| # Authors: Karl MacMillan <kmacmillan@mentalrootkit.com> |
| # |
| # Copyright (C) 2006-2007 Red Hat |
| # see file 'COPYING' for use and warranty information |
| # |
| # This program is free software; you can redistribute it and/or |
| # modify it under the terms of the GNU General Public License as |
| # published by the Free Software Foundation; version 2 only |
| # |
| # This program is distributed in the hope that it will be useful, |
| # but WITHOUT ANY WARRANTY; without even the implied warranty of |
| # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| # GNU General Public License for more details. |
| # |
| # You should have received a copy of the GNU General Public License |
| # along with this program; if not, write to the Free Software |
| # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA |
| # |
| |
| # OVERVIEW |
| # |
| # |
| # This is a parser for the refpolicy policy "language" - i.e., the |
| # normal SELinux policy language plus the refpolicy style M4 macro |
| # constructs on top of that base language. This parser is primarily |
| # aimed at parsing the policy headers in order to create an abstract |
| # policy representation suitable for generating policy. |
| # |
| # Both the lexer and parser are included in this file. The are implemented |
| # using the Ply library (included with sepolgen). |
| |
| import sys |
| import os |
| import re |
| import traceback |
| |
| from . import access |
| from . import defaults |
| from . import lex |
| from . import refpolicy |
| from . import yacc |
| |
| # ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: |
| # |
| # lexer |
| # |
| # ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: |
| |
| tokens = ( |
| # basic tokens, punctuation |
| 'TICK', |
| 'SQUOTE', |
| 'OBRACE', |
| 'CBRACE', |
| 'SEMI', |
| 'COLON', |
| 'OPAREN', |
| 'CPAREN', |
| 'COMMA', |
| 'MINUS', |
| 'TILDE', |
| 'ASTERISK', |
| 'AMP', |
| 'BAR', |
| 'EXPL', |
| 'EQUAL', |
| 'FILENAME', |
| 'IDENTIFIER', |
| 'NUMBER', |
| 'PATH', |
| 'IPV6_ADDR', |
| # reserved words |
| # module |
| 'MODULE', |
| 'POLICY_MODULE', |
| 'REQUIRE', |
| # flask |
| 'SID', |
| 'GENFSCON', |
| 'FS_USE_XATTR', |
| 'FS_USE_TRANS', |
| 'FS_USE_TASK', |
| 'PORTCON', |
| 'NODECON', |
| 'NETIFCON', |
| 'PIRQCON', |
| 'IOMEMCON', |
| 'IOPORTCON', |
| 'PCIDEVICECON', |
| 'DEVICETREECON', |
| # object classes |
| 'CLASS', |
| # types and attributes |
| 'TYPEATTRIBUTE', |
| 'ROLEATTRIBUTE', |
| 'TYPE', |
| 'ATTRIBUTE', |
| 'ATTRIBUTE_ROLE', |
| 'ALIAS', |
| 'TYPEALIAS', |
| # conditional policy |
| 'BOOL', |
| 'TRUE', |
| 'FALSE', |
| 'IF', |
| 'ELSE', |
| # users and roles |
| 'ROLE', |
| 'TYPES', |
| # rules |
| 'ALLOW', |
| 'DONTAUDIT', |
| 'AUDITALLOW', |
| 'NEVERALLOW', |
| 'PERMISSIVE', |
| 'TYPE_TRANSITION', |
| 'TYPE_CHANGE', |
| 'TYPE_MEMBER', |
| 'RANGE_TRANSITION', |
| 'ROLE_TRANSITION', |
| # refpolicy keywords |
| 'OPT_POLICY', |
| 'INTERFACE', |
| 'TUNABLE_POLICY', |
| 'GEN_REQ', |
| 'TEMPLATE', |
| 'GEN_CONTEXT', |
| # m4 |
| 'IFELSE', |
| 'IFDEF', |
| 'IFNDEF', |
| 'DEFINE' |
| ) |
| |
| # All reserved keywords - see t_IDENTIFIER for how these are matched in |
| # the lexer. |
| reserved = { |
| # module |
| 'module' : 'MODULE', |
| 'policy_module' : 'POLICY_MODULE', |
| 'require' : 'REQUIRE', |
| # flask |
| 'sid' : 'SID', |
| 'genfscon' : 'GENFSCON', |
| 'fs_use_xattr' : 'FS_USE_XATTR', |
| 'fs_use_trans' : 'FS_USE_TRANS', |
| 'fs_use_task' : 'FS_USE_TASK', |
| 'portcon' : 'PORTCON', |
| 'nodecon' : 'NODECON', |
| 'netifcon' : 'NETIFCON', |
| 'pirqcon' : 'PIRQCON', |
| 'iomemcon' : 'IOMEMCON', |
| 'ioportcon' : 'IOPORTCON', |
