1 2 /* 3 * Author : Stephen Smalley, <[email protected]> 4 */ 5 6 /* 7 * Updated: Trusted Computer Solutions, Inc. <[email protected]> 8 * 9 * Support for enhanced MLS infrastructure. 10 * 11 * Updated: David Caplan, <[email protected]> 12 * 13 * Added conditional policy language extensions 14 * 15 * Updated: Joshua Brindle <[email protected]> 16 * Karl MacMillan <[email protected]> 17 * Jason Tang <[email protected]> 18 * 19 * Added support for binary policy modules 20 * 21 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 22 * Copyright (C) 2003 - 2008 Tresys Technology, LLC 23 * Copyright (C) 2007 Red Hat Inc. 24 * Copyright (C) 2017 Mellanox Technologies Inc. 25 * This program is free software; you can redistribute it and/or modify 26 * it under the terms of the GNU General Public License as published by 27 * the Free Software Foundation, version 2. 28 */ 29 30 /* FLASK */ 31 32 %{ 33 #include <sys/types.h> 34 #include <assert.h> 35 #include <stdarg.h> 36 #include <stdint.h> 37 #include <stdio.h> 38 #include <stdlib.h> 39 #include <string.h> 40 #include <sys/socket.h> 41 #include <netinet/in.h> 42 #include <arpa/inet.h> 43 #include <stdlib.h> 44 45 #include <sepol/policydb/expand.h> 46 #include <sepol/policydb/policydb.h> 47 #include <sepol/policydb/services.h> 48 #include <sepol/policydb/conditional.h> 49 #include <sepol/policydb/hierarchy.h> 50 #include <sepol/policydb/polcaps.h> 51 #include "queue.h" 52 #include "module_compiler.h" 53 #include "policy_define.h" 54 55 extern policydb_t *policydbp; 56 extern unsigned int pass; 57 58 extern char yytext[]; 59 extern int yylex(void); 60 extern int yywarn(const char *msg); 61 extern int yyerror(const char *msg); 62 63 typedef int (* require_func_t)(int pass); 64 65 %} 66 67 %union { 68 unsigned int val; 69 uint64_t val64; 70 uintptr_t valptr; 71 void *ptr; 72 require_func_t require_func; 73 } 74 75 %type <ptr> cond_expr cond_expr_prim cond_pol_list cond_else 76 %type <ptr> cond_allow_def 
cond_auditallow_def cond_auditdeny_def cond_dontaudit_def 77 %type <ptr> cond_transition_def cond_te_avtab_def cond_rule_def 78 %type <valptr> cexpr cexpr_prim op role_mls_op 79 %type <val> ipv4_addr_def number 80 %type <val64> number64 81 %type <require_func> require_decl_def 82 83 %token PATH 84 %token QPATH 85 %token FILENAME 86 %token COMMON 87 %token CLASS 88 %token CONSTRAIN 89 %token VALIDATETRANS 90 %token INHERITS 91 %token SID 92 %token ROLE 93 %token ROLEATTRIBUTE 94 %token ATTRIBUTE_ROLE 95 %token ROLES 96 %token TYPEALIAS 97 %token TYPEATTRIBUTE 98 %token TYPEBOUNDS 99 %token TYPE 100 %token TYPES 101 %token ALIAS 102 %token ATTRIBUTE 103 %token EXPANDATTRIBUTE 104 %token BOOL 105 %token TUNABLE 106 %token IF 107 %token ELSE 108 %token TYPE_TRANSITION 109 %token TYPE_MEMBER 110 %token TYPE_CHANGE 111 %token ROLE_TRANSITION 112 %token RANGE_TRANSITION 113 %token SENSITIVITY 114 %token DOMINANCE 115 %token DOM DOMBY INCOMP 116 %token CATEGORY 117 %token LEVEL 118 %token RANGE 119 %token MLSCONSTRAIN 120 %token MLSVALIDATETRANS 121 %token USER 122 %token NEVERALLOW 123 %token ALLOW 124 %token AUDITALLOW 125 %token AUDITDENY 126 %token DONTAUDIT 127 %token ALLOWXPERM 128 %token AUDITALLOWXPERM 129 %token DONTAUDITXPERM 130 %token NEVERALLOWXPERM 131 %token SOURCE 132 %token TARGET 133 %token SAMEUSER 134 %token FSCON PORTCON NETIFCON NODECON 135 %token IBPKEYCON 136 %token IBENDPORTCON 137 %token PIRQCON IOMEMCON IOPORTCON PCIDEVICECON DEVICETREECON 138 %token FSUSEXATTR FSUSETASK FSUSETRANS 139 %token GENFSCON 140 %token U1 U2 U3 R1 R2 R3 T1 T2 T3 L1 L2 H1 H2 141 %token NOT AND OR XOR 142 %token CTRUE CFALSE 143 %token IDENTIFIER 144 %token NUMBER 145 %token EQUALS 146 %token NOTEQUAL 147 %token IPV4_ADDR 148 %token IPV4_CIDR 149 %token IPV6_ADDR 150 %token IPV6_CIDR 151 %token MODULE VERSION_IDENTIFIER REQUIRE OPTIONAL 152 %token POLICYCAP 153 %token PERMISSIVE 154 %token FILESYSTEM 155 %token DEFAULT_USER DEFAULT_ROLE DEFAULT_TYPE DEFAULT_RANGE 156 
%token LOW_HIGH LOW HIGH GLBLUB
%token INVALID_CHAR

%left OR
%left XOR
%left AND
%right NOT
%left EQUALS NOTEQUAL
%%
/*
 * Grammar entry point: a policy source is either a monolithic base policy
 * or a loadable module (module grammar is at the end of this file).
 *
 * Convention used by every rule below: the define_*() helpers from
 * policy_define.c are called from the actions and a non-zero return is
 * treated as failure, which aborts the whole parse (YYABORT) rather than
 * continuing with a partially built policydb.  The parser runs twice
 * (`pass` is 1 then 2); several actions are gated on the pass number.
 */
policy			: base_policy
			| module_policy
			;
/*
 * A base policy is parsed in a fixed section order.  The embedded actions
 * index the symbol tables at the points where the following sections
 * need to resolve them: classes after access_vectors, bools after the
 * TE/RBAC rules.  On pass 2 the full policydb is (re-)indexed instead.
 */
base_policy		: { if (define_policy(pass, 0) == -1) YYABORT; }
			  classes initial_sids access_vectors
			  { if (pass == 1) { if (policydb_index_classes(policydbp)) YYABORT; }
			    else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) YYABORT; }}
			  opt_default_rules opt_mls te_rbac users opt_constraints
			  { if (pass == 1) { if (policydb_index_bools(policydbp)) YYABORT; }
			    else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) YYABORT; }}
			  initial_sid_contexts opt_fs_contexts opt_fs_uses opt_genfs_contexts net_contexts opt_dev_contexts opt_ibpkey_contexts opt_ibendport_contexts
			;
classes			: class_def
			| classes class_def
			;
class_def		: CLASS identifier
			{if (define_class()) YYABORT;}
			;
initial_sids		: initial_sid_def
			| initial_sids initial_sid_def
			;
initial_sid_def		: SID identifier
			{if (define_initial_sid()) YYABORT;}
			;
access_vectors		: opt_common_perms av_perms
			;
opt_common_perms	: common_perms
			|
			;
common_perms		: common_perms_def
			| common_perms common_perms_def
			;
common_perms_def	: COMMON identifier '{' identifier_list '}'
			{if (define_common_perms()) YYABORT;}
			;
av_perms		: av_perms_def
			| av_perms av_perms_def
			;
/* The argument to define_av_perms() says whether a common set is inherited. */
av_perms_def		: CLASS identifier '{' identifier_list '}'
			{if (define_av_perms(FALSE)) YYABORT;}
			| CLASS identifier INHERITS identifier
			{if (define_av_perms(TRUE)) YYABORT;}
