;
base_policy : { if (define_policy(pass, 0) == -1) return -1; }
classes initial_sids access_vectors
{ if (pass == 1) { if (policydb_index_classes(policydbp)) return -1; }
else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1; }}
libsepol: checkpolicy: implement new default labeling behaviors We would like to be able to say that the user, role, or range of a newly created object should be based on the user, role, or range of either the source or the target of the creation operation. aka, for a new file this could be the user of the creating process or the user or the parent directory. This patch implements the new language and the policydb support to give this information to the kernel. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-12-05 19:28:51 +01:00
opt_default_rules opt_mls te_rbac users opt_constraints
initial import from svn trunk revision 2950
2008-08-19 21:30:36 +02:00
{ if (pass == 1) { if (policydb_index_bools(policydbp)) return -1;}
else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1;}}
checkpolicy: Add support for multiple target OSes Updated patch of checkpolicy based on input. On Tue, 2009-09-15 at 12:37 -0400, pjnuzzi wrote: > Add support for multiple target OSes by adding the -t target option to > checkpolicy. Implemented the new Xen ocontext identifiers pirqcon, > pcidevicecon, iomemcon and ioportcon. > > Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil> > > --- checkpolicy/checkpolicy.c | 20 ++- checkpolicy/policy_define.c | 272 ++++++++++++++++++++++++++++++++++++++++++++ checkpolicy/policy_define.h | 4 checkpolicy/policy_parse.y | 29 ++++ checkpolicy/policy_scan.l | 10 + 5 files changed, 330 insertions(+), 5 deletions(-) Signed-off-by: Joshua Brindle <method@manicmethod.com>
2009-09-29 16:06:26 +02:00
initial_sid_contexts opt_fs_contexts opt_fs_uses opt_genfs_contexts net_contexts opt_dev_contexts
initial import from svn trunk revision 2950
2008-08-19 21:30:36 +02:00
;
classes : class_def
| classes class_def
;
class_def : CLASS identifier
{if (define_class()) return -1;}
;
initial_sids : initial_sid_def
| initial_sids initial_sid_def
;
initial_sid_def : SID identifier
{if (define_initial_sid()) return -1;}
;
access_vectors : opt_common_perms av_perms
;
opt_common_perms : common_perms
|
;
common_perms : common_perms_def
| common_perms common_perms_def
;
common_perms_def : COMMON identifier '{' identifier_list '}'
{if (define_common_perms()) return -1;}
;
av_perms : av_perms_def
| av_perms av_perms_def
;
av_perms_def : CLASS identifier '{' identifier_list '}'
{if (define_av_perms(FALSE)) return -1;}
| CLASS identifier INHERITS identifier
{if (define_av_perms(TRUE)) return -1;}
| CLASS identifier INHERITS identifier '{' identifier_list '}'
{if (define_av_perms(TRUE)) return -1;}
;
libsepol: checkpolicy: implement new default labeling behaviors We would like to be able to say that the user, role, or range of a newly created object should be based on the user, role, or range of either the source or the target of the creation operation. aka, for a new file this could be the user of the creating process or the user or the parent directory. This patch implements the new language and the policydb support to give this information to the kernel. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-12-05 19:28:51 +01:00
opt_default_rules : default_rules
|
;
default_rules : default_user_def
| default_role_def
checkpolicy: libsepol: implement default type policy syntax We currently have a mechanism in which the default user, role, and range can be picked up from the source or the target object. This implements the same thing for types. The kernel will override this with type transition rules and similar. This is just the default if nothing specific is given. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-12-18 17:41:25 +01:00
| default_type_def
libsepol: checkpolicy: implement new default labeling behaviors We would like to be able to say that the user, role, or range of a newly created object should be based on the user, role, or range of either the source or the target of the creation operation. aka, for a new file this could be the user of the creating process or the user or the parent directory. This patch implements the new language and the policydb support to give this information to the kernel. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-12-05 19:28:51 +01:00
| default_range_def
| default_rules default_user_def
| default_rules default_role_def
checkpolicy: libsepol: implement default type policy syntax We currently have a mechanism in which the default user, role, and range can be picked up from the source or the target object. This implements the same thing for types. The kernel will override this with type transition rules and similar. This is just the default if nothing specific is given. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-12-18 17:41:25 +01:00
| default_rules default_type_def
libsepol: checkpolicy: implement new default labeling behaviors We would like to be able to say that the user, role, or range of a newly created object should be based on the user, role, or range of either the source or the target of the creation operation. aka, for a new file this could be the user of the creating process or the user or the parent directory. This patch implements the new language and the policydb support to give this information to the kernel. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-12-05 19:28:51 +01:00
| default_rules default_range_def
;
default_user_def : DEFAULT_USER names SOURCE ';'
{if (define_default_user(DEFAULT_SOURCE)) return -1; }
| DEFAULT_USER names TARGET ';'
{if (define_default_user(DEFAULT_TARGET)) return -1; }
;
default_role_def : DEFAULT_ROLE names SOURCE ';'
{if (define_default_role(DEFAULT_SOURCE)) return -1; }
| DEFAULT_ROLE names TARGET ';'
{if (define_default_role(DEFAULT_TARGET)) return -1; }
;
checkpolicy: libsepol: implement default type policy syntax We currently have a mechanism in which the default user, role, and range can be picked up from the source or the target object. This implements the same thing for types. The kernel will override this with type transition rules and similar. This is just the default if nothing specific is given. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-12-18 17:41:25 +01:00
default_type_def : DEFAULT_TYPE names SOURCE ';'
{if (define_default_type(DEFAULT_SOURCE)) return -1; }
| DEFAULT_TYPE names TARGET ';'
{if (define_default_type(DEFAULT_TARGET)) return -1; }
;
libsepol: checkpolicy: implement new default labeling behaviors We would like to be able to say that the user, role, or range of a newly created object should be based on the user, role, or range of either the source or the target of the creation operation. aka, for a new file this could be the user of the creating process or the user or the parent directory. This patch implements the new language and the policydb support to give this information to the kernel. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-12-05 19:28:51 +01:00
default_range_def : DEFAULT_RANGE names SOURCE LOW ';'
{if (define_default_range(DEFAULT_SOURCE_LOW)) return -1; }
| DEFAULT_RANGE names SOURCE HIGH ';'
{if (define_default_range(DEFAULT_SOURCE_HIGH)) return -1; }
| DEFAULT_RANGE names SOURCE LOW_HIGH ';'
{if (define_default_range(DEFAULT_SOURCE_LOW_HIGH)) return -1; }
| DEFAULT_RANGE names TARGET LOW ';'
{if (define_default_range(DEFAULT_TARGET_LOW)) return -1; }
| DEFAULT_RANGE names TARGET HIGH ';'
{if (define_default_range(DEFAULT_TARGET_HIGH)) return -1; }
| DEFAULT_RANGE names TARGET LOW_HIGH ';'
{if (define_default_range(DEFAULT_TARGET_LOW_HIGH)) return -1; }
;
initial import from svn trunk revision 2950
2008-08-19 21:30:36 +02:00
opt_mls : mls
|
;
mls : sensitivities dominance opt_categories levels mlspolicy
;
sensitivities : sensitivity_def
| sensitivities sensitivity_def
;
sensitivity_def : SENSITIVITY identifier alias_def ';'
{if (define_sens()) return -1;}
| SENSITIVITY identifier ';'
{if (define_sens()) return -1;}
;
alias_def : ALIAS names
;
dominance : DOMINANCE identifier
{if (define_dominance()) return -1;}
| DOMINANCE '{' identifier_list '}'
{if (define_dominance()) return -1;}
;
opt_categories : categories
|
;
categories : category_def
| categories category_def
;
category_def : CATEGORY identifier alias_def ';'
{if (define_category()) return -1;}
| CATEGORY identifier ';'
{if (define_category()) return -1;}
;
levels : level_def
| levels level_def
;
level_def : LEVEL identifier ':' id_comma_list ';'
{if (define_level()) return -1;}
| LEVEL identifier ';'
{if (define_level()) return -1;}
;
mlspolicy : mlspolicy_decl
| mlspolicy mlspolicy_decl
;
mlspolicy_decl : mlsconstraint_def
| mlsvalidatetrans_def
;
mlsconstraint_def : MLSCONSTRAIN names names cexpr ';'
{ if (define_constraint((constraint_expr_t*)$4)) return -1; }
;
mlsvalidatetrans_def : MLSVALIDATETRANS names cexpr ';'
{ if (define_validatetrans((constraint_expr_t*)$3)) return -1; }
;
te_rbac : te_rbac_decl
| te_rbac te_rbac_decl
;
te_rbac_decl : te_decl
| rbac_decl
| cond_stmt_def
| optional_block
| policycap_def
| ';'
;
Add role attribute support when compiling modules. 1. Add a uint32_t "flavor" field and an ebitmap "roles" to the role_datum_t structure; 2. Add a new "attribute_role" statement and its handler to declare a role attribute; 3. Modify declare_role() to setup role_datum_t.flavor according to the isattr argument; 4. Add a new "roleattribute" rule and its handler, which will record the regular role's (policy value - 1) into the role attribute's role_datum_t.roles ebitmap; 5. Modify the syntax for the role-types rule only to define the role-type associations; 6. Add a new role-attr rule to support the declaration of a single role, and optionally the role attribute that the role belongs to; 7. Check if the new_role used in role-transition rule is a regular role; 8. Support to require a role attribute; 9. Modify symtab_insert() to allow multiple declarations only for the regular role, while a role attribute can't be declared more than once and can't share a same name with another regular role. Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2011-07-25 03:23:54 +02:00
rbac_decl : attribute_role_def
| role_type_def