| 'pcidevicecon' : 'PCIDEVICECON', |
| 'devicetreecon' : 'DEVICETREECON', |
| # object classes |
| 'class' : 'CLASS', |
| # types and attributes |
| 'typeattribute' : 'TYPEATTRIBUTE', |
| 'roleattribute' : 'ROLEATTRIBUTE', |
| 'type' : 'TYPE', |
| 'attribute' : 'ATTRIBUTE', |
| 'attribute_role' : 'ATTRIBUTE_ROLE', |
| 'alias' : 'ALIAS', |
| 'typealias' : 'TYPEALIAS', |
| # conditional policy |
| 'bool' : 'BOOL', |
| 'true' : 'TRUE', |
| 'false' : 'FALSE', |
| 'if' : 'IF', |
| 'else' : 'ELSE', |
| # users and roles |
| 'role' : 'ROLE', |
| 'types' : 'TYPES', |
| # rules |
| 'allow' : 'ALLOW', |
| 'dontaudit' : 'DONTAUDIT', |
| 'auditallow' : 'AUDITALLOW', |
| 'neverallow' : 'NEVERALLOW', |
| 'permissive' : 'PERMISSIVE', |
| 'type_transition' : 'TYPE_TRANSITION', |
| 'type_change' : 'TYPE_CHANGE', |
| 'type_member' : 'TYPE_MEMBER', |
| 'range_transition' : 'RANGE_TRANSITION', |
| 'role_transition' : 'ROLE_TRANSITION', |
| # refpolicy keywords |
| 'optional_policy' : 'OPT_POLICY', |
| 'interface' : 'INTERFACE', |
| 'tunable_policy' : 'TUNABLE_POLICY', |
| 'gen_require' : 'GEN_REQ', |
| 'template' : 'TEMPLATE', |
| 'gen_context' : 'GEN_CONTEXT', |
| # M4 |
| 'ifelse' : 'IFELSE', |
| 'ifndef' : 'IFNDEF', |
| 'ifdef' : 'IFDEF', |
| 'define' : 'DEFINE' |
| } |
| |
| # The ply lexer allows definition of tokens in 2 ways: regular expressions |
| # or functions. |
| |
| # Simple regex tokens |
| t_TICK = r'\`' |
| t_SQUOTE = r'\'' |
| t_OBRACE = r'\{' |
| t_CBRACE = r'\}' |
| # This will handle spurios extra ';' via the + |
| t_SEMI = r'\;+' |
| t_COLON = r'\:' |
| t_OPAREN = r'\(' |
| t_CPAREN = r'\)' |
| t_COMMA = r'\,' |
| t_MINUS = r'\-' |
| t_TILDE = r'\~' |
| t_ASTERISK = r'\*' |
| t_AMP = r'\&' |
| t_BAR = r'\|' |
| t_EXPL = r'\!' |
| t_EQUAL = r'\=' |
| t_NUMBER = r'[0-9\.]+' |
| t_PATH = r'/[a-zA-Z0-9)_\.\*/\$]*' |
| #t_IPV6_ADDR = r'[a-fA-F0-9]{0,4}:[a-fA-F0-9]{0,4}:([a-fA-F0-9]{0,4}:)*' |
| |
| # Ignore whitespace - this is a special token for ply that more efficiently |
| # ignores uninteresting tokens. |
| t_ignore = " \t" |
| |
| # More complex tokens |
| def t_IPV6_ADDR(t): |
| r'[a-fA-F0-9]{0,4}:[a-fA-F0-9]{0,4}:([a-fA-F0-9]|:)*' |
| # This is a function simply to force it sooner into |
| # the regex list |
| return t |
| |
| def t_m4comment(t): |
| r'dnl.*\n' |
| # Ignore all comments |
| t.lexer.lineno += 1 |
| |
| def t_refpolicywarn1(t): |
| r'define.*refpolicywarn\(.*\n' |
| # Ignore refpolicywarn statements - they sometimes |
| # contain text that we can't parse. |
| t.skip(1) |
| |
| def t_refpolicywarn(t): |
| r'refpolicywarn\(.*\n' |
| # Ignore refpolicywarn statements - they sometimes |
| # contain text that we can't parse. |
| t.lexer.lineno += 1 |
| |
| def t_IDENTIFIER(t): |
| r'[a-zA-Z_\$][a-zA-Z0-9_\-\+\.\$\*~]*' |
| # Handle any keywords |
| t.type = reserved.get(t.value,'IDENTIFIER') |
| return t |
| |
| def t_FILENAME(t): |
| r'\"[a-zA-Z0-9_\-\+\.\$\*~ :]+\"' |
| # Handle any keywords |
| t.type = reserved.get(t.value,'FILENAME') |
| return t |
| |
| def t_comment(t): |
| r'\#.*\n' |
| # Ignore all comments |
| t.lexer.lineno += 1 |
| |
| def t_error(t): |
| print("Illegal character '%s'" % t.value[0]) |
| t.skip(1) |
| |
| def t_newline(t): |
| r'\n+' |
| t.lexer.lineno += len(t.value) |
| |
| # ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: |
| # |
| # Parser |
| # |
| # ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: |
| |
| # Global data used during parsing - making it global is easier than |
| # passing the state through the parsing functions. |
| |
| # m is the top-level data structure (stands for modules). |
| m = None |