			| CLASS identifier INHERITS identifier '{' identifier_list '}'
			{if (define_av_perms(TRUE)) YYABORT;}
			;
opt_default_rules	: default_rules
			|
			;
default_rules		: default_user_def
			| default_role_def
			| default_type_def
			| default_range_def
			| default_rules default_user_def
			| default_rules default_role_def
			| default_rules default_type_def
			| default_rules default_range_def
			;
default_user_def	: DEFAULT_USER names SOURCE ';'
			{if (define_default_user(DEFAULT_SOURCE)) YYABORT; }
			| DEFAULT_USER names TARGET ';'
			{if (define_default_user(DEFAULT_TARGET)) YYABORT; }
			;
default_role_def	: DEFAULT_ROLE names SOURCE ';'
			{if (define_default_role(DEFAULT_SOURCE)) YYABORT; }
			| DEFAULT_ROLE names TARGET ';'
			{if (define_default_role(DEFAULT_TARGET)) YYABORT; }
			;
default_type_def	: DEFAULT_TYPE names SOURCE ';'
			/* the doubled ';' after YYABORT is an empty statement; harmless */
			{if (define_default_type(DEFAULT_SOURCE)) YYABORT;; }
			| DEFAULT_TYPE names TARGET ';'
			{if (define_default_type(DEFAULT_TARGET)) YYABORT; }
			;
default_range_def	: DEFAULT_RANGE names SOURCE LOW ';'
			{if (define_default_range(DEFAULT_SOURCE_LOW)) YYABORT; }
			| DEFAULT_RANGE names SOURCE HIGH ';'
			{if (define_default_range(DEFAULT_SOURCE_HIGH)) YYABORT; }
			| DEFAULT_RANGE names SOURCE LOW_HIGH ';'
			{if (define_default_range(DEFAULT_SOURCE_LOW_HIGH)) YYABORT; }
			| DEFAULT_RANGE names TARGET LOW ';'
			{if (define_default_range(DEFAULT_TARGET_LOW)) YYABORT; }
			| DEFAULT_RANGE names TARGET HIGH ';'
			{if (define_default_range(DEFAULT_TARGET_HIGH)) YYABORT; }
			| DEFAULT_RANGE names TARGET LOW_HIGH ';'
			{if (define_default_range(DEFAULT_TARGET_LOW_HIGH)) YYABORT; }
			| DEFAULT_RANGE names GLBLUB';'
			{if (define_default_range(DEFAULT_GLBLUB)) YYABORT; }
			;
/* MLS section: sensitivities, then dominance order, categories, levels, MLS constraints. */
opt_mls			: mls
			|
			;
mls			: sensitivities dominance opt_categories levels mlspolicy
			;
sensitivities		: sensitivity_def
			| sensitivities sensitivity_def
			;
sensitivity_def		: SENSITIVITY identifier alias_def ';'
			{if (define_sens()) YYABORT;}
			| SENSITIVITY identifier ';'
			{if (define_sens()) YYABORT;}
			;
alias_def		: ALIAS names
			;
dominance		: DOMINANCE identifier
			{if (define_dominance()) YYABORT;}
			| DOMINANCE '{' identifier_list '}'
			{if (define_dominance()) YYABORT;}
			;
opt_categories		: categories
			|
			;
categories		: category_def
			| categories category_def
			;
category_def		: CATEGORY identifier alias_def ';'
			{if (define_category()) YYABORT;}
			| CATEGORY identifier ';'
			{if (define_category()) YYABORT;}
			;
levels			: level_def
			| levels level_def
			;
level_def		: LEVEL identifier ':' id_comma_list ';'
			{if (define_level()) YYABORT;}
			| LEVEL identifier ';'
			{if (define_level()) YYABORT;}
			;
mlspolicy		: mlspolicy_decl
			| mlspolicy mlspolicy_decl
			;
mlspolicy_decl		: mlsconstraint_def
			| mlsvalidatetrans_def
			;
/*
 * cexpr is typed <valptr> (uintptr_t, see the %type declarations above), so
 * the constraint tree pointer is carried through the value stack as an
 * integer and cast back here.