initial import from svn trunk revision 2950
2008-08-19 21:30:36 +02:00
| role_dominance
| role_trans_def
| role_allow_def
Add role attribute support when compiling modules. 1. Add a uint32_t "flavor" field and an ebitmap "roles" to the role_datum_t structure; 2. Add a new "attribute_role" statement and its handler to declare a role attribute; 3. Modify declare_role() to setup role_datum_t.flavor according to the isattr argument; 4. Add a new "roleattribute" rule and its handler, which will record the regular role's (policy value - 1) into the role attribute's role_datum_t.roles ebitmap; 5. Modify the syntax for the role-types rule only to define the role-type associations; 6. Add a new role-attr rule to support the declaration of a single role, and optionally the role attribute that the role belongs to; 7. Check if the new_role used in role-transition rule is a regular role; 8. Support to require a role attribute; 9. Modify symtab_insert() to allow multiple declarations only for the regular role, while a role attribute can't be declared more than once and can't share a same name with another regular role. Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2011-07-25 03:23:54 +02:00
| roleattribute_def
| role_attr_def
initial import from svn trunk revision 2950
2008-08-19 21:30:36 +02:00
;
te_decl : attribute_def
Add attribute expansion options This commit adds attribute expansion statements to the policy language allowing compiler defaults to be overridden. Always expands an attribute example: expandattribute { foo } true; CIL example: (expandtypeattribute (foo) true) Never expand an attribute example: expandattribute { bar } false; CIL example: (expandtypeattribute (bar) false) Adding the annotations directly to policy was chosen over other methods as it is consistent with how targeted runtime optimizations are specified in other languages. For example, in C the "inline" command. Motivation expandattribute true: Android has been moving away from a monolithic policy binary to a two part split policy representing the Android platform and the underlying vendor-provided hardware interface. The goal is a stable API allowing these two parts to be updated independently of each other. Attributes provide an important mechanism for compatibility. For example, when the vendor provides a HAL for the platform, permissions needed by clients of the HAL can be granted to an attribute. Clients need only be assigned the attribute and do not need to be aware of the underlying types and permissions being granted. Inheriting permissions via attribute creates a convenient mechanism for independence between vendor and platform policy, but results in the creation of many attributes, and the potential for performance issues when processes are clients of many HALs. [1] Annotating these attributes for expansion at compile time allows us to retain the compatibility benefits of using attributes without the performance costs. [2] expandattribute false: Commit 0be23c3f15fd added the capability to aggresively remove unused attributes. This is generally useful as too many attributes assigned to a type results in lengthy policy look up times when there is a cache miss. However, removing attributes can also result in loss of information used in external tests. On Android, we're considering stripping neverallow rules from on-device policy. This is consistent with the kernel policy binary which also did not contain neverallows. Removing neverallow rules results in a 5-10% decrease in on-device policy build and load and a policy size decrease of ~250k. Neverallow rules are still asserted at build time and during device certification (CTS). If neverallow rules are absent when secilc is run, some attributes are being stripped from policy and neverallow tests in CTS may be violated. [3] This change retains the aggressive attribute stripping behavior but adds an override mechanism to preserve attributes marked as necessary. [1] https://github.com/SELinuxProject/cil/issues/9 [2] Annotating all HAL client attributes for expansion resulted in system_server's dropping from 19 attributes to 8. Because these attributes were not widely applied to other types, the final policy size change was negligible. [3] data_file_type and service_manager_type are stripped from AOSP policy when using secilc's -G option. This impacts 11 neverallow tests in CTS. Test: Build and boot Marlin with all hal_*_client attributes marked for expansion. Verify (using seinfo and sesearch) that permissions are correctly expanded from attributes to types. Test: Mark types being stripped by secilc with "preserve" and verify that they are retained in policy and applied to the same types. Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
2017-05-04 23:36:49 +02:00
| expandattribute_def
initial import from svn trunk revision 2950
2008-08-19 21:30:36 +02:00
| type_def
| typealias_def
| typeattribute_def
Author: KaiGai Kohei Email: kaigai@ak.jp.nec.com Subject: Thread/Child-Domain Assignment (rev.2) Date: Tue, 05 Aug 2008 14:55:52 +0900 [2/3] thread-context-checkpolicy.2.patch It enables to support TYPEBOUNDS statement and to expand existing hierarchies implicitly. Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com> -- module_compiler.c | 86 +++++++++++++++++++++++++++++++++++++++++++++++++ policy_define.c | 93 +++++++++++++++++++++++++++++++++++++++++++++++++++++- policy_define.h | 1 policy_parse.y | 5 ++ policy_scan.l | 2 + 5 files changed, 186 insertions(+), 1 deletion(-) Signed-off-by: Joshua Brindle <method@manicmethod.com>
2008-10-08 12:56:51 +02:00
| typebounds_def
initial import from svn trunk revision 2950
2008-08-19 21:30:36 +02:00
| bool_def
checkpolicy: Separate tunable from boolean during compile. Both boolean and tunable keywords are processed by define_bool_tunable(), argument 0 and 1 would be passed for boolean and tunable respectively. For tunable, a TUNABLE flag would be set in cond_bool_datum_t.flags. Note, when creating an if-else conditional we can not know if the tunable identifier is indeed a tunable(for example, a boolean may be misused in tunable_policy() or vice versa), thus the TUNABLE flag for cond_node_t would be calculated and used in expansion when all booleans/tunables copied during link. Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-09-01 05:29:41 +02:00
| tunable_def
initial import from svn trunk revision 2950
2008-08-19 21:30:36 +02:00
| transition_def
| range_trans_def
| te_avtab_def
| permissive_def
;
attribute_def : ATTRIBUTE identifier ';'
{ if (define_attrib()) return -1;}
;
Add attribute expansion options This commit adds attribute expansion statements to the policy language allowing compiler defaults to be overridden. Always expands an attribute example: expandattribute { foo } true; CIL example: (expandtypeattribute (foo) true) Never expand an attribute example: expandattribute { bar } false; CIL example: (expandtypeattribute (bar) false) Adding the annotations directly to policy was chosen over other methods as it is consistent with how targeted runtime optimizations are specified in other languages. For example, in C the "inline" command. Motivation expandattribute true: Android has been moving away from a monolithic policy binary to a two part split policy representing the Android platform and the underlying vendor-provided hardware interface. The goal is a stable API allowing these two parts to be updated independently of each other. Attributes provide an important mechanism for compatibility. For example, when the vendor provides a HAL for the platform, permissions needed by clients of the HAL can be granted to an attribute. Clients need only be assigned the attribute and do not need to be aware of the underlying types and permissions being granted. Inheriting permissions via attribute creates a convenient mechanism for independence between vendor and platform policy, but results in the creation of many attributes, and the potential for performance issues when processes are clients of many HALs. [1] Annotating these attributes for expansion at compile time allows us to retain the compatibility benefits of using attributes without the performance costs. [2] expandattribute false: Commit 0be23c3f15fd added the capability to aggresively remove unused attributes. This is generally useful as too many attributes assigned to a type results in lengthy policy look up times when there is a cache miss. However, removing attributes can also result in loss of information used in external tests. On Android, we're considering stripping neverallow rules from on-device policy. This is consistent with the kernel policy binary which also did not contain neverallows. Removing neverallow rules results in a 5-10% decrease in on-device policy build and load and a policy size decrease of ~250k. Neverallow rules are still asserted at build time and during device certification (CTS). If neverallow rules are absent when secilc is run, some attributes are being stripped from policy and neverallow tests in CTS may be violated. [3] This change retains the aggressive attribute stripping behavior but adds an override mechanism to preserve attributes marked as necessary. [1] https://github.com/SELinuxProject/cil/issues/9 [2] Annotating all HAL client attributes for expansion resulted in system_server's dropping from 19 attributes to 8. Because these attributes were not widely applied to other types, the final policy size change was negligible. [3] data_file_type and service_manager_type are stripped from AOSP policy when using secilc's -G option. This impacts 11 neverallow tests in CTS. Test: Build and boot Marlin with all hal_*_client attributes marked for expansion. Verify (using seinfo and sesearch) that permissions are correctly expanded from attributes to types. Test: Mark types being stripped by secilc with "preserve" and verify that they are retained in policy and applied to the same types. Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
2017-05-04 23:36:49 +02:00
expandattribute_def : EXPANDATTRIBUTE names bool_val ';'
{ if (expand_attrib()) return -1;}
;
initial import from svn trunk revision 2950
2008-08-19 21:30:36 +02:00
type_def : TYPE identifier alias_def opt_attr_list ';'
{if (define_type(1)) return -1;}