| # error is either None (indicating no error) or a string error message. |
| error = None |
| parse_file = "" |
| # spt is the support macros (e.g., obj/perm sets) - it is an instance of |
| # refpolicy.SupportMacros and should always be present during parsing |
| # though it may not contain any macros. |
| spt = None |
| success = True |
| |
| # utilities |
| def collect(stmts, parent, val=None): |
| if stmts is None: |
| return |
| for s in stmts: |
| if s is None: |
| continue |
| s.parent = parent |
| if val is not None: |
| parent.children.insert(0, (val, s)) |
| else: |
| parent.children.insert(0, s) |
| |
| def expand(ids, s): |
| for id in ids: |
| if spt.has_key(id): |
| s.update(spt.by_name(id)) |
| else: |
| s.add(id) |
| |
| # Top-level non-terminal |
| def p_statements(p): |
| '''statements : statement |
| | statements statement |
| | empty |
| ''' |
| if len(p) == 2 and p[1]: |
| m.children.append(p[1]) |
| elif len(p) > 2 and p[2]: |
| m.children.append(p[2]) |
| |
| def p_statement(p): |
| '''statement : interface |
| | template |
| | obj_perm_set |
| | policy |
| | policy_module_stmt |
| | module_stmt |
| ''' |
| p[0] = p[1] |
| |
| def p_empty(p): |
| 'empty :' |
| pass |
| |
| # |
| # Reference policy language constructs |
| # |
| |
| # This is for the policy module statement (e.g., policy_module(foo,1.2.0)). |
| # We have a separate terminal for either the basic language module statement |
| # and interface calls to make it easier to identifier. |
| def p_policy_module_stmt(p): |
| 'policy_module_stmt : POLICY_MODULE OPAREN IDENTIFIER COMMA NUMBER CPAREN' |
| m = refpolicy.ModuleDeclaration() |
| m.name = p[3] |
| m.version = p[5] |
| m.refpolicy = True |
| p[0] = m |
| |
| def p_interface(p): |
| '''interface : INTERFACE OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN |
| ''' |
| x = refpolicy.Interface(p[4]) |
| collect(p[8], x) |
| p[0] = x |
| |
| def p_template(p): |
| '''template : TEMPLATE OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN |
| | DEFINE OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN |
| ''' |
| x = refpolicy.Template(p[4]) |
| collect(p[8], x) |
| p[0] = x |
| |
| def p_define(p): |
| '''define : DEFINE OPAREN TICK IDENTIFIER SQUOTE CPAREN''' |
| # This is for defining single M4 values (to be used later in ifdef statements). |
| # Example: define(`sulogin_no_pam'). We don't currently do anything with these |
| # but we should in the future when we correctly resolve ifdef statements. |
| p[0] = None |
| |
| def p_interface_stmts(p): |
| '''interface_stmts : policy |
| | interface_stmts policy |
| | empty |
| ''' |
| if len(p) == 2 and p[1]: |
| p[0] = p[1] |
| elif len(p) > 2: |
| if not p[1]: |
| if p[2]: |
| p[0] = p[2] |
| elif not p[2]: |
| p[0] = p[1] |
| else: |
| p[0] = p[1] + p[2] |
| |
| def p_optional_policy(p): |
| '''optional_policy : OPT_POLICY OPAREN TICK interface_stmts SQUOTE CPAREN |
| | OPT_POLICY OPAREN TICK interface_stmts SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN |
| ''' |
| o = refpolicy.OptionalPolicy() |
| collect(p[4], o, val=True) |
| if len(p) > 7: |
| collect(p[8], o, val=False) |
| p[0] = [o] |
| |
| def p_tunable_policy(p): |
| '''tunable_policy : TUNABLE_POLICY OPAREN TICK cond_expr SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN |
| | TUNABLE_POLICY OPAREN TICK cond_expr SQUOTE COMMA TICK interface_stmts SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN |
| ''' |
| x = refpolicy.TunablePolicy() |
| x.cond_expr = p[4] |
| collect(p[8], x, val=True) |
| if len(p) > 11: |
| collect(p[12], x, val=False) |
| p[0] = [x] |
| |
| def p_ifelse(p): |