 */
mlsconstraint_def	: MLSCONSTRAIN names names cexpr ';'
			{ if (define_constraint((constraint_expr_t*)$4)) YYABORT; }
			;
mlsvalidatetrans_def	: MLSVALIDATETRANS names cexpr ';'
			{ if (define_validatetrans((constraint_expr_t*)$3)) YYABORT; }
			;
te_rbac			: te_rbac_decl
			| te_rbac te_rbac_decl
			;
/* A bare ';' is accepted as an empty declaration. */
te_rbac_decl		: te_decl
			| rbac_decl
			| cond_stmt_def
			| optional_block
			| policycap_def
			| ';'
			;
rbac_decl		: attribute_role_def
			| role_type_def
			| role_trans_def
			| role_allow_def
			| roleattribute_def
			| role_attr_def
			;
te_decl			: attribute_def
			| expandattribute_def
			| type_def
			| typealias_def
			| typeattribute_def
			| typebounds_def
			| bool_def
			| tunable_def
			| transition_def
			| range_trans_def
			| te_avtab_def
			| permissive_def
			;
attribute_def		: ATTRIBUTE identifier ';'
			{ if (define_attrib()) YYABORT;}
			;
expandattribute_def	: EXPANDATTRIBUTE names bool_val ';'
			{ if (expand_attrib()) YYABORT;}
			;
/* define_type(1) when an alias list is present, define_type(0) otherwise. */
type_def		: TYPE identifier alias_def opt_attr_list ';'
			{if (define_type(1)) YYABORT;}
			| TYPE identifier opt_attr_list ';'
			{if (define_type(0)) YYABORT;}
			;
typealias_def		: TYPEALIAS identifier alias_def ';'
			{if (define_typealias()) YYABORT;}
			;
typeattribute_def	: TYPEATTRIBUTE identifier id_comma_list ';'
			{if (define_typeattribute()) YYABORT;}
			;
typebounds_def		: TYPEBOUNDS identifier id_comma_list ';'
			{if (define_typebounds()) YYABORT;}
			;
opt_attr_list		: ',' id_comma_list
			|
			;
/* bool vs. tunable share one helper; the flag marks the tunable form. */
bool_def		: BOOL identifier bool_val ';'
			{ if (define_bool_tunable(0)) YYABORT; }
			;
tunable_def		: TUNABLE identifier bool_val ';'
			{ if (define_bool_tunable(1)) YYABORT; }
			;
/* The boolean literal is queued as the identifier "T" or "F" for the helper. */
bool_val		: CTRUE
			{ if (insert_id("T",0)) YYABORT; }
			| CFALSE
			{ if (insert_id("F",0)) YYABORT; }
			;
/* Conditional blocks are only materialised on pass 2; pass 1 just parses them. */
cond_stmt_def		: IF cond_expr '{' cond_pol_list '}' cond_else
			{ if (pass == 2) { if (define_conditional((cond_expr_t*)$2, (avrule_t*)$4, (avrule_t*)$6) < 0) YYABORT; }}
			;
cond_else		: ELSE '{' cond_pol_list '}'
			{ $$ = $3; }
			| /* empty */
			{ $$ = NULL; }
			;
/*
 * NOTE(review): the compound alternatives below treat a 0 (NULL) result of
 * define_cond_expr() as failure, while cond_expr_prim compares the same
 * helper's result against COND_ERR.  Only one of the two can be the sentinel
 * the helper actually returns; whichever is wrong lets an error slip through
 * to define_conditional().  Confirm against policy_define.c and make the
 * checks consistent.