| TYPE identifier opt_attr_list ';'
{if (define_type(0)) return -1;}
;
typealias_def : TYPEALIAS identifier alias_def ';'
{if (define_typealias()) return -1;}
;
typeattribute_def : TYPEATTRIBUTE identifier id_comma_list ';'
{if (define_typeattribute()) return -1;}
;
Author: KaiGai Kohei Email: kaigai@ak.jp.nec.com Subject: Thread/Child-Domain Assignment (rev.2) Date: Tue, 05 Aug 2008 14:55:52 +0900 [2/3] thread-context-checkpolicy.2.patch It enables to support TYPEBOUNDS statement and to expand existing hierarchies implicitly. Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com> -- module_compiler.c | 86 +++++++++++++++++++++++++++++++++++++++++++++++++ policy_define.c | 93 +++++++++++++++++++++++++++++++++++++++++++++++++++++- policy_define.h | 1 policy_parse.y | 5 ++ policy_scan.l | 2 + 5 files changed, 186 insertions(+), 1 deletion(-) Signed-off-by: Joshua Brindle <method@manicmethod.com>
2008-10-08 12:56:51 +02:00
typebounds_def : TYPEBOUNDS identifier id_comma_list ';'
{if (define_typebounds()) return -1;}
;
initial import from svn trunk revision 2950
2008-08-19 21:30:36 +02:00
opt_attr_list : ',' id_comma_list
|
;
bool_def : BOOL identifier bool_val ';'
checkpolicy: Separate tunable from boolean during compile. Both boolean and tunable keywords are processed by define_bool_tunable(), argument 0 and 1 would be passed for boolean and tunable respectively. For tunable, a TUNABLE flag would be set in cond_bool_datum_t.flags. Note, when creating an if-else conditional we can not know if the tunable identifier is indeed a tunable(for example, a boolean may be misused in tunable_policy() or vice versa), thus the TUNABLE flag for cond_node_t would be calculated and used in expansion when all booleans/tunables copied during link. Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-09-01 05:29:41 +02:00
{ if (define_bool_tunable(0)) return -1; }
initial import from svn trunk revision 2950
2008-08-19 21:30:36 +02:00
;
checkpolicy: Separate tunable from boolean during compile. Both boolean and tunable keywords are processed by define_bool_tunable(), argument 0 and 1 would be passed for boolean and tunable respectively. For tunable, a TUNABLE flag would be set in cond_bool_datum_t.flags. Note, when creating an if-else conditional we can not know if the tunable identifier is indeed a tunable(for example, a boolean may be misused in tunable_policy() or vice versa), thus the TUNABLE flag for cond_node_t would be calculated and used in expansion when all booleans/tunables copied during link. Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-09-01 05:29:41 +02:00
tunable_def : TUNABLE identifier bool_val ';'
{ if (define_bool_tunable(1)) return -1; }
;
initial import from svn trunk revision 2950
2008-08-19 21:30:36 +02:00
bool_val : CTRUE
{ if (insert_id("T",0)) return -1; }
| CFALSE
{ if (insert_id("F",0)) return -1; }
;
cond_stmt_def : IF cond_expr '{' cond_pol_list '}' cond_else
{ if (pass == 2) { if (define_conditional((cond_expr_t*)$2, (avrule_t*)$4, (avrule_t*)$6) < 0) return -1; }}
;
cond_else : ELSE '{' cond_pol_list '}'
{ $$ = $3; }
| /* empty */
{ $$ = NULL; }
Add missing semicolon to parser rule "cond_else" Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-09-18 15:47:45 +02:00
;
initial import from svn trunk revision 2950
2008-08-19 21:30:36 +02:00
cond_expr : '(' cond_expr ')'
{ $$ = $2;}
| NOT cond_expr
{ $$ = define_cond_expr(COND_NOT, $2, 0);
if ($$ == 0) return -1; }
| cond_expr AND cond_expr
{ $$ = define_cond_expr(COND_AND, $1, $3);
if ($$ == 0) return -1; }
| cond_expr OR cond_expr
{ $$ = define_cond_expr(COND_OR, $1, $3);
if ($$ == 0) return -1; }
| cond_expr XOR cond_expr
{ $$ = define_cond_expr(COND_XOR, $1, $3);
if ($$ == 0) return -1; }
| cond_expr EQUALS cond_expr
{ $$ = define_cond_expr(COND_EQ, $1, $3);
if ($$ == 0) return -1; }
| cond_expr NOTEQUAL cond_expr
{ $$ = define_cond_expr(COND_NEQ, $1, $3);
if ($$ == 0) return -1; }
| cond_expr_prim
{ $$ = $1; }
;
cond_expr_prim : identifier
{ $$ = define_cond_expr(COND_BOOL,0, 0);
if ($$ == COND_ERR) return -1; }
;
cond_pol_list : cond_pol_list cond_rule_def
{ $$ = define_cond_pol_list((avrule_t *)$1, (avrule_t *)$2); }
| /* empty */
{ $$ = NULL; }
;
cond_rule_def : cond_transition_def
{ $$ = $1; }
| cond_te_avtab_def
{ $$ = $1; }
| require_block
{ $$ = NULL; }
;
checkpolicy: wrap file names in filename trans with quotes This wraps the filename token in quotes to make parsing easier and more clear. The quotes are stripped off before being passed to checkpolicy. The quote wrapping is only used by filename transitions. This changes the filename transition syntax to the following: type_transition source target : object default_type "filename"; Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2011-05-16 14:40:00 +02:00
cond_transition_def : TYPE_TRANSITION names names ':' names identifier filename ';'
checkpolicy: add support for using last path component in type transition rules This patch adds support for using the last path component as part of the information in making labeling decisions for new objects. A example rule looks like so: type_transition unconfined_t etc_t:file system_conf_t eric; This rule says if unconfined_t creates a file in a directory labeled etc_t and the last path component is "eric" (no globbing, no matching magic, just exact strcmp) it should be labeled system_conf_t. The kernel and policy representation does not have support for such rules in conditionals, and thus policy explicitly notes that fact if such a rule is added to a conditional. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2011-03-28 20:00:19 +02:00
{ $$ = define_cond_filename_trans() ;
if ($$ == COND_ERR) return -1;}
| TYPE_TRANSITION names names ':' names identifier ';'
initial import from svn trunk revision 2950
2008-08-19 21:30:36 +02:00
{ $$ = define_cond_compute_type(AVRULE_TRANSITION) ;
if ($$ == COND_ERR) return -1;}
| TYPE_MEMBER names names ':' names identifier ';'
{ $$ = define_cond_compute_type(AVRULE_MEMBER) ;
if ($$ == COND_ERR) return -1;}
| TYPE_CHANGE names names ':' names identifier ';'
{ $$ = define_cond_compute_type(AVRULE_CHANGE) ;
if ($$ == COND_ERR) return -1;}
;
cond_te_avtab_def : cond_allow_def
{ $$ = $1; }
| cond_auditallow_def
{ $$ = $1; }
| cond_auditdeny_def
{ $$ = $1; }
| cond_dontaudit_def
{ $$ = $1; }
;
cond_allow_def : ALLOW names names ':' names names ';'
{ $$ = define_cond_te_avtab(AVRULE_ALLOWED) ;
if ($$ == COND_ERR) return -1; }
;
cond_auditallow_def : AUDITALLOW names names ':' names names ';'
{ $$ = define_cond_te_avtab(AVRULE_AUDITALLOW) ;
if ($$ == COND_ERR) return -1; }
;
cond_auditdeny_def : AUDITDENY names names ':' names names ';'
{ $$ = define_cond_te_avtab(AVRULE_AUDITDENY) ;
if ($$ == COND_ERR) return -1; }
;
cond_dontaudit_def : DONTAUDIT names names ':' names names ';'
{ $$ = define_cond_te_avtab(AVRULE_DONTAUDIT);
if ($$ == COND_ERR) return -1; }
;
Revert "checkpolicy: Redo filename/filesystem syntax to support filename trans rules" This reverts commit d72a9ec825ef2a8723510f62292cf2adfd4a2a6c. It should never have been added. It breaks the correct wrapping of filenames in "
2011-11-02 18:03:59 +01:00
;
checkpolicy: wrap file names in filename trans with quotes This wraps the filename token in quotes to make parsing easier and more clear. The quotes are stripped off before being passed to checkpolicy. The quote wrapping is only used by filename transitions. This changes the filename transition syntax to the following: type_transition source target : object default_type "filename"; Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2011-05-16 14:40:00 +02:00
transition_def : TYPE_TRANSITION names names ':' names identifier filename ';'
Revert "checkpolicy: use a better identifier for filenames" This reverts commit d4c230386653db49d8e8116b603efcce4423df70. Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2011-05-16 14:38:37 +02:00
{if (define_filename_trans()) return -1; }
| TYPE_TRANSITION names names ':' names identifier ';'
initial import from svn trunk revision 2950
2008-08-19 21:30:36 +02:00
{if (define_compute_type(AVRULE_TRANSITION)) return -1;}
| TYPE_MEMBER names names ':' names identifier ';'
{if (define_compute_type(AVRULE_MEMBER)) return -1;}
| TYPE_CHANGE names names ':' names identifier ';'
{if (define_compute_type(AVRULE_CHANGE)) return -1;}
;
range_trans_def : RANGE_TRANSITION names names mls_range_def ';'
{ if (define_range_trans(0)) return -1; }
| RANGE_TRANSITION names names ':' names mls_range_def ';'
{ if (define_range_trans(1)) return -1; }
;
te_avtab_def : allow_def
| auditallow_def
| auditdeny_def
| dontaudit_def
| neverallow_def
checkpolicy: switch operations to extended perms The ioctl operations code is being renamed to the more generic "extended permissions." This commit brings the policy compiler up to date with the kernel patch. Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
2015-06-12 18:01:12 +02:00
| xperm_allow_def
| xperm_auditallow_def
| xperm_dontaudit_def
Add neverallow support for ioctl extended permissions Neverallow rules for ioctl extended permissions will pass in two cases: 1. If extended permissions exist for the source-target-class set the test will pass if the neverallow values are excluded. 2. If extended permissions do not exist for the source-target-class set the test will pass if the ioctl permission is not granted. Signed-off-by: Jeff Vander Stoep <jeffv@google.com> Acked-by: Nick Kralevich <nnk@google.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-09-18 21:57:56 +02:00
| xperm_neverallow_def
initial import from svn trunk revision 2950
2008-08-19 21:30:36 +02:00
;
allow_def : ALLOW names names ':' names names ';'
{if (define_te_avtab(AVRULE_ALLOWED)) return -1; }
;
auditallow_def : AUDITALLOW names names ':' names names ';'
{if (define_te_avtab(AVRULE_AUDITALLOW)) return -1; }
;
auditdeny_def : AUDITDENY names names ':' names names ';'
{if (define_te_avtab(AVRULE_AUDITDENY)) return -1; }
;
dontaudit_def : DONTAUDIT names names ':' names names ';'
{if (define_te_avtab(AVRULE_DONTAUDIT)) return -1; }
;
neverallow_def : NEVERALLOW names names ':' names names ';'
{if (define_te_avtab(AVRULE_NEVERALLOW)) return -1; }
;