| '''ifelse : IFELSE OPAREN TICK IDENTIFIER SQUOTE COMMA COMMA TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi |
| | IFELSE OPAREN TICK IDENTIFIER SQUOTE COMMA TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi |
| | IFELSE OPAREN TICK IDENTIFIER SQUOTE COMMA TICK SQUOTE COMMA TICK interface_stmts SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi |
| ''' |
| # x = refpolicy.IfDef(p[4]) |
| # v = True |
| # collect(p[8], x, val=v) |
| # if len(p) > 12: |
| # collect(p[12], x, val=False) |
| # p[0] = [x] |
| pass |
| |
| |
| def p_ifdef(p): |
| '''ifdef : IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi |
| | IFNDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi |
| | IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi |
| ''' |
| x = refpolicy.IfDef(p[4]) |
| if p[1] == 'ifdef': |
| v = True |
| else: |
| v = False |
| collect(p[8], x, val=v) |
| if len(p) > 12: |
| collect(p[12], x, val=False) |
| p[0] = [x] |
| |
| def p_interface_call(p): |
| '''interface_call : IDENTIFIER OPAREN interface_call_param_list CPAREN |
| | IDENTIFIER OPAREN CPAREN |
| | IDENTIFIER OPAREN interface_call_param_list CPAREN SEMI''' |
| # Allow spurious semi-colons at the end of interface calls |
| i = refpolicy.InterfaceCall(ifname=p[1]) |
| if len(p) > 4: |
| i.args.extend(p[3]) |
| p[0] = i |
| |
| def p_interface_call_param(p): |
| '''interface_call_param : IDENTIFIER |
| | IDENTIFIER MINUS IDENTIFIER |
| | nested_id_set |
| | TRUE |
| | FALSE |
| | FILENAME |
| ''' |
| # Intentionally let single identifiers pass through |
| # List means set, non-list identifier |
| if len(p) == 2: |
| p[0] = p[1] |
| else: |
| p[0] = [p[1], "-" + p[3]] |
| |
| def p_interface_call_param_list(p): |
| '''interface_call_param_list : interface_call_param |
| | interface_call_param_list COMMA interface_call_param |
| ''' |
| if len(p) == 2: |
| p[0] = [p[1]] |
| else: |
| p[0] = p[1] + [p[3]] |
| |
| |
| def p_obj_perm_set(p): |
| 'obj_perm_set : DEFINE OPAREN TICK IDENTIFIER SQUOTE COMMA TICK names SQUOTE CPAREN' |
| s = refpolicy.ObjPermSet(p[4]) |
| s.perms = p[8] |
| p[0] = s |
| |
| # |
| # Basic SELinux policy language |
| # |
| |
| def p_policy(p): |
| '''policy : policy_stmt |
| | optional_policy |
| | tunable_policy |
| | ifdef |
| | ifelse |
| | conditional |
| ''' |
| p[0] = p[1] |
| |
| def p_policy_stmt(p): |
| '''policy_stmt : gen_require |
| | avrule_def |
| | typerule_def |
| | typeattribute_def |
| | roleattribute_def |
| | interface_call |
| | role_def |
| | role_allow |
| | permissive |
| | type_def |
| | typealias_def |
| | attribute_def |
| | attribute_role_def |
| | range_transition_def |
| | role_transition_def |
| | bool |
| | define |
| | initial_sid |
| | genfscon |
| | fs_use |
| | portcon |
| | nodecon |
| | netifcon |
| | pirqcon |
| | iomemcon |
| | ioportcon |
| | pcidevicecon |
| | devicetreecon |
| ''' |
| if p[1]: |
| p[0] = [p[1]] |
| |
| def p_module_stmt(p): |
| 'module_stmt : MODULE IDENTIFIER NUMBER SEMI' |
| m = refpolicy.ModuleDeclaration() |
| m.name = p[2] |
| m.version = p[3] |
| m.refpolicy = False |
| p[0] = m |
| |
| def p_gen_require(p): |
| '''gen_require : GEN_REQ OPAREN TICK requires SQUOTE CPAREN |
| | REQUIRE OBRACE requires CBRACE''' |
| # We ignore the require statements - they are redundant data from our point-of-view. |
| # Checkmodule will verify them later anyway so we just assume that they match what |
| # is in the rest of the interface. |
| pass |
| |
| def p_requires(p): |
| '''requires : require |
| | requires require |
| | ifdef |
| | requires ifdef |
| ''' |
| pass |
| |
| def p_require(p): |