 */
cond_expr		: '(' cond_expr ')'
			{ $$ = $2;}
			| NOT cond_expr
			{ $$ = define_cond_expr(COND_NOT, $2, 0);
			  if ($$ == 0) YYABORT; }
			| cond_expr AND cond_expr
			{ $$ = define_cond_expr(COND_AND, $1, $3);
			  if ($$ == 0) YYABORT; }
			| cond_expr OR cond_expr
			{ $$ = define_cond_expr(COND_OR, $1, $3);
			  if ($$ == 0) YYABORT; }
			| cond_expr XOR cond_expr
			{ $$ = define_cond_expr(COND_XOR, $1, $3);
			  if ($$ == 0) YYABORT; }
			| cond_expr EQUALS cond_expr
			{ $$ = define_cond_expr(COND_EQ, $1, $3);
			  if ($$ == 0) YYABORT; }
			| cond_expr NOTEQUAL cond_expr
			{ $$ = define_cond_expr(COND_NEQ, $1, $3);
			  if ($$ == 0) YYABORT; }
			| cond_expr_prim
			{ $$ = $1; }
			;
/* The boolean name itself comes from the id queue (filled by `identifier`). */
cond_expr_prim		: identifier
			{ $$ = define_cond_expr(COND_BOOL,0, 0);
			  if ($$ == COND_ERR) YYABORT; }
			;
/* Left-recursive list; define_cond_pol_list() appends $2 to the list in $1. */
cond_pol_list		: cond_pol_list cond_rule_def
			{ $$ = define_cond_pol_list((avrule_t *)$1, (avrule_t *)$2); }
			| /* empty */
			{ $$ = NULL; }
			;
/* A require block inside a conditional contributes no rule (NULL). */
cond_rule_def		: cond_transition_def
			{ $$ = $1; }
			| cond_te_avtab_def
			{ $$ = $1; }
			| require_block
			{ $$ = NULL; }
			;
/*
 * Rules inside an IF/ELSE block.  These helpers return a rule pointer and
 * signal failure with COND_ERR (note: cond_expr above tests for 0 instead).
 */
cond_transition_def	: TYPE_TRANSITION names names ':' names identifier filename ';'
			{ $$ = define_cond_filename_trans() ;
			  if ($$ == COND_ERR) YYABORT;}
			| TYPE_TRANSITION names names ':' names identifier ';'
			{ $$ = define_cond_compute_type(AVRULE_TRANSITION) ;
			  if ($$ == COND_ERR) YYABORT;}
			| TYPE_MEMBER names names ':' names identifier ';'
			{ $$ = define_cond_compute_type(AVRULE_MEMBER) ;
			  if ($$ == COND_ERR) YYABORT;}
			| TYPE_CHANGE names names ':' names identifier ';'
			{ $$ = define_cond_compute_type(AVRULE_CHANGE) ;
			  if ($$ == COND_ERR) YYABORT;}
			;
cond_te_avtab_def	: cond_allow_def
			{ $$ = $1; }
			| cond_auditallow_def
			{ $$ = $1; }
			| cond_auditdeny_def
			{ $$ = $1; }
			| cond_dontaudit_def
			{ $$ = $1; }
			;
cond_allow_def		: ALLOW names names ':' names names ';'
			{ $$ = define_cond_te_avtab(AVRULE_ALLOWED) ;
			  if ($$ == COND_ERR) YYABORT; }
			;
cond_auditallow_def	: AUDITALLOW names names ':' names names ';'
			{ $$ = define_cond_te_avtab(AVRULE_AUDITALLOW) ;
			  if ($$ == COND_ERR) YYABORT; }
			;
cond_auditdeny_def	: AUDITDENY names names ':' names names ';'
			{ $$ = define_cond_te_avtab(AVRULE_AUDITDENY) ;
			  if ($$ == COND_ERR) YYABORT; }
			;
cond_dontaudit_def	: DONTAUDIT names names ':' names names ';'
			{ $$ = define_cond_te_avtab(AVRULE_DONTAUDIT);
			  if ($$ == COND_ERR) YYABORT; }
			;
			; /* duplicated rule terminator; bison tolerates it */
/* Unconditional type_transition / type_member / type_change rules. */
transition_def		: TYPE_TRANSITION names names ':' names identifier filename ';'
			{if (define_filename_trans()) YYABORT; }
			| TYPE_TRANSITION names names ':' names identifier ';'
			{if (define_compute_type(AVRULE_TRANSITION)) YYABORT;}
			| TYPE_MEMBER names names ':' names identifier ';'
			{if (define_compute_type(AVRULE_MEMBER)) YYABORT;}
			| TYPE_CHANGE names names ':' names identifier ';'
			{if (define_compute_type(AVRULE_CHANGE)) YYABORT;}
			;
/* define_range_trans(1) when the optional ':' class list is present. */
range_trans_def		: RANGE_TRANSITION names names mls_range_def ';'
			{ if (define_range_trans(0)) YYABORT; }