checkpolicy: switch operations to extended perms The ioctl operations code is being renamed to the more generic "extended permissions." This commit brings the policy compiler up to date with the kernel patch. Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
2015-06-12 18:01:12 +02:00
xperm_allow_def : ALLOWXPERM names names ':' names identifier xperms ';'
{if (define_te_avtab_extended_perms(AVRULE_XPERMS_ALLOWED)) return -1; }
Add support for ioctl command whitelisting Adds support for new policy statements whitelisting individual ioctl commands. Ioctls provide many of the operations necessary for driver control. The typical driver supports a device specific set of operations accessible by the ioctl system call and specified by the command argument. SELinux provides per operation access control to many system operations e.g. chown, kill, setuid, ipc_lock, etc. Ioclts on the other hand are granted on a per file descriptor basis using the ioctl permission, meaning that the set of operations provided by the driver are granted on an all-or-nothing basis. In some cases this may be acceptable, but often the same driver provides a large and diverse set of operations such as benign and necessary functionality as well as dangerous capabilities or access to system information that should be restricted. Example policy: allow <source> <target>:<class> { 0x8900-0x8905 0x8910 } auditallow <source> <target>:<class> 0x8901 The ioctl permission is still required in order to make an ioctl call. If no individual ioctl commands are specified, only the ioctl permission is checked by the kernel - i.e. status quo. This allows ioctl whitelisting to done in a targeted manner, protecting desired drivers without requiring every ioctl command to be known and specified before use and otherwise allowing existing policy to be used as-is. This only implements ioctl whitelisting support for monolithic kernel policies built via checkpolicy. Support for modules and CIL remains to be done. Bug: 19419509 Change-Id: I198e8c9279b94d8ce4ae5625018daa99577ee970 Signed-off-by: Jeff Vander Stoep <jeffv@google.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-04-22 22:53:25 +02:00
;
checkpolicy: switch operations to extended perms The ioctl operations code is being renamed to the more generic "extended permissions." This commit brings the policy compiler up to date with the kernel patch. Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
2015-06-12 18:01:12 +02:00
xperm_auditallow_def : AUDITALLOWXPERM names names ':' names identifier xperms ';'
{if (define_te_avtab_extended_perms(AVRULE_XPERMS_AUDITALLOW)) return -1; }
Add support for ioctl command whitelisting Adds support for new policy statements whitelisting individual ioctl commands. Ioctls provide many of the operations necessary for driver control. The typical driver supports a device specific set of operations accessible by the ioctl system call and specified by the command argument. SELinux provides per operation access control to many system operations e.g. chown, kill, setuid, ipc_lock, etc. Ioclts on the other hand are granted on a per file descriptor basis using the ioctl permission, meaning that the set of operations provided by the driver are granted on an all-or-nothing basis. In some cases this may be acceptable, but often the same driver provides a large and diverse set of operations such as benign and necessary functionality as well as dangerous capabilities or access to system information that should be restricted. Example policy: allow <source> <target>:<class> { 0x8900-0x8905 0x8910 } auditallow <source> <target>:<class> 0x8901 The ioctl permission is still required in order to make an ioctl call. If no individual ioctl commands are specified, only the ioctl permission is checked by the kernel - i.e. status quo. This allows ioctl whitelisting to done in a targeted manner, protecting desired drivers without requiring every ioctl command to be known and specified before use and otherwise allowing existing policy to be used as-is. This only implements ioctl whitelisting support for monolithic kernel policies built via checkpolicy. Support for modules and CIL remains to be done. Bug: 19419509 Change-Id: I198e8c9279b94d8ce4ae5625018daa99577ee970 Signed-off-by: Jeff Vander Stoep <jeffv@google.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-04-22 22:53:25 +02:00
;
checkpolicy: switch operations to extended perms The ioctl operations code is being renamed to the more generic "extended permissions." This commit brings the policy compiler up to date with the kernel patch. Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
2015-06-12 18:01:12 +02:00
xperm_dontaudit_def : DONTAUDITXPERM names names ':' names identifier xperms ';'
{if (define_te_avtab_extended_perms(AVRULE_XPERMS_DONTAUDIT)) return -1; }
Add support for ioctl command whitelisting Adds support for new policy statements whitelisting individual ioctl commands. Ioctls provide many of the operations necessary for driver control. The typical driver supports a device specific set of operations accessible by the ioctl system call and specified by the command argument. SELinux provides per operation access control to many system operations e.g. chown, kill, setuid, ipc_lock, etc. Ioclts on the other hand are granted on a per file descriptor basis using the ioctl permission, meaning that the set of operations provided by the driver are granted on an all-or-nothing basis. In some cases this may be acceptable, but often the same driver provides a large and diverse set of operations such as benign and necessary functionality as well as dangerous capabilities or access to system information that should be restricted. Example policy: allow <source> <target>:<class> { 0x8900-0x8905 0x8910 } auditallow <source> <target>:<class> 0x8901 The ioctl permission is still required in order to make an ioctl call. If no individual ioctl commands are specified, only the ioctl permission is checked by the kernel - i.e. status quo. This allows ioctl whitelisting to done in a targeted manner, protecting desired drivers without requiring every ioctl command to be known and specified before use and otherwise allowing existing policy to be used as-is. This only implements ioctl whitelisting support for monolithic kernel policies built via checkpolicy. Support for modules and CIL remains to be done. Bug: 19419509 Change-Id: I198e8c9279b94d8ce4ae5625018daa99577ee970 Signed-off-by: Jeff Vander Stoep <jeffv@google.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-04-22 22:53:25 +02:00
;
Add neverallow support for ioctl extended permissions Neverallow rules for ioctl extended permissions will pass in two cases: 1. If extended permissions exist for the source-target-class set the test will pass if the neverallow values are excluded. 2. If extended permissions do not exist for the source-target-class set the test will pass if the ioctl permission is not granted. Signed-off-by: Jeff Vander Stoep <jeffv@google.com> Acked-by: Nick Kralevich <nnk@google.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-09-18 21:57:56 +02:00
xperm_neverallow_def : NEVERALLOWXPERM names names ':' names identifier xperms ';'
{if (define_te_avtab_extended_perms(AVRULE_XPERMS_NEVERALLOW)) return -1; }
;
Add role attribute support when compiling modules. 1. Add a uint32_t "flavor" field and an ebitmap "roles" to the role_datum_t structure; 2. Add a new "attribute_role" statement and its handler to declare a role attribute; 3. Modify declare_role() to setup role_datum_t.flavor according to the isattr argument; 4. Add a new "roleattribute" rule and its handler, which will record the regular role's (policy value - 1) into the role attribute's role_datum_t.roles ebitmap; 5. Modify the syntax for the role-types rule only to define the role-type associations; 6. Add a new role-attr rule to support the declaration of a single role, and optionally the role attribute that the role belongs to; 7. Check if the new_role used in role-transition rule is a regular role; 8. Support to require a role attribute; 9. Modify symtab_insert() to allow multiple declarations only for the regular role, while a role attribute can't be declared more than once and can't share a same name with another regular role. Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2011-07-25 03:23:54 +02:00
attribute_role_def : ATTRIBUTE_ROLE identifier ';'
{if (define_attrib_role()) return -1; }
checkpolicy: add missing ; to attribute_role_def The commit to add role attributes forgot a ; in policy_parse.y for attribute_role_def. Add the missing ; Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-09 16:28:38 +02:00
;
initial import from svn trunk revision 2950
2008-08-19 21:30:36 +02:00
role_type_def : ROLE identifier TYPES names ';'
{if (define_role_types()) return -1;}
Add role attribute support when compiling modules. 1. Add a uint32_t "flavor" field and an ebitmap "roles" to the role_datum_t structure; 2. Add a new "attribute_role" statement and its handler to declare a role attribute; 3. Modify declare_role() to setup role_datum_t.flavor according to the isattr argument; 4. Add a new "roleattribute" rule and its handler, which will record the regular role's (policy value - 1) into the role attribute's role_datum_t.roles ebitmap; 5. Modify the syntax for the role-types rule only to define the role-type associations; 6. Add a new role-attr rule to support the declaration of a single role, and optionally the role attribute that the role belongs to; 7. Check if the new_role used in role-transition rule is a regular role; 8. Support to require a role attribute; 9. Modify symtab_insert() to allow multiple declarations only for the regular role, while a role attribute can't be declared more than once and can't share a same name with another regular role. Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2011-07-25 03:23:54 +02:00
;
role_attr_def : ROLE identifier opt_attr_list ';'
{if (define_role_attr()) return -1;}
initial import from svn trunk revision 2950
2008-08-19 21:30:36 +02:00
;
role_dominance : DOMINANCE '{' roles '}'
;
role_trans_def : ROLE_TRANSITION names names identifier ';'
Userspace: role_transition parser to handle class field Handle the class field in the role_transition rule. If no class is specified, then it would be set to the "process" class by default. Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2011-03-25 06:51:59 +01:00