| '''require : TYPE comma_list SEMI |
| | ROLE comma_list SEMI |
| | ATTRIBUTE comma_list SEMI |
| | ATTRIBUTE_ROLE comma_list SEMI |
| | CLASS comma_list SEMI |
| | BOOL comma_list SEMI |
| ''' |
| pass |
| |
| def p_security_context(p): |
| '''security_context : IDENTIFIER COLON IDENTIFIER COLON IDENTIFIER |
| | IDENTIFIER COLON IDENTIFIER COLON IDENTIFIER COLON mls_range_def''' |
| # This will likely need some updates to handle complex levels |
| s = refpolicy.SecurityContext() |
| s.user = p[1] |
| s.role = p[3] |
| s.type = p[5] |
| if len(p) > 6: |
| s.level = p[7] |
| |
| p[0] = s |
| |
| def p_gen_context(p): |
| '''gen_context : GEN_CONTEXT OPAREN security_context COMMA mls_range_def CPAREN |
| ''' |
| # We actually store gen_context statements in a SecurityContext |
| # object - it knows how to output either a bare context or a |
| # gen_context statement. |
| s = p[3] |
| s.level = p[5] |
| |
| p[0] = s |
| |
| def p_context(p): |
| '''context : security_context |
| | gen_context |
| ''' |
| p[0] = p[1] |
| |
| def p_initial_sid(p): |
| '''initial_sid : SID IDENTIFIER context''' |
| s = refpolicy.InitialSid() |
| s.name = p[2] |
| s.context = p[3] |
| p[0] = s |
| |
| def p_genfscon(p): |
| '''genfscon : GENFSCON IDENTIFIER PATH context''' |
| |
| g = refpolicy.GenfsCon() |
| g.filesystem = p[2] |
| g.path = p[3] |
| g.context = p[4] |
| |
| p[0] = g |
| |
| def p_fs_use(p): |
| '''fs_use : FS_USE_XATTR IDENTIFIER context SEMI |
| | FS_USE_TASK IDENTIFIER context SEMI |
| | FS_USE_TRANS IDENTIFIER context SEMI |
| ''' |
| f = refpolicy.FilesystemUse() |
| if p[1] == "fs_use_xattr": |
| f.type = refpolicy.FilesystemUse.XATTR |
| elif p[1] == "fs_use_task": |
| f.type = refpolicy.FilesystemUse.TASK |
| elif p[1] == "fs_use_trans": |
| f.type = refpolicy.FilesystemUse.TRANS |
| |
| f.filesystem = p[2] |
| f.context = p[3] |
| |
| p[0] = f |
| |
| def p_portcon(p): |
| '''portcon : PORTCON IDENTIFIER NUMBER context |
| | PORTCON IDENTIFIER NUMBER MINUS NUMBER context''' |
| c = refpolicy.PortCon() |
| c.port_type = p[2] |
| if len(p) == 5: |
| c.port_number = p[3] |
| c.context = p[4] |
| else: |
| c.port_number = p[3] + "-" + p[4] |
| c.context = p[5] |
| |
| p[0] = c |
| |
| def p_nodecon(p): |
| '''nodecon : NODECON NUMBER NUMBER context |
| | NODECON IPV6_ADDR IPV6_ADDR context |
| ''' |
| n = refpolicy.NodeCon() |
| n.start = p[2] |
| n.end = p[3] |
| n.context = p[4] |
| |
| p[0] = n |
| |
| def p_netifcon(p): |
| 'netifcon : NETIFCON IDENTIFIER context context' |
| n = refpolicy.NetifCon() |
| n.interface = p[2] |
| n.interface_context = p[3] |
| n.packet_context = p[4] |
| |
| p[0] = n |
| |
| def p_pirqcon(p): |
| 'pirqcon : PIRQCON NUMBER context' |
| c = refpolicy.PirqCon() |
| c.pirq_number = p[2] |
| c.context = p[3] |
| |
| p[0] = c |
| |
| def p_iomemcon(p): |
| '''iomemcon : IOMEMCON NUMBER context |
| | IOMEMCON NUMBER MINUS NUMBER context''' |
| c = refpolicy.IomemCon() |
| if len(p) == 4: |
| c.device_mem = p[2] |
| c.context = p[3] |
| else: |
| c.device_mem = p[2] + "-" + p[3] |
| c.context = p[4] |
| |
| p[0] = c |
| |
| def p_ioportcon(p): |
| '''ioportcon : IOPORTCON NUMBER context |
| | IOPORTCON NUMBER MINUS NUMBER context''' |
| c = refpolicy.IoportCon() |
| if len(p) == 4: |
| c.ioport = p[2] |
| c.context = p[3] |
| else: |
| c.ioport = p[2] + "-" + p[3] |
| c.context = p[4] |
| |
| p[0] = c |
| |
| def p_pcidevicecon(p): |
| 'pcidevicecon : PCIDEVICECON NUMBER context' |
| c = refpolicy.PciDeviceCon() |
| c.device = p[2] |
| c.context = p[3] |
| |
| p[0] = c |
| |
| def p_devicetreecon(p): |
| 'devicetreecon : DEVICETREECON NUMBER context' |