			| RANGE_TRANSITION names names ':' names mls_range_def ';'
			{ if (define_range_trans(1)) YYABORT; }
			;
te_avtab_def		: allow_def
			| auditallow_def
			| auditdeny_def
			| dontaudit_def
			| neverallow_def
			| xperm_allow_def
			| xperm_auditallow_def
			| xperm_dontaudit_def
			| xperm_neverallow_def
			;
allow_def		: ALLOW names names ':' names names ';'
			{if (define_te_avtab(AVRULE_ALLOWED)) YYABORT; }
			;
auditallow_def		: AUDITALLOW names names ':' names names ';'
			{if (define_te_avtab(AVRULE_AUDITALLOW)) YYABORT; }
			;
auditdeny_def		: AUDITDENY names names ':' names names ';'
			{if (define_te_avtab(AVRULE_AUDITDENY)) YYABORT; }
			;
dontaudit_def		: DONTAUDIT names names ':' names names ';'
			{if (define_te_avtab(AVRULE_DONTAUDIT)) YYABORT; }
			;
neverallow_def		: NEVERALLOW names names ':' names names ';'
			{if (define_te_avtab(AVRULE_NEVERALLOW)) YYABORT; }
			;
/* Extended-permission (xperm) rules take a single permission identifier followed by an xperm set. */
xperm_allow_def		: ALLOWXPERM names names ':' names identifier xperms ';'
			{if (define_te_avtab_extended_perms(AVRULE_XPERMS_ALLOWED)) YYABORT; }
			;
xperm_auditallow_def	: AUDITALLOWXPERM names names ':' names identifier xperms ';'
			{if (define_te_avtab_extended_perms(AVRULE_XPERMS_AUDITALLOW)) YYABORT; }
			;
xperm_dontaudit_def	: DONTAUDITXPERM names names ':' names identifier xperms ';'
			{if (define_te_avtab_extended_perms(AVRULE_XPERMS_DONTAUDIT)) YYABORT; }
			;
xperm_neverallow_def	: NEVERALLOWXPERM names names ':' names identifier xperms ';'
			{if (define_te_avtab_extended_perms(AVRULE_XPERMS_NEVERALLOW)) YYABORT; }
			;
attribute_role_def	: ATTRIBUTE_ROLE identifier ';'
			{if (define_attrib_role()) YYABORT; }
			;
role_type_def		: ROLE identifier TYPES names ';'
			{if (define_role_types()) YYABORT;}
			;
role_attr_def		: ROLE identifier opt_attr_list ';'
			{if (define_role_attr()) YYABORT;}
			;
/* define_role_trans(1) when the optional ':' class list is present. */
role_trans_def		: ROLE_TRANSITION names names identifier ';'
			{if (define_role_trans(0)) YYABORT; }
			| ROLE_TRANSITION names names ':' names identifier ';'
			{if (define_role_trans(1)) YYABORT;}
			;
/* Role allow has the same ALLOW keyword as a TE rule but no ':' class part. */
role_allow_def		: ALLOW names names ';'
			{if (define_role_allow()) YYABORT; }
			;
roleattribute_def	: ROLEATTRIBUTE identifier id_comma_list ';'
			{if (define_roleattribute()) YYABORT;}
			;
opt_constraints		: constraints
			|
			;
constraints		: constraint_decl
			| constraints constraint_decl
			;
constraint_decl		: constraint_def
			| validatetrans_def
			;
/* cexpr is <valptr>; the tree pointer is cast back from uintptr_t here. */
constraint_def		: CONSTRAIN names names cexpr ';'
			{ if (define_constraint((constraint_expr_t*)$4)) YYABORT; }
			;
validatetrans_def	: VALIDATETRANS names cexpr ';'
			{ if (define_validatetrans((constraint_expr_t*)$3)) YYABORT; }
			;
/* Constraint expression tree; define_cexpr() returns 0 on failure. */
cexpr			: '(' cexpr ')'
			{ $$ = $2; }
			| NOT cexpr
			{ $$ = define_cexpr(CEXPR_NOT, $2, 0);
			  if ($$ == 0) YYABORT; }
			| cexpr AND cexpr
			{ $$ = define_cexpr(CEXPR_AND, $1, $3);
			  if ($$ == 0) YYABORT; }
			| cexpr OR cexpr
			{ $$ = define_cexpr(CEXPR_OR, $1, $3);
			  if ($$ == 0) YYABORT; }
			| cexpr_prim
			{ $$ = $1; }
			;
/*
 * Constraint primitives.  In the `X op {..} names_push` forms the mid-rule
 * action occupies $3, so $2 in the final action is still the operator.  The
 * mid-rule insert_separator(1) goes in before the names are pushed.