{if (define_role_trans(0)) return -1; }
| ROLE_TRANSITION names names ':' names identifier ';'
{if (define_role_trans(1)) return -1;}
initial import from svn trunk revision 2950
2008-08-19 21:30:36 +02:00
;
role_allow_def : ALLOW names names ';'
{if (define_role_allow()) return -1; }
;
roles : role_def
{ $$ = $1; }
| roles role_def
{ $$ = merge_roles_dom((role_datum_t*)$1, (role_datum_t*)$2); if ($$ == 0) return -1;}
;
role_def : ROLE identifier_push ';'
{$$ = define_role_dom(NULL); if ($$ == 0) return -1;}
| ROLE identifier_push '{' roles '}'
{$$ = define_role_dom((role_datum_t*)$4); if ($$ == 0) return -1;}
;
Add role attribute support when compiling modules. 1. Add a uint32_t "flavor" field and an ebitmap "roles" to the role_datum_t structure; 2. Add a new "attribute_role" statement and its handler to declare a role attribute; 3. Modify declare_role() to setup role_datum_t.flavor according to the isattr argument; 4. Add a new "roleattribute" rule and its handler, which will record the regular role's (policy value - 1) into the role attribute's role_datum_t.roles ebitmap; 5. Modify the syntax for the role-types rule only to define the role-type associations; 6. Add a new role-attr rule to support the declaration of a single role, and optionally the role attribute that the role belongs to; 7. Check if the new_role used in role-transition rule is a regular role; 8. Support to require a role attribute; 9. Modify symtab_insert() to allow multiple declarations only for the regular role, while a role attribute can't be declared more than once and can't share a same name with another regular role. Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2011-07-25 03:23:54 +02:00
roleattribute_def : ROLEATTRIBUTE identifier id_comma_list ';'
{if (define_roleattribute()) return -1;}
;
initial import from svn trunk revision 2950
2008-08-19 21:30:36 +02:00
opt_constraints : constraints
|
;
constraints : constraint_decl
| constraints constraint_decl
;
constraint_decl : constraint_def
| validatetrans_def
;
constraint_def : CONSTRAIN names names cexpr ';'
{ if (define_constraint((constraint_expr_t*)$4)) return -1; }
;
validatetrans_def : VALIDATETRANS names cexpr ';'
{ if (define_validatetrans((constraint_expr_t*)$3)) return -1; }
;
cexpr : '(' cexpr ')'
{ $$ = $2; }
| NOT cexpr
{ $$ = define_cexpr(CEXPR_NOT, $2, 0);
if ($$ == 0) return -1; }
| cexpr AND cexpr
{ $$ = define_cexpr(CEXPR_AND, $1, $3);
if ($$ == 0) return -1; }
| cexpr OR cexpr
{ $$ = define_cexpr(CEXPR_OR, $1, $3);
if ($$ == 0) return -1; }
| cexpr_prim
{ $$ = $1; }
;
cexpr_prim : U1 op U2
{ $$ = define_cexpr(CEXPR_ATTR, CEXPR_USER, $2);
if ($$ == 0) return -1; }
| R1 role_mls_op R2
{ $$ = define_cexpr(CEXPR_ATTR, CEXPR_ROLE, $2);
if ($$ == 0) return -1; }
| T1 op T2
{ $$ = define_cexpr(CEXPR_ATTR, CEXPR_TYPE, $2);
if ($$ == 0) return -1; }
| U1 op { if (insert_separator(1)) return -1; } names_push
{ $$ = define_cexpr(CEXPR_NAMES, CEXPR_USER, $2);
if ($$ == 0) return -1; }
| U2 op { if (insert_separator(1)) return -1; } names_push
{ $$ = define_cexpr(CEXPR_NAMES, (CEXPR_USER | CEXPR_TARGET), $2);
if ($$ == 0) return -1; }
| U3 op { if (insert_separator(1)) return -1; } names_push
{ $$ = define_cexpr(CEXPR_NAMES, (CEXPR_USER | CEXPR_XTARGET), $2);
if ($$ == 0) return -1; }
| R1 op { if (insert_separator(1)) return -1; } names_push
{ $$ = define_cexpr(CEXPR_NAMES, CEXPR_ROLE, $2);
if ($$ == 0) return -1; }
| R2 op { if (insert_separator(1)) return -1; } names_push
{ $$ = define_cexpr(CEXPR_NAMES, (CEXPR_ROLE | CEXPR_TARGET), $2);
if ($$ == 0) return -1; }
| R3 op { if (insert_separator(1)) return -1; } names_push
{ $$ = define_cexpr(CEXPR_NAMES, (CEXPR_ROLE | CEXPR_XTARGET), $2);
if ($$ == 0) return -1; }
| T1 op { if (insert_separator(1)) return -1; } names_push
{ $$ = define_cexpr(CEXPR_NAMES, CEXPR_TYPE, $2);
if ($$ == 0) return -1; }
| T2 op { if (insert_separator(1)) return -1; } names_push
{ $$ = define_cexpr(CEXPR_NAMES, (CEXPR_TYPE | CEXPR_TARGET), $2);
if ($$ == 0) return -1; }
| T3 op { if (insert_separator(1)) return -1; } names_push
{ $$ = define_cexpr(CEXPR_NAMES, (CEXPR_TYPE | CEXPR_XTARGET), $2);
if ($$ == 0) return -1; }
| SAMEUSER
{ $$ = define_cexpr(CEXPR_ATTR, CEXPR_USER, CEXPR_EQ);
if ($$ == 0) return -1; }
| SOURCE ROLE { if (insert_separator(1)) return -1; } names_push
{ $$ = define_cexpr(CEXPR_NAMES, CEXPR_ROLE, CEXPR_EQ);
if ($$ == 0) return -1; }
| TARGET ROLE { if (insert_separator(1)) return -1; } names_push
{ $$ = define_cexpr(CEXPR_NAMES, (CEXPR_ROLE | CEXPR_TARGET), CEXPR_EQ);
if ($$ == 0) return -1; }
| ROLE role_mls_op
{ $$ = define_cexpr(CEXPR_ATTR, CEXPR_ROLE, $2);
if ($$ == 0) return -1; }
| SOURCE TYPE { if (insert_separator(1)) return -1; } names_push
{ $$ = define_cexpr(CEXPR_NAMES, CEXPR_TYPE, CEXPR_EQ);
if ($$ == 0) return -1; }
| TARGET TYPE { if (insert_separator(1)) return -1; } names_push
{ $$ = define_cexpr(CEXPR_NAMES, (CEXPR_TYPE | CEXPR_TARGET), CEXPR_EQ);
if ($$ == 0) return -1; }
| L1 role_mls_op L2
{ $$ = define_cexpr(CEXPR_ATTR, CEXPR_L1L2, $2);
if ($$ == 0) return -1; }
| L1 role_mls_op H2
{ $$ = define_cexpr(CEXPR_ATTR, CEXPR_L1H2, $2);
if ($$ == 0) return -1; }
| H1 role_mls_op L2
{ $$ = define_cexpr(CEXPR_ATTR, CEXPR_H1L2, $2);
if ($$ == 0) return -1; }
| H1 role_mls_op H2
{ $$ = define_cexpr(CEXPR_ATTR, CEXPR_H1H2, $2);
if ($$ == 0) return -1; }
| L1 role_mls_op H1
{ $$ = define_cexpr(CEXPR_ATTR, CEXPR_L1H1, $2);
if ($$ == 0) return -1; }
| L2 role_mls_op H2
{ $$ = define_cexpr(CEXPR_ATTR, CEXPR_L2H2, $2);
if ($$ == 0) return -1; }
;
op : EQUALS
{ $$ = CEXPR_EQ; }
| NOTEQUAL
{ $$ = CEXPR_NEQ; }
;
role_mls_op : op
{ $$ = $1; }
| DOM
{ $$ = CEXPR_DOM; }
| DOMBY
{ $$ = CEXPR_DOMBY; }
| INCOMP
{ $$ = CEXPR_INCOMP; }
;
users : user_def
| users user_def
;
user_def : USER identifier ROLES names opt_mls_user ';'
{if (define_user()) return -1;}
;
opt_mls_user : LEVEL mls_level_def RANGE mls_range_def
|
;
initial_sid_contexts : initial_sid_context_def
| initial_sid_contexts initial_sid_context_def
;
initial_sid_context_def : SID identifier security_context_def
{if (define_initial_sid_context()) return -1;}
;
checkpolicy: Add support for multiple target OSes Updated patch of checkpolicy based on input. On Tue, 2009-09-15 at 12:37 -0400, pjnuzzi wrote: > Add support for multiple target OSes by adding the -t target option to > checkpolicy. Implemented the new Xen ocontext identifiers pirqcon, > pcidevicecon, iomemcon and ioportcon. > > Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil> > > --- checkpolicy/checkpolicy.c | 20 ++- checkpolicy/policy_define.c | 272 ++++++++++++++++++++++++++++++++++++++++++++ checkpolicy/policy_define.h | 4 checkpolicy/policy_parse.y | 29 ++++ checkpolicy/policy_scan.l | 10 + 5 files changed, 330 insertions(+), 5 deletions(-) Signed-off-by: Joshua Brindle <method@manicmethod.com>
2009-09-29 16:06:26 +02:00
opt_dev_contexts : dev_contexts |
;
dev_contexts : dev_context_def
| dev_contexts dev_context_def
;
dev_context_def : pirq_context_def |
iomem_context_def |
ioport_context_def |
libsepol, checkpolicy: add device tree ocontext nodes to Xen policy In Xen on ARM, device tree nodes identified by a path (string) need to be labeled by the security policy. Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
2015-03-17 21:43:24 +01:00
pci_context_def |
dtree_context_def
checkpolicy: Add support for multiple target OSes Updated patch of checkpolicy based on input. On Tue, 2009-09-15 at 12:37 -0400, pjnuzzi wrote: > Add support for multiple target OSes by adding the -t target option to > checkpolicy. Implemented the new Xen ocontext identifiers pirqcon, > pcidevicecon, iomemcon and ioportcon. > > Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil> > > --- checkpolicy/checkpolicy.c | 20 ++- checkpolicy/policy_define.c | 272 ++++++++++++++++++++++++++++++++++++++++++++ checkpolicy/policy_define.h | 4 checkpolicy/policy_parse.y | 29 ++++ checkpolicy/policy_scan.l | 10 + 5 files changed, 330 insertions(+), 5 deletions(-) Signed-off-by: Joshua Brindle <method@manicmethod.com>
2009-09-29 16:06:26 +02:00
;
pirq_context_def : PIRQCON number security_context_def
{if (define_pirq_context($2)) return -1;}
;
libsepol, checkpolicy: widen Xen IOMEM ocontext entries This expands IOMEMCON device context entries to 64 bits. This change is required to support static I/O memory range labeling for systems with over 16TB of physical address space. The policy version number change is shared with the next patch. While this makes no changes to SELinux policy, a new SELinux policy compatibility entry was added in order to avoid breaking compilation of an SELinux policy without explicitly specifying the policy version. Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
2015-03-17 21:43:23 +01:00
iomem_context_def : IOMEMCON number64 security_context_def
checkpolicy: Add support for multiple target OSes Updated patch of checkpolicy based on input. On Tue, 2009-09-15 at 12:37 -0400, pjnuzzi wrote: > Add support for multiple target OSes by adding the -t target option to > checkpolicy. Implemented the new Xen ocontext identifiers pirqcon, > pcidevicecon, iomemcon and ioportcon. > > Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil> > > --- checkpolicy/checkpolicy.c | 20 ++- checkpolicy/policy_define.c | 272 ++++++++++++++++++++++++++++++++++++++++++++ checkpolicy/policy_define.h | 4 checkpolicy/policy_parse.y | 29 ++++ checkpolicy/policy_scan.l | 10 + 5 files changed, 330 insertions(+), 5 deletions(-) Signed-off-by: Joshua Brindle <method@manicmethod.com>
2009-09-29 16:06:26 +02:00
{if (define_iomem_context($2,$2)) return -1;}
libsepol, checkpolicy: widen Xen IOMEM ocontext entries This expands IOMEMCON device context entries to 64 bits. This change is required to support static I/O memory range labeling for systems with over 16TB of physical address space. The policy version number change is shared with the next patch. While this makes no changes to SELinux policy, a new SELinux policy compatibility entry was added in order to avoid breaking compilation of an SELinux policy without explicitly specifying the policy version. Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