| c = refpolicy.DevicetTeeCon() |
| c.path = p[2] |
| c.context = p[3] |
| |
| p[0] = c |
| |
| def p_mls_range_def(p): |
| '''mls_range_def : mls_level_def MINUS mls_level_def |
| | mls_level_def |
| ''' |
| p[0] = p[1] |
| if len(p) > 2: |
| p[0] = p[0] + "-" + p[3] |
| |
| def p_mls_level_def(p): |
| '''mls_level_def : IDENTIFIER COLON comma_list |
| | IDENTIFIER |
| ''' |
| p[0] = p[1] |
| if len(p) > 2: |
| p[0] = p[0] + ":" + ",".join(p[3]) |
| |
| def p_type_def(p): |
| '''type_def : TYPE IDENTIFIER COMMA comma_list SEMI |
| | TYPE IDENTIFIER SEMI |
| | TYPE IDENTIFIER ALIAS names SEMI |
| | TYPE IDENTIFIER ALIAS names COMMA comma_list SEMI |
| ''' |
| t = refpolicy.Type(p[2]) |
| if len(p) == 6: |
| if p[3] == ',': |
| t.attributes.update(p[4]) |
| else: |
| t.aliases = p[4] |
| elif len(p) > 4: |
| t.aliases = p[4] |
| if len(p) == 8: |
| t.attributes.update(p[6]) |
| p[0] = t |
| |
| def p_attribute_def(p): |
| 'attribute_def : ATTRIBUTE IDENTIFIER SEMI' |
| a = refpolicy.Attribute(p[2]) |
| p[0] = a |
| |
| def p_attribute_role_def(p): |
| 'attribute_role_def : ATTRIBUTE_ROLE IDENTIFIER SEMI' |
| a = refpolicy.Attribute_Role(p[2]) |
| p[0] = a |
| |
| def p_typealias_def(p): |
| 'typealias_def : TYPEALIAS IDENTIFIER ALIAS names SEMI' |
| t = refpolicy.TypeAlias() |
| t.type = p[2] |
| t.aliases = p[4] |
| p[0] = t |
| |
| def p_role_def(p): |
| '''role_def : ROLE IDENTIFIER TYPES comma_list SEMI |
| | ROLE IDENTIFIER SEMI''' |
| r = refpolicy.Role() |
| r.role = p[2] |
| if len(p) > 4: |
| r.types.update(p[4]) |
| p[0] = r |
| |
| def p_role_allow(p): |
| 'role_allow : ALLOW names names SEMI' |
| r = refpolicy.RoleAllow() |
| r.src_roles = p[2] |
| r.tgt_roles = p[3] |
| p[0] = r |
| |
| def p_permissive(p): |
| 'permissive : PERMISSIVE names SEMI' |
| t.skip(1) |
| |
| def p_avrule_def(p): |
| '''avrule_def : ALLOW names names COLON names names SEMI |
| | DONTAUDIT names names COLON names names SEMI |
| | AUDITALLOW names names COLON names names SEMI |
| | NEVERALLOW names names COLON names names SEMI |
| ''' |
| a = refpolicy.AVRule() |
| if p[1] == 'dontaudit': |
| a.rule_type = refpolicy.AVRule.DONTAUDIT |
| elif p[1] == 'auditallow': |
| a.rule_type = refpolicy.AVRule.AUDITALLOW |
| elif p[1] == 'neverallow': |
| a.rule_type = refpolicy.AVRule.NEVERALLOW |
| a.src_types = p[2] |
| a.tgt_types = p[3] |
| a.obj_classes = p[5] |
| a.perms = p[6] |
| p[0] = a |
| |
| def p_typerule_def(p): |
| '''typerule_def : TYPE_TRANSITION names names COLON names IDENTIFIER SEMI |
| | TYPE_TRANSITION names names COLON names IDENTIFIER FILENAME SEMI |
| | TYPE_TRANSITION names names COLON names IDENTIFIER IDENTIFIER SEMI |
| | TYPE_CHANGE names names COLON names IDENTIFIER SEMI |
| | TYPE_MEMBER names names COLON names IDENTIFIER SEMI |
| ''' |
| t = refpolicy.TypeRule() |
| if p[1] == 'type_change': |
| t.rule_type = refpolicy.TypeRule.TYPE_CHANGE |
| elif p[1] == 'type_member': |
| t.rule_type = refpolicy.TypeRule.TYPE_MEMBER |
| t.src_types = p[2] |
| t.tgt_types = p[3] |
| t.obj_classes = p[5] |
| t.dest_type = p[6] |
| t.file_name = p[7] |
| p[0] = t |
| |
| def p_bool(p): |
| '''bool : BOOL IDENTIFIER TRUE SEMI |
| | BOOL IDENTIFIER FALSE SEMI''' |
| b = refpolicy.Bool() |
| b.name = p[2] |
| if p[3] == "true": |
| b.state = True |
| else: |
| b.state = False |
| p[0] = b |
| |
| def p_conditional(p): |
| ''' conditional : IF OPAREN cond_expr CPAREN OBRACE interface_stmts CBRACE |
| | IF OPAREN cond_expr CPAREN OBRACE interface_stmts CBRACE ELSE OBRACE interface_stmts CBRACE |
| ''' |
| c = refpolicy.Conditional() |
| c.cond_expr = p[3] |
| collect(p[6], c, val=True) |
