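/*
 * Author : Stephen Smalley, <sds (at) epoch.ncsc.mil>
 */

/*
 * Updated: Trusted Computer Solutions, Inc. <dgoeddel (at) trustedcs.com>
 *
 * Support for enhanced MLS infrastructure.
 *
 * Updated: David Caplan, <dac (at) tresys.com>
 *
 * Added conditional policy language extensions
 *
 * Updated: Joshua Brindle <jbrindle (at) tresys.com>
 *          Karl MacMillan <kmacmillan (at) mentalrootkit.com>
 *          Jason Tang <jtang (at) tresys.com>
 *
 * Added support for binary policy modules
 *
 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
 * Copyright (C) 2003 - 2008 Tresys Technology, LLC
 * Copyright (C) 2007 Red Hat Inc.
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, version 2.
 */

/* FLASK */

/*
 * Grammar for the checkpolicy policy language (base policy and policy
 * modules).
 *
 * Conventions used throughout the actions below:
 *  - The parser is run more than once over the same input; `pass` is set by
 *    the driver and several actions branch on `pass == 1` / `pass == 2`.
 *  - Terminal text is not stored in semantic values; instead actions push the
 *    token text onto an id queue with insert_id() and delimit groups with
 *    insert_separator().  The define_*() helpers declared in policy_define.h
 *    consume that queue.  (The exact meaning of the second argument of
 *    insert_id()/insert_separator() is not visible here; it is 1 only in the
 *    *_push rules used by constraint expressions — see names_push.)
 *  - Every helper call is checked and a failure makes yyparse() return -1,
 *    so a single bad statement aborts the whole compile.
 */

%{
#include <sys/types.h>
#include <assert.h>
#include <errno.h>
#include <limits.h>
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdlib.h>

#include <sepol/policydb/expand.h>
#include <sepol/policydb/policydb.h>
#include <sepol/policydb/services.h>
#include <sepol/policydb/conditional.h>
#include <sepol/policydb/flask.h>
#include <sepol/policydb/hierarchy.h>
#include <sepol/policydb/polcaps.h>
#include "queue.h"
#include "checkpolicy.h"
#include "module_compiler.h"
#include "policy_define.h"

/* Policy being built and the current parser pass; both owned by the driver. */
extern policydb_t *policydbp;
extern unsigned int pass;

/* Scanner interface (policy_scan.l). yytext is read directly by the actions. */
extern char yytext[];
extern int yylex(void);
extern int yywarn(const char *msg);
extern int yyerror(const char *msg);

/* Signature shared by the require_*() helpers selected in require_decl_def. */
typedef int (* require_func_t)(int pass);

%}

%union {
    unsigned int val;          /* `number`: fits a 32-bit quantity */
    uint64_t val64;            /* `number64`: used for iomemcon ranges */
    uintptr_t valptr;          /* constraint-expression handles and operators */
    void *ptr;                 /* cond_expr_t* / avrule_t* / role_datum_t* */
    require_func_t require_func;
}

%type <ptr> cond_expr cond_expr_prim cond_pol_list cond_else
%type <ptr> cond_allow_def cond_auditallow_def cond_auditdeny_def cond_dontaudit_def
%type <ptr> cond_transition_def cond_te_avtab_def cond_rule_def
%type <ptr> role_def roles
%type <valptr> cexpr cexpr_prim op role_mls_op
%type <val> ipv4_addr_def number
%type <val64> number64
%type <require_func> require_decl_def

%token PATH
%token QPATH
%token FILENAME
%token CLONE
%token COMMON
%token CLASS
%token CONSTRAIN
%token VALIDATETRANS
%token INHERITS
%token SID
%token ROLE
%token ROLEATTRIBUTE
%token ATTRIBUTE_ROLE
%token ROLES
%token TYPEALIAS
%token TYPEATTRIBUTE
%token TYPEBOUNDS
%token TYPE
%token TYPES
%token ALIAS
%token ATTRIBUTE
%token EXPANDATTRIBUTE
%token BOOL
%token TUNABLE
%token IF
%token ELSE
%token TYPE_TRANSITION
%token TYPE_MEMBER
%token TYPE_CHANGE
%token ROLE_TRANSITION
%token RANGE_TRANSITION
%token SENSITIVITY
%token DOMINANCE
%token DOM DOMBY INCOMP
%token CATEGORY
%token LEVEL
%token RANGE
%token MLSCONSTRAIN
%token MLSVALIDATETRANS
%token USER
%token NEVERALLOW
%token ALLOW
%token AUDITALLOW
%token AUDITDENY
%token DONTAUDIT
%token ALLOWXPERM
%token AUDITALLOWXPERM
%token DONTAUDITXPERM
%token NEVERALLOWXPERM
%token SOURCE
%token TARGET
%token SAMEUSER
%token FSCON PORTCON NETIFCON NODECON
%token PIRQCON IOMEMCON IOPORTCON PCIDEVICECON DEVICETREECON
%token FSUSEXATTR FSUSETASK FSUSETRANS
%token GENFSCON
%token U1 U2 U3 R1 R2 R3 T1 T2 T3 L1 L2 H1 H2
%token NOT AND OR XOR
%token CTRUE CFALSE
%token IDENTIFIER
%token NUMBER
%token EQUALS
%token NOTEQUAL
%token IPV4_ADDR
%token IPV6_ADDR
%token MODULE VERSION_IDENTIFIER REQUIRE OPTIONAL
%token POLICYCAP
%token PERMISSIVE
%token FILESYSTEM
%token DEFAULT_USER DEFAULT_ROLE DEFAULT_TYPE DEFAULT_RANGE
%token LOW_HIGH LOW HIGH

/* Operator precedence for both cond_expr and cexpr (lowest first). */
%left OR
%left XOR
%left AND
%right NOT
%left EQUALS NOTEQUAL
%%

/*
 * Top level: a file is either a monolithic base policy or a policy module.
 */
policy              : base_policy
                    | module_policy
                    ;

/*
 * Base policy.  The mid-rule actions index the symbol tables at the points
 * where the sections that populate them are complete: classes after the
 * class/SID/access-vector section, booleans after the TE/RBAC section.  In
 * pass 2 the "others" tables are (re)indexed at both points instead.
 */
base_policy         : { if (define_policy(pass, 0) == -1) return -1; }
                      classes initial_sids access_vectors
                      { if (pass == 1) { if (policydb_index_classes(policydbp)) return -1; }
                        else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1; }}
                      opt_default_rules opt_mls te_rbac users opt_constraints
                      { if (pass == 1) { if (policydb_index_bools(policydbp)) return -1;}
                        else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1;}}
                      initial_sid_contexts opt_fs_contexts opt_fs_uses opt_genfs_contexts net_contexts opt_dev_contexts
                    ;

/* ---- classes, initial SIDs and access vectors ---- */
classes             : class_def
                    | classes class_def
                    ;
class_def           : CLASS identifier
                      {if (define_class()) return -1;}
                    ;
initial_sids        : initial_sid_def
                    | initial_sids initial_sid_def
                    ;
initial_sid_def     : SID identifier
                      {if (define_initial_sid()) return -1;}
                    ;
access_vectors      : opt_common_perms av_perms
                    ;
opt_common_perms    : common_perms
                    |
                    ;
common_perms        : common_perms_def
                    | common_perms common_perms_def
                    ;
common_perms_def    : COMMON identifier '{' identifier_list '}'
                      {if (define_common_perms()) return -1;}
                    ;
av_perms            : av_perms_def
                    | av_perms av_perms_def
                    ;
/* The argument tells define_av_perms() whether a COMMON set is inherited. */
av_perms_def        : CLASS identifier '{' identifier_list '}'
                      {if (define_av_perms(FALSE)) return -1;}
                    | CLASS identifier INHERITS identifier
                      {if (define_av_perms(TRUE)) return -1;}
                    | CLASS identifier INHERITS identifier '{' identifier_list '}'
                      {if (define_av_perms(TRUE)) return -1;}
                    ;

/* ---- default_user / default_role / default_type / default_range ---- */
opt_default_rules   : default_rules
                    |
                    ;
default_rules       : default_user_def
                    | default_role_def
                    | default_type_def
                    | default_range_def
                    | default_rules default_user_def
                    | default_rules default_role_def
                    | default_rules default_type_def
                    | default_rules default_range_def
                    ;
default_user_def    : DEFAULT_USER names SOURCE ';'
                      {if (define_default_user(DEFAULT_SOURCE)) return -1; }
                    | DEFAULT_USER names TARGET ';'
                      {if (define_default_user(DEFAULT_TARGET)) return -1; }
                    ;
default_role_def    : DEFAULT_ROLE names SOURCE ';'
                      {if (define_default_role(DEFAULT_SOURCE)) return -1; }
                    | DEFAULT_ROLE names TARGET ';'
                      {if (define_default_role(DEFAULT_TARGET)) return -1; }
                    ;
default_type_def    : DEFAULT_TYPE names SOURCE ';'
                      {if (define_default_type(DEFAULT_SOURCE)) return -1; }
                    | DEFAULT_TYPE names TARGET ';'
                      {if (define_default_type(DEFAULT_TARGET)) return -1; }
                    ;
default_range_def   : DEFAULT_RANGE names SOURCE LOW ';'
                      {if (define_default_range(DEFAULT_SOURCE_LOW)) return -1; }
                    | DEFAULT_RANGE names SOURCE HIGH ';'
                      {if (define_default_range(DEFAULT_SOURCE_HIGH)) return -1; }
                    | DEFAULT_RANGE names SOURCE LOW_HIGH ';'
                      {if (define_default_range(DEFAULT_SOURCE_LOW_HIGH)) return -1; }
                    | DEFAULT_RANGE names TARGET LOW ';'
                      {if (define_default_range(DEFAULT_TARGET_LOW)) return -1; }
                    | DEFAULT_RANGE names TARGET HIGH ';'
                      {if (define_default_range(DEFAULT_TARGET_HIGH)) return -1; }
                    | DEFAULT_RANGE names TARGET LOW_HIGH ';'
                      {if (define_default_range(DEFAULT_TARGET_LOW_HIGH)) return -1; }
                    ;

/* ---- MLS: sensitivities, dominance, categories, levels, mls constraints ---- */
opt_mls             : mls
                    |
                    ;
mls                 : sensitivities dominance opt_categories levels mlspolicy
                    ;
sensitivities       : sensitivity_def
                    | sensitivities sensitivity_def
                    ;
sensitivity_def     : SENSITIVITY identifier alias_def ';'
                      {if (define_sens()) return -1;}
                    | SENSITIVITY identifier ';'
                      {if (define_sens()) return -1;}
                    ;
alias_def           : ALIAS names
                    ;
dominance           : DOMINANCE identifier
                      {if (define_dominance()) return -1;}
                    | DOMINANCE '{' identifier_list '}'
                      {if (define_dominance()) return -1;}
                    ;
opt_categories      : categories
                    |
                    ;
categories          : category_def
                    | categories category_def
                    ;
category_def        : CATEGORY identifier alias_def ';'
                      {if (define_category()) return -1;}
                    | CATEGORY identifier ';'
                      {if (define_category()) return -1;}
                    ;
levels              : level_def
                    | levels level_def
                    ;
level_def           : LEVEL identifier ':' id_comma_list ';'
                      {if (define_level()) return -1;}
                    | LEVEL identifier ';'
                      {if (define_level()) return -1;}
                    ;
mlspolicy           : mlspolicy_decl
                    | mlspolicy mlspolicy_decl
                    ;
mlspolicy_decl      : mlsconstraint_def
                    | mlsvalidatetrans_def
                    ;
/* The cexpr tree is passed to the helper as the opaque constraint_expr_t*. */
mlsconstraint_def   : MLSCONSTRAIN names names cexpr ';'
                      { if (define_constraint((constraint_expr_t*)$4)) return -1; }
                    ;
mlsvalidatetrans_def : MLSVALIDATETRANS names cexpr ';'
                      { if (define_validatetrans((constraint_expr_t*)$3)) return -1; }
                    ;

/* ---- TE / RBAC section ---- */
te_rbac             : te_rbac_decl
                    | te_rbac te_rbac_decl
                    ;
te_rbac_decl        : te_decl
                    | rbac_decl
                    | cond_stmt_def
                    | optional_block
                    | policycap_def
                    | ';'
                    ;
rbac_decl           : attribute_role_def
                    | role_type_def
                    | role_dominance
                    | role_trans_def
                    | role_allow_def
                    | roleattribute_def
                    | role_attr_def
                    ;
te_decl             : attribute_def
                    | expandattribute_def
                    | type_def
                    | typealias_def
                    | typeattribute_def
                    | typebounds_def
                    | bool_def
                    | tunable_def
                    | transition_def
                    | range_trans_def
                    | te_avtab_def
                    | permissive_def
                    ;
attribute_def       : ATTRIBUTE identifier ';'
                      { if (define_attrib()) return -1;}
                    ;
expandattribute_def : EXPANDATTRIBUTE names bool_val ';'
                      { if (expand_attrib()) return -1;}
                    ;
/* define_type(1) when an ALIAS clause is present, define_type(0) otherwise. */
type_def            : TYPE identifier alias_def opt_attr_list ';'
                      {if (define_type(1)) return -1;}
                    | TYPE identifier opt_attr_list ';'
                      {if (define_type(0)) return -1;}
                    ;
typealias_def       : TYPEALIAS identifier alias_def ';'
                      {if (define_typealias()) return -1;}
                    ;
typeattribute_def   : TYPEATTRIBUTE identifier id_comma_list ';'
                      {if (define_typeattribute()) return -1;}
                    ;
typebounds_def      : TYPEBOUNDS identifier id_comma_list ';'
                      {if (define_typebounds()) return -1;}
                    ;
opt_attr_list       : ',' id_comma_list
                    |
                    ;
/* bool vs tunable share one helper; the flag is 0 for bool, 1 for tunable. */
bool_def            : BOOL identifier bool_val ';'
                      { if (define_bool_tunable(0)) return -1; }
                    ;
tunable_def         : TUNABLE identifier bool_val ';'
                      { if (define_bool_tunable(1)) return -1; }
                    ;
/* Boolean literals are queued as the single-character ids "T" / "F". */
bool_val            : CTRUE
                      { if (insert_id("T",0)) return -1; }
                    | CFALSE
                      { if (insert_id("F",0)) return -1; }
                    ;

/* ---- conditional policy (if/else blocks) ---- */
/* The conditional is only materialised in pass 2; in pass 1 the sub-rules
 * run for their side effects on the id queue and the boolean table only. */
cond_stmt_def       : IF cond_expr '{' cond_pol_list '}' cond_else
                      { if (pass == 2) { if (define_conditional((cond_expr_t*)$2, (avrule_t*)$4, (avrule_t*)$6) < 0) return -1; }}
                    ;
cond_else           : ELSE '{' cond_pol_list '}'
                      { $$ = $3; }
                    | /* empty */
                      { $$ = NULL; }
                    ;
cond_expr           : '(' cond_expr ')'
                      { $$ = $2;}
                    | NOT cond_expr
                      { $$ = define_cond_expr(COND_NOT, $2, 0);
                        if ($$ == 0) return -1; }
                    | cond_expr AND cond_expr
                      { $$ = define_cond_expr(COND_AND, $1, $3);
                        if ($$ == 0) return -1; }
                    | cond_expr OR cond_expr
                      { $$ = define_cond_expr(COND_OR, $1, $3);
                        if ($$ == 0) return -1; }
                    | cond_expr XOR cond_expr
                      { $$ = define_cond_expr(COND_XOR, $1, $3);
                        if ($$ == 0) return -1; }
                    | cond_expr EQUALS cond_expr
                      { $$ = define_cond_expr(COND_EQ, $1, $3);
                        if ($$ == 0) return -1; }
                    | cond_expr NOTEQUAL cond_expr
                      { $$ = define_cond_expr(COND_NEQ, $1, $3);
                        if ($$ == 0) return -1; }
                    | cond_expr_prim
                      { $$ = $1; }
                    ;
/* NOTE(review): this leaf tests COND_ERR while every other cond_expr
 * alternative tests for 0; confirm against define_cond_expr()'s failure
 * return value that both sentinels are actually caught. */
cond_expr_prim      : identifier
                      { $$ = define_cond_expr(COND_BOOL,0, 0);
                        if ($$ == COND_ERR) return -1; }
                    ;
/* Accumulates the rules of one branch; the helper's result is not checked
 * here (unlike the cond_*_def rules below). */
cond_pol_list       : cond_pol_list cond_rule_def
                      { $$ = define_cond_pol_list((avrule_t *)$1, (avrule_t *)$2); }
                    | /* empty */
                      { $$ = NULL; }
                    ;
cond_rule_def       : cond_transition_def
                      { $$ = $1; }
                    | cond_te_avtab_def
                      { $$ = $1; }
                    | require_block
                      { $$ = NULL; }
                    ;
cond_transition_def : TYPE_TRANSITION names names ':' names identifier filename ';'
                      { $$ = define_cond_filename_trans() ;
                        if ($$ == COND_ERR) return -1;}
                    | TYPE_TRANSITION names names ':' names identifier ';'
                      { $$ = define_cond_compute_type(AVRULE_TRANSITION) ;
                        if ($$ == COND_ERR) return -1;}
                    | TYPE_MEMBER names names ':' names identifier ';'
                      { $$ = define_cond_compute_type(AVRULE_MEMBER) ;
                        if ($$ == COND_ERR) return -1;}
                    | TYPE_CHANGE names names ':' names identifier ';'
                      { $$ = define_cond_compute_type(AVRULE_CHANGE) ;
                        if ($$ == COND_ERR) return -1;}
                    ;
cond_te_avtab_def   : cond_allow_def
                      { $$ = $1; }
                    | cond_auditallow_def
                      { $$ = $1; }
                    | cond_auditdeny_def
                      { $$ = $1; }
                    | cond_dontaudit_def
                      { $$ = $1; }
                    ;
cond_allow_def      : ALLOW names names ':' names names ';'
                      { $$ = define_cond_te_avtab(AVRULE_ALLOWED) ;
                        if ($$ == COND_ERR) return -1; }
                    ;
cond_auditallow_def : AUDITALLOW names names ':' names names ';'
                      { $$ = define_cond_te_avtab(AVRULE_AUDITALLOW) ;
                        if ($$ == COND_ERR) return -1; }
                    ;
cond_auditdeny_def  : AUDITDENY names names ':' names names ';'
                      { $$ = define_cond_te_avtab(AVRULE_AUDITDENY) ;
                        if ($$ == COND_ERR) return -1; }
                    ;
cond_dontaudit_def  : DONTAUDIT names names ':' names names ';'
                      { $$ = define_cond_te_avtab(AVRULE_DONTAUDIT);
                        if ($$ == COND_ERR) return -1; }
                    ;
                    ;

/* ---- unconditional type/range transitions and AV rules ---- */
transition_def      : TYPE_TRANSITION names names ':' names identifier filename ';'
                      {if (define_filename_trans()) return -1; }
                    | TYPE_TRANSITION names names ':' names identifier ';'
                      {if (define_compute_type(AVRULE_TRANSITION)) return -1;}
                    | TYPE_MEMBER names names ':' names identifier ';'
                      {if (define_compute_type(AVRULE_MEMBER)) return -1;}
                    | TYPE_CHANGE names names ':' names identifier ';'
                      {if (define_compute_type(AVRULE_CHANGE)) return -1;}
                    ;
/* define_range_trans(1) when an explicit class list follows the ':'. */
range_trans_def     : RANGE_TRANSITION names names mls_range_def ';'
                      { if (define_range_trans(0)) return -1; }
                    | RANGE_TRANSITION names names ':' names mls_range_def ';'
                      { if (define_range_trans(1)) return -1; }
                    ;
te_avtab_def        : allow_def
                    | auditallow_def
                    | auditdeny_def
                    | dontaudit_def
                    | neverallow_def
                    | xperm_allow_def
                    | xperm_auditallow_def
                    | xperm_dontaudit_def
                    | xperm_neverallow_def
                    ;
allow_def           : ALLOW names names ':' names names ';'
                      {if (define_te_avtab(AVRULE_ALLOWED)) return -1; }
                    ;
auditallow_def      : AUDITALLOW names names ':' names names ';'
                      {if (define_te_avtab(AVRULE_AUDITALLOW)) return -1; }
                    ;
auditdeny_def       : AUDITDENY names names ':' names names ';'
                      {if (define_te_avtab(AVRULE_AUDITDENY)) return -1; }
                    ;
dontaudit_def       : DONTAUDIT names names ':' names names ';'
                      {if (define_te_avtab(AVRULE_DONTAUDIT)) return -1; }
                    ;
neverallow_def      : NEVERALLOW names names ':' names names ';'
                      {if (define_te_avtab(AVRULE_NEVERALLOW)) return -1; }
                    ;
/* Extended-permission rules: a single operation identifier followed by an
 * xperms set (numbers, ranges, nested sets, optionally negated with '~'). */
xperm_allow_def     : ALLOWXPERM names names ':' names identifier xperms ';'
                      {if (define_te_avtab_extended_perms(AVRULE_XPERMS_ALLOWED)) return -1; }
                    ;
xperm_auditallow_def : AUDITALLOWXPERM names names ':' names identifier xperms ';'
                      {if (define_te_avtab_extended_perms(AVRULE_XPERMS_AUDITALLOW)) return -1; }
                    ;
xperm_dontaudit_def : DONTAUDITXPERM names names ':' names identifier xperms ';'
                      {if (define_te_avtab_extended_perms(AVRULE_XPERMS_DONTAUDIT)) return -1; }
                    ;
xperm_neverallow_def : NEVERALLOWXPERM names names ':' names identifier xperms ';'
                      {if (define_te_avtab_extended_perms(AVRULE_XPERMS_NEVERALLOW)) return -1; }
                    ;

/* ---- RBAC ---- */
attribute_role_def  : ATTRIBUTE_ROLE identifier ';'
                      {if (define_attrib_role()) return -1; }
                    ;
role_type_def       : ROLE identifier TYPES names ';'
                      {if (define_role_types()) return -1;}
                    ;
role_attr_def       : ROLE identifier opt_attr_list ';'
                      {if (define_role_attr()) return -1;}
                    ;
role_dominance      : DOMINANCE '{' roles '}'
                    ;
/* define_role_trans(1) when an explicit class list follows the ':'. */
role_trans_def      : ROLE_TRANSITION names names identifier ';'
                      {if (define_role_trans(0)) return -1; }
                    | ROLE_TRANSITION names names ':' names identifier ';'
                      {if (define_role_trans(1)) return -1;}
                    ;
role_allow_def      : ALLOW names names ';'
                      {if (define_role_allow()) return -1; }
                    ;
/* Role dominance trees: nested role_def blocks are merged bottom-up. */
roles               : role_def
                      { $$ = $1; }
                    | roles role_def
                      { $$ = merge_roles_dom((role_datum_t*)$1, (role_datum_t*)$2); if ($$ == 0) return -1;}
                    ;
role_def            : ROLE identifier_push ';'
                      {$$ = define_role_dom(NULL); if ($$ == 0) return -1;}
                    | ROLE identifier_push '{' roles '}'
                      {$$ = define_role_dom((role_datum_t*)$4); if ($$ == 0) return -1;}
                    ;
roleattribute_def   : ROLEATTRIBUTE identifier id_comma_list ';'
                      {if (define_roleattribute()) return -1;}
                    ;

/* ---- constraints and validatetrans ---- */
opt_constraints     : constraints
                    |
                    ;
constraints         : constraint_decl
                    | constraints constraint_decl
                    ;
constraint_decl     : constraint_def
                    | validatetrans_def
                    ;
constraint_def      : CONSTRAIN names names cexpr ';'
                      { if (define_constraint((constraint_expr_t*)$4)) return -1; }
                    ;
validatetrans_def   : VALIDATETRANS names cexpr ';'
                      { if (define_validatetrans((constraint_expr_t*)$3)) return -1; }
                    ;
/* Constraint expression tree; every node is built by define_cexpr() and a
 * 0 result aborts the parse. */
cexpr               : '(' cexpr ')'
                      { $$ = $2; }
                    | NOT cexpr
                      { $$ = define_cexpr(CEXPR_NOT, $2, 0);
                        if ($$ == 0) return -1; }
                    | cexpr AND cexpr
                      { $$ = define_cexpr(CEXPR_AND, $1, $3);
                        if ($$ == 0) return -1; }
                    | cexpr OR cexpr
                      { $$ = define_cexpr(CEXPR_OR, $1, $3);
                        if ($$ == 0) return -1; }
                    | cexpr_prim
                      { $$ = $1; }
                    ;
/* Leaves.  The attribute forms (u1 op u2, r1 op r2, ...) compare the two
 * contexts directly; the name forms (u1 op { names }) compare one side
 * against a literal set, which is why they push a separator with flag 1 and
 * then use the *_push variants of the name rules. */
cexpr_prim          : U1 op U2
                      { $$ = define_cexpr(CEXPR_ATTR, CEXPR_USER, $2);
                        if ($$ == 0) return -1; }
                    | R1 role_mls_op R2
                      { $$ = define_cexpr(CEXPR_ATTR, CEXPR_ROLE, $2);
                        if ($$ == 0) return -1; }
                    | T1 op T2
                      { $$ = define_cexpr(CEXPR_ATTR, CEXPR_TYPE, $2);
                        if ($$ == 0) return -1; }
                    | U1 op { if (insert_separator(1)) return -1; } names_push
                      { $$ = define_cexpr(CEXPR_NAMES, CEXPR_USER, $2);
                        if ($$ == 0) return -1; }
                    | U2 op { if (insert_separator(1)) return -1; } names_push
                      { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_USER | CEXPR_TARGET), $2);
                        if ($$ == 0) return -1; }
                    | U3 op { if (insert_separator(1)) return -1; } names_push
                      { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_USER | CEXPR_XTARGET), $2);
                        if ($$ == 0) return -1; }
                    | R1 op { if (insert_separator(1)) return -1; } names_push
                      { $$ = define_cexpr(CEXPR_NAMES, CEXPR_ROLE, $2);
                        if ($$ == 0) return -1; }
                    | R2 op { if (insert_separator(1)) return -1; } names_push
                      { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_ROLE | CEXPR_TARGET), $2);
                        if ($$ == 0) return -1; }
                    | R3 op { if (insert_separator(1)) return -1; } names_push
                      { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_ROLE | CEXPR_XTARGET), $2);
                        if ($$ == 0) return -1; }
                    | T1 op { if (insert_separator(1)) return -1; } names_push
                      { $$ = define_cexpr(CEXPR_NAMES, CEXPR_TYPE, $2);
                        if ($$ == 0) return -1; }
                    | T2 op { if (insert_separator(1)) return -1; } names_push
                      { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_TYPE | CEXPR_TARGET), $2);
                        if ($$ == 0) return -1; }
                    | T3 op { if (insert_separator(1)) return -1; } names_push
                      { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_TYPE | CEXPR_XTARGET), $2);
                        if ($$ == 0) return -1; }
                    /* legacy spellings: SAMEUSER, "source role", "target type", ... */
                    | SAMEUSER
                      { $$ = define_cexpr(CEXPR_ATTR, CEXPR_USER, CEXPR_EQ);
                        if ($$ == 0) return -1; }
                    | SOURCE ROLE { if (insert_separator(1)) return -1; } names_push
                      { $$ = define_cexpr(CEXPR_NAMES, CEXPR_ROLE, CEXPR_EQ);
                        if ($$ == 0) return -1; }
                    | TARGET ROLE { if (insert_separator(1)) return -1; } names_push
                      { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_ROLE | CEXPR_TARGET), CEXPR_EQ);
                        if ($$ == 0) return -1; }
                    | ROLE role_mls_op
                      { $$ = define_cexpr(CEXPR_ATTR, CEXPR_ROLE, $2);
                        if ($$ == 0) return -1; }
                    | SOURCE TYPE { if (insert_separator(1)) return -1; } names_push
                      { $$ = define_cexpr(CEXPR_NAMES, CEXPR_TYPE, CEXPR_EQ);
                        if ($$ == 0) return -1; }
                    | TARGET TYPE { if (insert_separator(1)) return -1; } names_push
                      { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_TYPE | CEXPR_TARGET), CEXPR_EQ);
                        if ($$ == 0) return -1; }
                    /* MLS level comparisons (low/high of source and target). */
                    | L1 role_mls_op L2
                      { $$ = define_cexpr(CEXPR_ATTR, CEXPR_L1L2, $2);
                        if ($$ == 0) return -1; }
                    | L1 role_mls_op H2
                      { $$ = define_cexpr(CEXPR_ATTR, CEXPR_L1H2, $2);
                        if ($$ == 0) return -1; }
                    | H1 role_mls_op L2
                      { $$ = define_cexpr(CEXPR_ATTR, CEXPR_H1L2, $2);
                        if ($$ == 0) return -1; }
                    | H1 role_mls_op H2
                      { $$ = define_cexpr(CEXPR_ATTR, CEXPR_H1H2, $2);
                        if ($$ == 0) return -1; }
                    | L1 role_mls_op H1
                      { $$ = define_cexpr(CEXPR_ATTR, CEXPR_L1H1, $2);
                        if ($$ == 0) return -1; }
                    | L2 role_mls_op H2
                      { $$ = define_cexpr(CEXPR_ATTR, CEXPR_L2H2, $2);
                        if ($$ == 0) return -1; }
                    ;
op                  : EQUALS
                      { $$ = CEXPR_EQ; }
                    | NOTEQUAL
                      { $$ = CEXPR_NEQ; }
                    ;
/* Roles and MLS levels additionally support the dominance operators. */
role_mls_op         : op
                      { $$ = $1; }
                    | DOM
                      { $$ = CEXPR_DOM; }
                    | DOMBY
                      { $$ = CEXPR_DOMBY; }
                    | INCOMP
                      { $$ = CEXPR_INCOMP; }
                    ;

/* ---- users ---- */
users               : user_def
                    | users user_def
                    ;
user_def            : USER identifier ROLES names opt_mls_user ';'
                      {if (define_user()) return -1;}
                    ;
opt_mls_user        : LEVEL mls_level_def RANGE mls_range_def
                    |
                    ;

/* ---- initial SID contexts and device contexts ---- */
initial_sid_contexts : initial_sid_context_def
                    | initial_sid_contexts initial_sid_context_def
                    ;
initial_sid_context_def : SID identifier security_context_def
                      {if (define_initial_sid_context()) return -1;}
                    ;
opt_dev_contexts    : dev_contexts |
                    ;
dev_contexts        : dev_context_def
                    | dev_contexts dev_context_def
                    ;
dev_context_def     : pirq_context_def |
                      iomem_context_def |
                      ioport_context_def |
                      pci_context_def |
                      dtree_context_def
                    ;
pirq_context_def    : PIRQCON number security_context_def
                      {if (define_pirq_context($2)) return -1;}
                    ;
/* Single values are passed as a degenerate range (low == high).  Ordering
 * of low/high is left to the helper. */
iomem_context_def   : IOMEMCON number64 security_context_def
                      {if (define_iomem_context($2,$2)) return -1;}
                    | IOMEMCON number64 '-' number64 security_context_def
                      {if (define_iomem_context($2,$4)) return -1;}
                    ;
ioport_context_def  : IOPORTCON number security_context_def
                      {if (define_ioport_context($2,$2)) return -1;}
                    | IOPORTCON number '-' number security_context_def
                      {if (define_ioport_context($2,$4)) return -1;}
                    ;
pci_context_def     : PCIDEVICECON number security_context_def
                      {if (define_pcidevice_context($2)) return -1;}
                    ;
dtree_context_def   : DEVICETREECON path security_context_def
                      {if (define_devicetree_context()) return -1;}
                    ;

/* ---- filesystem, port, netif and node contexts ---- */
opt_fs_contexts     : fs_contexts
                    |
                    ;
fs_contexts         : fs_context_def
                    | fs_contexts fs_context_def
                    ;
fs_context_def      : FSCON number number security_context_def security_context_def
                      {if (define_fs_context($2,$3)) return -1;}
                    ;
net_contexts        : opt_port_contexts opt_netif_contexts opt_node_contexts
                    ;
opt_port_contexts   : port_contexts
                    |
                    ;
port_contexts       : port_context_def
                    | port_contexts port_context_def
                    ;
/* portcon <protocol> <port>[-<port>] <context>; the protocol identifier is
 * taken from the id queue by the helper, the port numbers by value. */
port_context_def    : PORTCON identifier number security_context_def
                      {if (define_port_context($3,$3)) return -1;}
                    | PORTCON identifier number '-' number security_context_def
                      {if (define_port_context($3,$5)) return -1;}
                    ;
opt_netif_contexts  : netif_contexts
                    |
                    ;
netif_contexts      : netif_context_def
                    | netif_contexts netif_context_def
                    ;
netif_context_def   : NETIFCON identifier security_context_def security_context_def
                      {if (define_netif_context()) return -1;}
                    ;
opt_node_contexts   : node_contexts
                    |
                    ;
node_contexts       : node_context_def
                    | node_contexts node_context_def
                    ;
/* nodecon <addr> <mask> <context>, IPv4 or IPv6 form. */
node_context_def    : NODECON ipv4_addr_def ipv4_addr_def security_context_def
                      {if (define_ipv4_node_context()) return -1;}
                    | NODECON ipv6_addr ipv6_addr security_context_def
                      {if (define_ipv6_node_context()) return -1;}
                    ;
opt_fs_uses         : fs_uses
                    |
                    ;
fs_uses             : fs_use_def
                    | fs_uses fs_use_def
                    ;
fs_use_def          : FSUSEXATTR filesystem security_context_def ';'
                      {if (define_fs_use(SECURITY_FS_USE_XATTR)) return -1;}
                    | FSUSETASK identifier security_context_def ';'
                      {if (define_fs_use(SECURITY_FS_USE_TASK)) return -1;}
                    | FSUSETRANS identifier security_context_def ';'
                      {if (define_fs_use(SECURITY_FS_USE_TRANS)) return -1;}
                    ;
opt_genfs_contexts  : genfs_contexts
                    |
                    ;
genfs_contexts      : genfs_context_def
                    | genfs_contexts genfs_context_def
                    ;
/* genfscon <fs> <path> [-<filetype> | --] <context>.  The "--" form queues a
 * literal "-" so that define_genfs_context(1) presumably sees the same id
 * layout as the "-<filetype>" form.  The insert_id() result is checked like
 * every other id-queue insertion in this grammar; an ignored failure here
 * would leave the queue inconsistent for the helper. */
genfs_context_def   : GENFSCON filesystem path '-' identifier security_context_def
                      {if (define_genfs_context(1)) return -1;}
                    | GENFSCON filesystem path '-' '-' { if (insert_id("-", 0)) return -1; } security_context_def
                      {if (define_genfs_context(1)) return -1;}
                    | GENFSCON filesystem path security_context_def
                      {if (define_genfs_context(0)) return -1;}
                    ;
ipv4_addr_def       : IPV4_ADDR
                      { if (insert_id(yytext,0)) return -1; }
                    ;

/* ---- extended permission sets ---- */
/* NOTE(review): the `tilde xperm` alternative pushes "~" without a trailing
 * insert_separator(), unlike the other three alternatives; confirm this is
 * what define_te_avtab_extended_perms() expects before relying on it. */
xperms              : xperm
                      { if (insert_separator(0)) return -1; }
                    | nested_xperm_set
                      { if (insert_separator(0)) return -1; }
                    | tilde xperm
                      { if (insert_id("~", 0)) return -1; }
                    | tilde nested_xperm_set
                      { if (insert_id("~", 0)) return -1;
                        if (insert_separator(0)) return -1; }
                    ;
nested_xperm_set    : '{' nested_xperm_list '}'
                    ;
nested_xperm_list   : nested_xperm_element
                    | nested_xperm_list nested_xperm_element
                    ;
/* A range `a - b` is queued as the three ids a, "-", b. */
nested_xperm_element: xperm '-' { if (insert_id("-", 0)) return -1; } xperm
                    | xperm
                    | nested_xperm_set
                    ;
/* The numeric text is queued as an id (its converted value in $1 is unused). */
xperm               : number
                      { if (insert_id(yytext,0)) return -1; }
                    ;

/* ---- security contexts and MLS ranges/levels ---- */
security_context_def : identifier ':' identifier ':' identifier opt_mls_range_def
                    ;
opt_mls_range_def   : ':' mls_range_def
                    |
                    ;
mls_range_def       : mls_level_def '-' mls_level_def
                      {if (insert_separator(0)) return -1;}
                    | mls_level_def
                      {if (insert_separator(0)) return -1;}
                    ;
mls_level_def       : identifier ':' id_comma_list
                      {if (insert_separator(0)) return -1;}
                    | identifier
                      {if (insert_separator(0)) return -1;}
                    ;
id_comma_list       : identifier
                    | id_comma_list ',' identifier
                    ;
tilde               : '~'
                    ;
asterisk            : '*'
                    ;

/* ---- name sets ---- */
/* A `names` group is a list of ids terminated by a separator.  "*" and "~"
 * are queued as literal ids ahead of the names they apply to; a range
 * `a - b` is queued as a, "-", b. */
names               : identifier
                      { if (insert_separator(0)) return -1; }
                    | nested_id_set
                      { if (insert_separator(0)) return -1; }
                    | asterisk
                      { if (insert_id("*", 0)) return -1;
                        if (insert_separator(0)) return -1; }
                    | tilde identifier
                      { if (insert_id("~", 0)) return -1;
                        if (insert_separator(0)) return -1; }
                    | tilde nested_id_set
                      { if (insert_id("~", 0)) return -1;
                        if (insert_separator(0)) return -1; }
                    | identifier '-' { if (insert_id("-", 0)) return -1; } identifier
                      { if (insert_separator(0)) return -1; }
                    ;
/* *_push variants: identical syntax, but inserted with flag 1.  Used by
 * cexpr_prim and role_def only. */
tilde_push          : tilde
                      { if (insert_id("~", 1)) return -1; }
                    ;
asterisk_push       : asterisk
                      { if (insert_id("*", 1)) return -1; }
                    ;
names_push          : identifier_push
                    | '{' identifier_list_push '}'
                    | asterisk_push
                    | tilde_push identifier_push
                    | tilde_push '{' identifier_list_push '}'
                    ;
identifier_list_push : identifier_push
                    | identifier_list_push identifier_push
                    ;
identifier_push     : IDENTIFIER
                      { if (insert_id(yytext, 1)) return -1; }
                    ;
identifier_list     : identifier
                    | identifier_list identifier
                    ;
nested_id_set       : '{' nested_id_list '}'
                    ;
nested_id_list      : nested_id_element | nested_id_list nested_id_element
                    ;
nested_id_element   : identifier | '-' { if (insert_id("-", 0)) return -1; } identifier | nested_id_set
                    ;
identifier          : IDENTIFIER
                      { if (insert_id(yytext,0)) return -1; }
                    ;
filesystem          : FILESYSTEM
                      { if (insert_id(yytext,0)) return -1; }
                    | IDENTIFIER
                      { if (insert_id(yytext,0)) return -1; }
                    ;
/* Quoted paths/filenames: the surrounding quote characters are stripped in
 * place by overwriting the last byte and skipping the first.  This assumes
 * the scanner only produces QPATH/FILENAME tokens that carry both quotes
 * (strlen(yytext) >= 2) — TODO confirm against the scanner rules. */
path                : PATH
                      { if (insert_id(yytext,0)) return -1; }
                    | QPATH
                      { yytext[strlen(yytext) - 1] = '\0'; if (insert_id(yytext + 1,0)) return -1; }
                    ;
filename            : FILENAME
                      { yytext[strlen(yytext) - 1] = '\0'; if (insert_id(yytext + 1,0)) return -1; }
                    ;
/* Numeric literals.  strtoul()/strtoull() accept decimal, octal and hex
 * (base 0).  Out-of-range input is rejected instead of being silently
 * clamped to ULONG_MAX / truncated to 32 bits: these values end up as port,
 * I/O port, PCI device and fs numbers, so a wrapped value would produce a
 * rule for the wrong object rather than a compile error. */
number              : NUMBER
                      { unsigned long x;
                        errno = 0;
                        x = strtoul(yytext, NULL, 0);
                        if (errno == ERANGE) {
                            yyerror("number out of range");
                            return -1;
                        }
#if ULONG_MAX > UINT_MAX
                        if (x > UINT_MAX) {
                            yyerror("number out of range");
                            return -1;
                        }
#endif
                        $$ = (unsigned int) x; }
                    ;
number64            : NUMBER
                      { unsigned long long x;
                        errno = 0;
                        x = strtoull(yytext, NULL, 0);
                        if (errno == ERANGE) {
                            yyerror("number out of range");
                            return -1;
                        }
                        $$ = (uint64_t) x; }
                    ;
ipv6_addr           : IPV6_ADDR
                      { if (insert_id(yytext,0)) return -1; }
                    ;
policycap_def       : POLICYCAP identifier ';'
                      {if (define_polcap()) return -1;}
                    ;
permissive_def      : PERMISSIVE identifier ';'
                      {if (define_permissive()) return -1;}

/*********** module grammar below ***********/

/* A module is a header plus one avrules block; the block is closed and the
 * symbol tables indexed once the whole module has been read. */
module_policy       : module_def avrules_block
                      { if (end_avrule_block(pass) == -1) return -1;
                        if (policydb_index_others(NULL, policydbp, 0)) return -1;
                      }
                    ;
module_def          : MODULE identifier version_identifier ';'
                      { if (define_policy(pass, 1) == -1) return -1; }
                    ;
version_identifier  : VERSION_IDENTIFIER
                      { if (insert_id(yytext,0)) return -1; }
                    | number
                      { if (insert_id(yytext,0)) return -1; }
                    | ipv4_addr_def /* version can look like ipv4 address */
                    ;
avrules_block       : avrule_decls avrule_user_defs
                    ;
avrule_decls        : avrule_decls avrule_decl
                    | avrule_decl
                    ;
avrule_decl         : rbac_decl
                    | te_decl
                    | cond_stmt_def
                    | require_block
                    | optional_block
                    | ';'
                    ;
require_block       : REQUIRE '{' require_list '}'
                    ;
require_list        : require_list require_decl
                    | require_decl
                    ;
require_decl        : require_class ';'
                    | require_decl_def require_id_list ';'
                    ;
require_class       : CLASS identifier names
                      { if (require_class(pass)) return -1; }
                    ;
/* The keyword selects which require_*() helper is applied to every id in the
 * following list. */
require_decl_def    : ROLE { $$ = require_role; }
                    | TYPE { $$ = require_type; }
                    | ATTRIBUTE { $$ = require_attribute; }
                    | ATTRIBUTE_ROLE { $$ = require_attribute_role; }
                    | USER { $$ = require_user; }
                    | BOOL { $$ = require_bool; }
                    | TUNABLE { $$ = require_tunable; }
                    | SENSITIVITY { $$ = require_sens; }
                    | CATEGORY { $$ = require_cat; }
                    ;
/* $<require_func>0 is the semantic value of the symbol preceding this
 * non-terminal on the parser stack, i.e. the require_decl_def chosen in
 * require_decl above; it is invoked once per identifier. */
require_id_list     : identifier
                      { if ($<require_func>0 (pass)) return -1; }
                    | require_id_list ',' identifier
                      { if ($<require_func>0 (pass)) return -1; }
                    ;
/* optional { ... } [else { ... }]: each avrules block is closed with
 * end_avrule_block() before the optional itself is closed. */
optional_block      : optional_decl '{' avrules_block '}'
                      { if (end_avrule_block(pass) == -1) return -1; }
                      optional_else
                      { if (end_optional(pass) == -1) return -1; }
                    ;
optional_else       : else_decl '{' avrules_block '}'
                      { if (end_avrule_block(pass) == -1) return -1; }
                    | /* empty */
                    ;
optional_decl       : OPTIONAL
                      { if (begin_optional(pass) == -1) return -1; }
                    ;
else_decl           : ELSE
                      { if (begin_optional_else(pass) == -1) return -1; }
                    ;
avrule_user_defs    : user_def avrule_user_defs
                    | /* empty */
                    ;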