2015-03-17 21:43:23 +01:00
| IOMEMCON number64 '-' number64 security_context_def
checkpolicy: Add support for multiple target OSes Updated patch of checkpolicy based on input. On Tue, 2009-09-15 at 12:37 -0400, pjnuzzi wrote: > Add support for multiple target OSes by adding the -t target option to > checkpolicy. Implemented the new Xen ocontext identifiers pirqcon, > pcidevicecon, iomemcon and ioportcon. > > Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil> > > --- checkpolicy/checkpolicy.c | 20 ++- checkpolicy/policy_define.c | 272 ++++++++++++++++++++++++++++++++++++++++++++ checkpolicy/policy_define.h | 4 checkpolicy/policy_parse.y | 29 ++++ checkpolicy/policy_scan.l | 10 + 5 files changed, 330 insertions(+), 5 deletions(-) Signed-off-by: Joshua Brindle <method@manicmethod.com>
2009-09-29 16:06:26 +02:00
{if (define_iomem_context($2,$4)) return -1;}
;
ioport_context_def : IOPORTCON number security_context_def
{if (define_ioport_context($2,$2)) return -1;}
| IOPORTCON number '-' number security_context_def
{if (define_ioport_context($2,$4)) return -1;}
;
pci_context_def : PCIDEVICECON number security_context_def
{if (define_pcidevice_context($2)) return -1;}
;
libsepol, checkpolicy: add device tree ocontext nodes to Xen policy In Xen on ARM, device tree nodes identified by a path (string) need to be labeled by the security policy. Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
2015-03-17 21:43:24 +01:00
dtree_context_def : DEVICETREECON path security_context_def
{if (define_devicetree_context()) return -1;}
;
initial import from svn trunk revision 2950
2008-08-19 21:30:36 +02:00
opt_fs_contexts : fs_contexts
|
;
fs_contexts : fs_context_def
| fs_contexts fs_context_def
;
fs_context_def : FSCON number number security_context_def security_context_def
{if (define_fs_context($2,$3)) return -1;}
;
net_contexts : opt_port_contexts opt_netif_contexts opt_node_contexts
;
opt_port_contexts : port_contexts
|
;
port_contexts : port_context_def
| port_contexts port_context_def
;
port_context_def : PORTCON identifier number security_context_def
{if (define_port_context($3,$3)) return -1;}
| PORTCON identifier number '-' number security_context_def
{if (define_port_context($3,$5)) return -1;}
;
opt_netif_contexts : netif_contexts
|
;
netif_contexts : netif_context_def
| netif_contexts netif_context_def
;
netif_context_def : NETIFCON identifier security_context_def security_context_def
{if (define_netif_context()) return -1;}
;
opt_node_contexts : node_contexts
|
;
node_contexts : node_context_def
| node_contexts node_context_def
;
node_context_def : NODECON ipv4_addr_def ipv4_addr_def security_context_def
{if (define_ipv4_node_context()) return -1;}
| NODECON ipv6_addr ipv6_addr security_context_def
{if (define_ipv6_node_context()) return -1;}
;
opt_fs_uses : fs_uses
|
;
fs_uses : fs_use_def
| fs_uses fs_use_def
;
Revert "checkpolicy: Redo filename/filesystem syntax to support filename trans rules" This reverts commit d72a9ec825ef2a8723510f62292cf2adfd4a2a6c. It should never have been added. It breaks the correct wrapping of filenames in "
2011-11-02 18:03:59 +01:00
fs_use_def : FSUSEXATTR filesystem security_context_def ';'
initial import from svn trunk revision 2950
2008-08-19 21:30:36 +02:00
{if (define_fs_use(SECURITY_FS_USE_XATTR)) return -1;}
| FSUSETASK identifier security_context_def ';'
{if (define_fs_use(SECURITY_FS_USE_TASK)) return -1;}
| FSUSETRANS identifier security_context_def ';'
{if (define_fs_use(SECURITY_FS_USE_TRANS)) return -1;}
;
opt_genfs_contexts : genfs_contexts
|
;
genfs_contexts : genfs_context_def
| genfs_contexts genfs_context_def
;
Revert "checkpolicy: Redo filename/filesystem syntax to support filename trans rules" This reverts commit d72a9ec825ef2a8723510f62292cf2adfd4a2a6c. It should never have been added. It breaks the correct wrapping of filenames in "
2011-11-02 18:03:59 +01:00
genfs_context_def : GENFSCON filesystem path '-' identifier security_context_def
initial import from svn trunk revision 2950
2008-08-19 21:30:36 +02:00
{if (define_genfs_context(1)) return -1;}
Revert "checkpolicy: Redo filename/filesystem syntax to support filename trans rules" This reverts commit d72a9ec825ef2a8723510f62292cf2adfd4a2a6c. It should never have been added. It breaks the correct wrapping of filenames in "
2011-11-02 18:03:59 +01:00
| GENFSCON filesystem path '-' '-' {insert_id("-", 0);} security_context_def
initial import from svn trunk revision 2950
2008-08-19 21:30:36 +02:00
{if (define_genfs_context(1)) return -1;}
Revert "checkpolicy: Redo filename/filesystem syntax to support filename trans rules" This reverts commit d72a9ec825ef2a8723510f62292cf2adfd4a2a6c. It should never have been added. It breaks the correct wrapping of filenames in "
2011-11-02 18:03:59 +01:00
| GENFSCON filesystem path security_context_def
initial import from svn trunk revision 2950
2008-08-19 21:30:36 +02:00
{if (define_genfs_context(0)) return -1;}
;
ipv4_addr_def : IPV4_ADDR
{ if (insert_id(yytext,0)) return -1; }
;
checkpolicy: switch operations to extended perms The ioctl operations code is being renamed to the more generic "extended permissions." This commit brings the policy compiler up to date with the kernel patch. Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
2015-06-12 18:01:12 +02:00
xperms : xperm
Add support for ioctl command whitelisting Adds support for new policy statements whitelisting individual ioctl commands. Ioctls provide many of the operations necessary for driver control. The typical driver supports a device specific set of operations accessible by the ioctl system call and specified by the command argument. SELinux provides per operation access control to many system operations e.g. chown, kill, setuid, ipc_lock, etc. Ioclts on the other hand are granted on a per file descriptor basis using the ioctl permission, meaning that the set of operations provided by the driver are granted on an all-or-nothing basis. In some cases this may be acceptable, but often the same driver provides a large and diverse set of operations such as benign and necessary functionality as well as dangerous capabilities or access to system information that should be restricted. Example policy: allow <source> <target>:<class> { 0x8900-0x8905 0x8910 } auditallow <source> <target>:<class> 0x8901 The ioctl permission is still required in order to make an ioctl call. If no individual ioctl commands are specified, only the ioctl permission is checked by the kernel - i.e. status quo. This allows ioctl whitelisting to done in a targeted manner, protecting desired drivers without requiring every ioctl command to be known and specified before use and otherwise allowing existing policy to be used as-is. This only implements ioctl whitelisting support for monolithic kernel policies built via checkpolicy. Support for modules and CIL remains to be done. Bug: 19419509 Change-Id: I198e8c9279b94d8ce4ae5625018daa99577ee970 Signed-off-by: Jeff Vander Stoep <jeffv@google.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-04-22 22:53:25 +02:00
{ if (insert_separator(0)) return -1; }
checkpolicy: switch operations to extended perms The ioctl operations code is being renamed to the more generic "extended permissions." This commit brings the policy compiler up to date with the kernel patch. Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
2015-06-12 18:01:12 +02:00
| nested_xperm_set
Add support for ioctl command whitelisting Adds support for new policy statements whitelisting individual ioctl commands. Ioctls provide many of the operations necessary for driver control. The typical driver supports a device specific set of operations accessible by the ioctl system call and specified by the command argument. SELinux provides per operation access control to many system operations e.g. chown, kill, setuid, ipc_lock, etc. Ioclts on the other hand are granted on a per file descriptor basis using the ioctl permission, meaning that the set of operations provided by the driver are granted on an all-or-nothing basis. In some cases this may be acceptable, but often the same driver provides a large and diverse set of operations such as benign and necessary functionality as well as dangerous capabilities or access to system information that should be restricted. Example policy: allow <source> <target>:<class> { 0x8900-0x8905 0x8910 } auditallow <source> <target>:<class> 0x8901 The ioctl permission is still required in order to make an ioctl call. If no individual ioctl commands are specified, only the ioctl permission is checked by the kernel - i.e. status quo. This allows ioctl whitelisting to done in a targeted manner, protecting desired drivers without requiring every ioctl command to be known and specified before use and otherwise allowing existing policy to be used as-is. This only implements ioctl whitelisting support for monolithic kernel policies built via checkpolicy. Support for modules and CIL remains to be done. Bug: 19419509 Change-Id: I198e8c9279b94d8ce4ae5625018daa99577ee970 Signed-off-by: Jeff Vander Stoep <jeffv@google.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-04-22 22:53:25 +02:00
{ if (insert_separator(0)) return -1; }
checkpolicy: switch operations to extended perms The ioctl operations code is being renamed to the more generic "extended permissions." This commit brings the policy compiler up to date with the kernel patch. Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
2015-06-12 18:01:12 +02:00
| tilde xperm