| if len(p) > 8: |
| collect(p[10], c, val=False) |
| p[0] = [c] |
| |
| def p_typeattribute_def(p): |
| '''typeattribute_def : TYPEATTRIBUTE IDENTIFIER comma_list SEMI''' |
| t = refpolicy.TypeAttribute() |
| t.type = p[2] |
| t.attributes.update(p[3]) |
| p[0] = t |
| |
| def p_roleattribute_def(p): |
| '''roleattribute_def : ROLEATTRIBUTE IDENTIFIER comma_list SEMI''' |
| t = refpolicy.RoleAttribute() |
| t.role = p[2] |
| t.roleattributes.update(p[3]) |
| p[0] = t |
| |
| def p_range_transition_def(p): |
| '''range_transition_def : RANGE_TRANSITION names names COLON names mls_range_def SEMI |
| | RANGE_TRANSITION names names names SEMI''' |
| pass |
| |
| def p_role_transition_def(p): |
| '''role_transition_def : ROLE_TRANSITION names names names SEMI''' |
| pass |
| |
| def p_cond_expr(p): |
| '''cond_expr : IDENTIFIER |
| | EXPL cond_expr |
| | cond_expr AMP AMP cond_expr |
| | cond_expr BAR BAR cond_expr |
| | cond_expr EQUAL EQUAL cond_expr |
| | cond_expr EXPL EQUAL cond_expr |
| ''' |
| l = len(p) |
| if l == 2: |
| p[0] = [p[1]] |
| elif l == 3: |
| p[0] = [p[1]] + p[2] |
| else: |
| p[0] = p[1] + [p[2] + p[3]] + p[4] |
| |
| |
| # |
| # Basic terminals |
| # |
| |
| # Identifiers and lists of identifiers. These must |
| # be handled somewhat gracefully. Names returns an IdSet and care must |
| # be taken that this is _assigned_ to an object to correctly update |
| # all of the flags (as opposed to using update). The other terminals |
| # return list - this is to preserve ordering if it is important for |
| # parsing (for example, interface_call must retain the ordering). Other |
| # times the list should be used to update an IdSet. |
| |
| def p_names(p): |
| '''names : identifier |
| | nested_id_set |
| | asterisk |
| | TILDE identifier |
| | TILDE nested_id_set |
| | IDENTIFIER MINUS IDENTIFIER |
| ''' |
| s = refpolicy.IdSet() |
| if len(p) < 3: |
| expand(p[1], s) |
| elif len(p) == 3: |
| expand(p[2], s) |
| s.compliment = True |
| else: |
| expand([p[1]]) |
| s.add("-" + p[3]) |
| p[0] = s |
| |
| def p_identifier(p): |
| 'identifier : IDENTIFIER' |
| p[0] = [p[1]] |
| |
| def p_asterisk(p): |
| 'asterisk : ASTERISK' |
| p[0] = [p[1]] |
| |
| def p_nested_id_set(p): |
| '''nested_id_set : OBRACE nested_id_list CBRACE |
| ''' |
| p[0] = p[2] |
| |
| def p_nested_id_list(p): |
| '''nested_id_list : nested_id_element |
| | nested_id_list nested_id_element |
| ''' |
| if len(p) == 2: |
| p[0] = p[1] |
| else: |
| p[0] = p[1] + p[2] |
| |
| def p_nested_id_element(p): |
| '''nested_id_element : identifier |
| | MINUS IDENTIFIER |
| | nested_id_set |
| ''' |
| if len(p) == 2: |
| p[0] = p[1] |
| else: |
| # For now just leave the '-' |
| str = "-" + p[2] |
| p[0] = [str] |
| |
| def p_comma_list(p): |
| '''comma_list : nested_id_list |
| | comma_list COMMA nested_id_list |
| ''' |
| if len(p) > 2: |
| p[1] = p[1] + p[3] |
| p[0] = p[1] |
| |
| def p_optional_semi(p): |
| '''optional_semi : SEMI |
| | empty''' |
| pass |
| |
| |
| # |
| # Interface to the parser |
| # |
| |
| def p_error(tok): |
| global error, parse_file, success, parser |
| error = "%s: Syntax error on line %d %s [type=%s]" % (parse_file, tok.lineno, tok.value, tok.type) |
| print(error) |
| success = False |
| |
| def prep_spt(spt): |
| if not spt: |
| return { } |
| map = {} |
| for x in spt: |
| map[x.name] = x |
| |
| parser = None |
| lexer = None |
| def create_globals(module, support, debug): |
| global parser, lexer, m, spt |
| |
| if not parser: |
| lexer = lex.lex() |
| parser = yacc.yacc(method="LALR", debug=debug, write_tables=0) |
| |
| if module is not None: |
| m = module |