Add support for ioctl command whitelisting Adds support for new policy statements whitelisting individual ioctl commands. Ioctls provide many of the operations necessary for driver control. The typical driver supports a device specific set of operations accessible by the ioctl system call and specified by the command argument. SELinux provides per operation access control to many system operations e.g. chown, kill, setuid, ipc_lock, etc. Ioclts on the other hand are granted on a per file descriptor basis using the ioctl permission, meaning that the set of operations provided by the driver are granted on an all-or-nothing basis. In some cases this may be acceptable, but often the same driver provides a large and diverse set of operations such as benign and necessary functionality as well as dangerous capabilities or access to system information that should be restricted. Example policy: allow <source> <target>:<class> { 0x8900-0x8905 0x8910 } auditallow <source> <target>:<class> 0x8901 The ioctl permission is still required in order to make an ioctl call. If no individual ioctl commands are specified, only the ioctl permission is checked by the kernel - i.e. status quo. This allows ioctl whitelisting to done in a targeted manner, protecting desired drivers without requiring every ioctl command to be known and specified before use and otherwise allowing existing policy to be used as-is. This only implements ioctl whitelisting support for monolithic kernel policies built via checkpolicy. Support for modules and CIL remains to be done. Bug: 19419509 Change-Id: I198e8c9279b94d8ce4ae5625018daa99577ee970 Signed-off-by: Jeff Vander Stoep <jeffv@google.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-04-22 22:53:25 +02:00
{ if (insert_id("~", 0)) return -1; }
checkpolicy: switch operations to extended perms The ioctl operations code is being renamed to the more generic "extended permissions." This commit brings the policy compiler up to date with the kernel patch. Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
2015-06-12 18:01:12 +02:00
| tilde nested_xperm_set
Add support for ioctl command whitelisting Adds support for new policy statements whitelisting individual ioctl commands. Ioctls provide many of the operations necessary for driver control. The typical driver supports a device specific set of operations accessible by the ioctl system call and specified by the command argument. SELinux provides per operation access control to many system operations e.g. chown, kill, setuid, ipc_lock, etc. Ioclts on the other hand are granted on a per file descriptor basis using the ioctl permission, meaning that the set of operations provided by the driver are granted on an all-or-nothing basis. In some cases this may be acceptable, but often the same driver provides a large and diverse set of operations such as benign and necessary functionality as well as dangerous capabilities or access to system information that should be restricted. Example policy: allow <source> <target>:<class> { 0x8900-0x8905 0x8910 } auditallow <source> <target>:<class> 0x8901 The ioctl permission is still required in order to make an ioctl call. If no individual ioctl commands are specified, only the ioctl permission is checked by the kernel - i.e. status quo. This allows ioctl whitelisting to done in a targeted manner, protecting desired drivers without requiring every ioctl command to be known and specified before use and otherwise allowing existing policy to be used as-is. This only implements ioctl whitelisting support for monolithic kernel policies built via checkpolicy. Support for modules and CIL remains to be done. Bug: 19419509 Change-Id: I198e8c9279b94d8ce4ae5625018daa99577ee970 Signed-off-by: Jeff Vander Stoep <jeffv@google.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-04-22 22:53:25 +02:00
{ if (insert_id("~", 0)) return -1;
if (insert_separator(0)) return -1; }
;
checkpolicy: switch operations to extended perms The ioctl operations code is being renamed to the more generic "extended permissions." This commit brings the policy compiler up to date with the kernel patch. Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
2015-06-12 18:01:12 +02:00
nested_xperm_set : '{' nested_xperm_list '}'
Add support for ioctl command whitelisting Adds support for new policy statements whitelisting individual ioctl commands. Ioctls provide many of the operations necessary for driver control. The typical driver supports a device specific set of operations accessible by the ioctl system call and specified by the command argument. SELinux provides per operation access control to many system operations e.g. chown, kill, setuid, ipc_lock, etc. Ioclts on the other hand are granted on a per file descriptor basis using the ioctl permission, meaning that the set of operations provided by the driver are granted on an all-or-nothing basis. In some cases this may be acceptable, but often the same driver provides a large and diverse set of operations such as benign and necessary functionality as well as dangerous capabilities or access to system information that should be restricted. Example policy: allow <source> <target>:<class> { 0x8900-0x8905 0x8910 } auditallow <source> <target>:<class> 0x8901 The ioctl permission is still required in order to make an ioctl call. If no individual ioctl commands are specified, only the ioctl permission is checked by the kernel - i.e. status quo. This allows ioctl whitelisting to done in a targeted manner, protecting desired drivers without requiring every ioctl command to be known and specified before use and otherwise allowing existing policy to be used as-is. This only implements ioctl whitelisting support for monolithic kernel policies built via checkpolicy. Support for modules and CIL remains to be done. Bug: 19419509 Change-Id: I198e8c9279b94d8ce4ae5625018daa99577ee970 Signed-off-by: Jeff Vander Stoep <jeffv@google.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-04-22 22:53:25 +02:00
;
checkpolicy: switch operations to extended perms The ioctl operations code is being renamed to the more generic "extended permissions." This commit brings the policy compiler up to date with the kernel patch. Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
2015-06-12 18:01:12 +02:00
nested_xperm_list : nested_xperm_element
| nested_xperm_list nested_xperm_element
Add support for ioctl command whitelisting Adds support for new policy statements whitelisting individual ioctl commands. Ioctls provide many of the operations necessary for driver control. The typical driver supports a device specific set of operations accessible by the ioctl system call and specified by the command argument. SELinux provides per operation access control to many system operations e.g. chown, kill, setuid, ipc_lock, etc. Ioclts on the other hand are granted on a per file descriptor basis using the ioctl permission, meaning that the set of operations provided by the driver are granted on an all-or-nothing basis. In some cases this may be acceptable, but often the same driver provides a large and diverse set of operations such as benign and necessary functionality as well as dangerous capabilities or access to system information that should be restricted. Example policy: allow <source> <target>:<class> { 0x8900-0x8905 0x8910 } auditallow <source> <target>:<class> 0x8901 The ioctl permission is still required in order to make an ioctl call. If no individual ioctl commands are specified, only the ioctl permission is checked by the kernel - i.e. status quo. This allows ioctl whitelisting to done in a targeted manner, protecting desired drivers without requiring every ioctl command to be known and specified before use and otherwise allowing existing policy to be used as-is. This only implements ioctl whitelisting support for monolithic kernel policies built via checkpolicy. Support for modules and CIL remains to be done. Bug: 19419509 Change-Id: I198e8c9279b94d8ce4ae5625018daa99577ee970 Signed-off-by: Jeff Vander Stoep <jeffv@google.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-04-22 22:53:25 +02:00
;
checkpolicy: switch operations to extended perms The ioctl operations code is being renamed to the more generic "extended permissions." This commit brings the policy compiler up to date with the kernel patch. Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
2015-06-12 18:01:12 +02:00
nested_xperm_element: xperm '-' { if (insert_id("-", 0)) return -1; } xperm
| xperm
| nested_xperm_set
Add support for ioctl command whitelisting Adds support for new policy statements whitelisting individual ioctl commands. Ioctls provide many of the operations necessary for driver control. The typical driver supports a device specific set of operations accessible by the ioctl system call and specified by the command argument. SELinux provides per operation access control to many system operations e.g. chown, kill, setuid, ipc_lock, etc. Ioclts on the other hand are granted on a per file descriptor basis using the ioctl permission, meaning that the set of operations provided by the driver are granted on an all-or-nothing basis. In some cases this may be acceptable, but often the same driver provides a large and diverse set of operations such as benign and necessary functionality as well as dangerous capabilities or access to system information that should be restricted. Example policy: allow <source> <target>:<class> { 0x8900-0x8905 0x8910 } auditallow <source> <target>:<class> 0x8901 The ioctl permission is still required in order to make an ioctl call. If no individual ioctl commands are specified, only the ioctl permission is checked by the kernel - i.e. status quo. This allows ioctl whitelisting to done in a targeted manner, protecting desired drivers without requiring every ioctl command to be known and specified before use and otherwise allowing existing policy to be used as-is. This only implements ioctl whitelisting support for monolithic kernel policies built via checkpolicy. Support for modules and CIL remains to be done. Bug: 19419509 Change-Id: I198e8c9279b94d8ce4ae5625018daa99577ee970 Signed-off-by: Jeff Vander Stoep <jeffv@google.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-04-22 22:53:25 +02:00
;
checkpolicy: switch operations to extended perms The ioctl operations code is being renamed to the more generic "extended permissions." This commit brings the policy compiler up to date with the kernel patch. Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
2015-06-12 18:01:12 +02:00
xperm : number
Add support for ioctl command whitelisting Adds support for new policy statements whitelisting individual ioctl commands. Ioctls provide many of the operations necessary for driver control. The typical driver supports a device specific set of operations accessible by the ioctl system call and specified by the command argument. SELinux provides per operation access control to many system operations e.g. chown, kill, setuid, ipc_lock, etc. Ioclts on the other hand are granted on a per file descriptor basis using the ioctl permission, meaning that the set of operations provided by the driver are granted on an all-or-nothing basis. In some cases this may be acceptable, but often the same driver provides a large and diverse set of operations such as benign and necessary functionality as well as dangerous capabilities or access to system information that should be restricted. Example policy: allow <source> <target>:<class> { 0x8900-0x8905 0x8910 } auditallow <source> <target>:<class> 0x8901 The ioctl permission is still required in order to make an ioctl call. If no individual ioctl commands are specified, only the ioctl permission is checked by the kernel - i.e. status quo. This allows ioctl whitelisting to done in a targeted manner, protecting desired drivers without requiring every ioctl command to be known and specified before use and otherwise allowing existing policy to be used as-is. This only implements ioctl whitelisting support for monolithic kernel policies built via checkpolicy. Support for modules and CIL remains to be done. Bug: 19419509 Change-Id: I198e8c9279b94d8ce4ae5625018daa99577ee970 Signed-off-by: Jeff Vander Stoep <jeffv@google.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-04-22 22:53:25 +02:00
{ if (insert_id(yytext,0)) return -1; }
;
initial import from svn trunk revision 2950
2008-08-19 21:30:36 +02:00
security_context_def : identifier ':' identifier ':' identifier opt_mls_range_def
;
opt_mls_range_def : ':' mls_range_def
|
;
mls_range_def : mls_level_def '-' mls_level_def
{if (insert_separator(0)) return -1;}
| mls_level_def
{if (insert_separator(0)) return -1;}
;
mls_level_def : identifier ':' id_comma_list
{if (insert_separator(0)) return -1;}
| identifier
{if (insert_separator(0)) return -1;}
;
id_comma_list : identifier
| id_comma_list ',' identifier
;
tilde : '~'
;
asterisk : '*'
;
names : identifier
{ if (insert_separator(0)) return -1; }
| nested_id_set
{ if (insert_separator(0)) return -1; }
| asterisk
{ if (insert_id("*", 0)) return -1;
if (insert_separator(0)) return -1; }
| tilde identifier
{ if (insert_id("~", 0)) return -1;
if (insert_separator(0)) return -1; }
| tilde nested_id_set
{ if (insert_id("~", 0)) return -1;
if (insert_separator(0)) return -1; }
| identifier '-' { if (insert_id("-", 0)) return -1; } identifier
{ if (insert_separator(0)) return -1; }
;
tilde_push : tilde
{ if (insert_id("~", 1)) return -1; }
;
asterisk_push : asterisk
{ if (insert_id("*", 1)) return -1; }
;
names_push : identifier_push
| '{' identifier_list_push '}'
| asterisk_push
| tilde_push identifier_push
| tilde_push '{' identifier_list_push '}'
;
identifier_list_push : identifier_push
| identifier_list_push identifier_push
;
identifier_push : IDENTIFIER
{ if (insert_id(yytext, 1)) return -1; }
;
identifier_list : identifier
| identifier_list identifier
;
nested_id_set : '{' nested_id_list '}'
;
nested_id_list : nested_id_element | nested_id_list nested_id_element
;
nested_id_element : identifier | '-' { if (insert_id("-", 0)) return -1; } identifier | nested_id_set
;
identifier : IDENTIFIER
{ if (insert_id(yytext,0)) return -1; }
;
Revert "checkpolicy: Redo filename/filesystem syntax to support filename trans rules" This reverts commit d72a9ec825ef2a8723510f62292cf2adfd4a2a6c. It should never have been added. It breaks the correct wrapping of filenames in "
2011-11-02 18:03:59 +01:00
filesystem : FILESYSTEM
{ if (insert_id(yytext,0)) return -1; }
checkpolicy: Redo filename/filesystem syntax to support filename trans rules In order to support filenames, which might start with "." or filesystems that start with a number we need to rework the matching rules a little bit. Since the new filename rule is so permissive it must be moved to the bottom of the matching list to not cover other definitions. Signed-of-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-04-12 15:54:46 +02:00
| IDENTIFIER
{ if (insert_id(yytext,0)) return -1; }
;
Revert "checkpolicy: Redo filename/filesystem syntax to support filename trans rules" This reverts commit d72a9ec825ef2a8723510f62292cf2adfd4a2a6c. It should never have been added. It breaks the correct wrapping of filenames in "
2011-11-02 18:03:59 +01:00
path : PATH
{ if (insert_id(yytext,0)) return -1; }
checkpolicy: Expand allowed character set in paths In order to support paths containing spaces or other characters, allow a quoted string with these characters to be parsed as a path in addition to the existing unquoted string. Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
2015-03-17 21:43:22 +01:00
| QPATH
{ yytext[strlen(yytext) - 1] = '\0'; if (insert_id(yytext + 1,0)) return -1; }
Revert "checkpolicy: Redo filename/filesystem syntax to support filename trans rules" This reverts commit d72a9ec825ef2a8723510f62292cf2adfd4a2a6c. It should never have been added. It breaks the correct wrapping of filenames in "
2011-11-02 18:03:59 +01:00
;
filename : FILENAME
{ yytext[strlen(yytext) - 1] = '\0'; if (insert_id(yytext + 1,0)) return -1; }
;
initial import from svn trunk revision 2950
2008-08-19 21:30:36 +02:00
number : NUMBER
{ $$ = strtoul(yytext,NULL,0); }
;
libsepol, checkpolicy: widen Xen IOMEM ocontext entries This expands IOMEMCON device context entries to 64 bits. This change is required to support static I/O memory range labeling for systems with over 16TB of physical address space. The policy version number change is shared with the next patch. While this makes no changes to SELinux policy, a new SELinux policy compatibility entry was added in order to avoid breaking compilation of an SELinux policy without explicitly specifying the policy version. Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
2015-03-17 21:43:23 +01:00
number64 : NUMBER
{ $$ = strtoull(yytext,NULL,0); }
;
initial import from svn trunk revision 2950
2008-08-19 21:30:36 +02:00
ipv6_addr : IPV6_ADDR
{ if (insert_id(yytext,0)) return -1; }
;
policycap_def : POLICYCAP identifier ';'
{if (define_polcap()) return -1;}
;
permissive_def : PERMISSIVE identifier ';'
{if (define_permissive()) return -1;}
/*********** module grammar below ***********/
module_policy : module_def avrules_block
{ if (end_avrule_block(pass) == -1) return -1;
if (policydb_index_others(NULL, policydbp, 0)) return -1;
}
;
module_def : MODULE identifier version_identifier ';'
{ if (define_policy(pass, 1) == -1) return -1; }
;
version_identifier : VERSION_IDENTIFIER
checkpolicy: allow version of single digit currently policy will not build if I define a module as 1 policy_module(dan,1) Fails policy_module(dan,1.0) works The attached patch makes the first one work. Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2011-04-29 21:41:16 +02:00
{ if (insert_id(yytext,0)) return -1; }
| number
initial import from svn trunk revision 2950
2008-08-19 21:30:36 +02:00
{ if (insert_id(yytext,0)) return -1; }
| ipv4_addr_def /* version can look like ipv4 address */
;
avrules_block : avrule_decls avrule_user_defs
;
avrule_decls : avrule_decls avrule_decl
| avrule_decl
;
avrule_decl : rbac_decl
| te_decl
| cond_stmt_def
| require_block
| optional_block
| ';'
;
require_block : REQUIRE '{' require_list '}'
;
require_list : require_list require_decl
| require_decl
;
require_decl : require_class ';'
| require_decl_def require_id_list ';'
;
require_class : CLASS identifier names
{ if (require_class(pass)) return -1; }
;
require_decl_def : ROLE { $$ = require_role; }
| TYPE { $$ = require_type; }
| ATTRIBUTE { $$ = require_attribute; }
Add role attribute support when compiling modules. 1. Add a uint32_t "flavor" field and an ebitmap "roles" to the role_datum_t structure; 2. Add a new "attribute_role" statement and its handler to declare a role attribute; 3. Modify declare_role() to setup role_datum_t.flavor according to the isattr argument; 4. Add a new "roleattribute" rule and its handler, which will record the regular role's (policy value - 1) into the role attribute's role_datum_t.roles ebitmap; 5. Modify the syntax for the role-types rule only to define the role-type associations; 6. Add a new role-attr rule to support the declaration of a single role, and optionally the role attribute that the role belongs to; 7. Check if the new_role used in role-transition rule is a regular role; 8. Support to require a role attribute; 9. Modify symtab_insert() to allow multiple declarations only for the regular role, while a role attribute can't be declared more than once and can't share a same name with another regular role. Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2011-07-25 03:23:54 +02:00
| ATTRIBUTE_ROLE { $$ = require_attribute_role; }
initial import from svn trunk revision 2950
2008-08-19 21:30:36 +02:00
| USER { $$ = require_user; }
| BOOL { $$ = require_bool; }
checkpolicy: Separate tunable from boolean during compile. Both boolean and tunable keywords are processed by define_bool_tunable(), argument 0 and 1 would be passed for boolean and tunable respectively. For tunable, a TUNABLE flag would be set in cond_bool_datum_t.flags. Note, when creating an if-else conditional we can not know if the tunable identifier is indeed a tunable(for example, a boolean may be misused in tunable_policy() or vice versa), thus the TUNABLE flag for cond_node_t would be calculated and used in expansion when all booleans/tunables copied during link. Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-09-01 05:29:41 +02:00
| TUNABLE { $$ = require_tunable; }
initial import from svn trunk revision 2950
2008-08-19 21:30:36 +02:00
| SENSITIVITY { $$ = require_sens; }
| CATEGORY { $$ = require_cat; }
;
require_id_list : identifier
{ if ($<require_func>0 (pass)) return -1; }
| require_id_list ',' identifier
{ if ($<require_func>0 (pass)) return -1; }
;
optional_block : optional_decl '{' avrules_block '}'
{ if (end_avrule_block(pass) == -1) return -1; }
optional_else
{ if (end_optional(pass) == -1) return -1; }
;
optional_else : else_decl '{' avrules_block '}'
{ if (end_avrule_block(pass) == -1) return -1; }
| /* empty */
;
optional_decl : OPTIONAL
{ if (begin_optional(pass) == -1) return -1; }
;
else_decl : ELSE
{ if (begin_optional_else(pass) == -1) return -1; }
;
avrule_user_defs : user_def avrule_user_defs
| /* empty */
;
Reference in a new issue Copy permalink