| else: |
| m = refpolicy.Module() |
| |
| if not support: |
| spt = refpolicy.SupportMacros() |
| else: |
| spt = support |
| |
| def parse(text, module=None, support=None, debug=False): |
| create_globals(module, support, debug) |
| global error, parser, lexer, success |
| |
| lexer.lineno = 1 |
| success = True |
| |
| try: |
| parser.parse(text, debug=debug, lexer=lexer) |
| except Exception as e: |
| parser = None |
| lexer = None |
| error = "internal parser error: %s" % str(e) + "\n" + traceback.format_exc() |
| |
| if not success: |
| # force the parser and lexer to be rebuilt - we have some problems otherwise |
| parser = None |
| msg = 'could not parse text: "%s"' % error |
| raise ValueError(msg) |
| return m |
| |
| def list_headers(root): |
| modules = [] |
| support_macros = None |
| |
| for dirpath, dirnames, filenames in os.walk(root): |
| for name in filenames: |
| modname = os.path.splitext(name) |
| filename = os.path.join(dirpath, name) |
| |
| if modname[1] == '.spt': |
| if name == "obj_perm_sets.spt": |
| support_macros = filename |
| elif len(re.findall("patterns", modname[0])): |
| modules.append((modname[0], filename)) |
| elif modname[1] == '.if': |
| modules.append((modname[0], filename)) |
| |
| return (modules, support_macros) |
| |
| |
| def parse_headers(root, output=None, expand=True, debug=False): |
| from . import util |
| |
| headers = refpolicy.Headers() |
| |
| modules = [] |
| support_macros = None |
| |
| if os.path.isfile(root): |
| name = os.path.split(root)[1] |
| if name == '': |
| raise ValueError("Invalid file name %s" % root) |
| modname = os.path.splitext(name) |
| modules.append((modname[0], root)) |
| all_modules, support_macros = list_headers(defaults.headers()) |
| else: |
| modules, support_macros = list_headers(root) |
| |
| if expand and not support_macros: |
| raise ValueError("could not find support macros (obj_perm_sets.spt)") |
| |
| def o(msg): |
| if output: |
| output.write(msg) |
| |
| def parse_file(f, module, spt=None): |
| global parse_file |
| if debug: |
| o("parsing file %s\n" % f) |
| try: |
| fd = open(f) |
| txt = fd.read() |
| fd.close() |
| parse_file = f |
| parse(txt, module, spt, debug) |
| except IOError as e: |
| return |
| except ValueError as e: |
| raise ValueError("error parsing file %s: %s" % (f, str(e))) |
| |
| spt = None |
| if support_macros: |
| o("Parsing support macros (%s): " % support_macros) |
| spt = refpolicy.SupportMacros() |
| parse_file(support_macros, spt) |
| |
| headers.children.append(spt) |
| |
| # FIXME: Total hack - add in can_exec rather than parse the insanity |
| # of misc_macros. We are just going to pretend that this is an interface |
| # to make the expansion work correctly. |
| can_exec = refpolicy.Interface("can_exec") |
| av = access.AccessVector(["$1","$2","file","execute_no_trans","open", "read", |
| "getattr","lock","execute","ioctl"]) |
| |
| can_exec.children.append(refpolicy.AVRule(av)) |
| headers.children.append(can_exec) |
| |
| o("done.\n") |
| |
| if output and not debug: |
| status = util.ConsoleProgressBar(sys.stdout, steps=len(modules)) |
| status.start("Parsing interface files") |
| |
| failures = [] |
| for x in modules: |
| m = refpolicy.Module() |
| m.name = x[0] |
| try: |
| if expand: |
| parse_file(x[1], m, spt) |
| else: |
| parse_file(x[1], m) |
| except ValueError as e: |
| o(str(e) + "\n") |
| failures.append(x[1]) |
| continue |
| |
| headers.children.append(m) |
| if output and not debug: |
| status.step() |
| |
| if len(failures): |
| o("failed to parse some headers: %s" % ", ".join(failures)) |
| |
| return headers |