 */
cexpr_prim		: U1 op U2
			{ $$ = define_cexpr(CEXPR_ATTR, CEXPR_USER, $2);
			  if ($$ == 0) YYABORT; }
			| R1 role_mls_op R2
			{ $$ = define_cexpr(CEXPR_ATTR, CEXPR_ROLE, $2);
			  if ($$ == 0) YYABORT; }
			| T1 op T2
			{ $$ = define_cexpr(CEXPR_ATTR, CEXPR_TYPE, $2);
			  if ($$ == 0) YYABORT; }
			| U1 op { if (insert_separator(1)) YYABORT; } names_push
			{ $$ = define_cexpr(CEXPR_NAMES, CEXPR_USER, $2);
			  if ($$ == 0) YYABORT; }
			| U2 op { if (insert_separator(1)) YYABORT; } names_push
			{ $$ = define_cexpr(CEXPR_NAMES, (CEXPR_USER | CEXPR_TARGET), $2);
			  if ($$ == 0) YYABORT; }
			| U3 op { if (insert_separator(1)) YYABORT; } names_push
			{ $$ = define_cexpr(CEXPR_NAMES, (CEXPR_USER | CEXPR_XTARGET), $2);
			  if ($$ == 0) YYABORT; }
			| R1 op { if (insert_separator(1)) YYABORT; } names_push
			{ $$ = define_cexpr(CEXPR_NAMES, CEXPR_ROLE, $2);
			  if ($$ == 0) YYABORT; }
			| R2 op { if (insert_separator(1)) YYABORT; } names_push
			{ $$ = define_cexpr(CEXPR_NAMES, (CEXPR_ROLE | CEXPR_TARGET), $2);
			  if ($$ == 0) YYABORT; }
			| R3 op { if (insert_separator(1)) YYABORT; } names_push
			{ $$ = define_cexpr(CEXPR_NAMES, (CEXPR_ROLE | CEXPR_XTARGET), $2);
			  if ($$ == 0) YYABORT; }
			| T1 op { if (insert_separator(1)) YYABORT; } names_push
			{ $$ = define_cexpr(CEXPR_NAMES, CEXPR_TYPE, $2);
			  if ($$ == 0) YYABORT; }
			| T2 op { if (insert_separator(1)) YYABORT; } names_push
			{ $$ = define_cexpr(CEXPR_NAMES, (CEXPR_TYPE | CEXPR_TARGET), $2);
			  if ($$ == 0) YYABORT; }
			| T3 op { if (insert_separator(1)) YYABORT; } names_push
			{ $$ = define_cexpr(CEXPR_NAMES, (CEXPR_TYPE | CEXPR_XTARGET), $2);
			  if ($$ == 0) YYABORT; }
			| SAMEUSER
			{ $$ = define_cexpr(CEXPR_ATTR, CEXPR_USER, CEXPR_EQ);
			  if ($$ == 0) YYABORT; }
			| SOURCE ROLE { if (insert_separator(1)) YYABORT; } names_push
			{ $$ = define_cexpr(CEXPR_NAMES, CEXPR_ROLE, CEXPR_EQ);
			  if ($$ == 0) YYABORT; }
			| TARGET ROLE { if (insert_separator(1)) YYABORT; } names_push
			{ $$ = define_cexpr(CEXPR_NAMES, (CEXPR_ROLE | CEXPR_TARGET), CEXPR_EQ);
			  if ($$ == 0) YYABORT; }
			| ROLE role_mls_op
			{ $$ = define_cexpr(CEXPR_ATTR, CEXPR_ROLE, $2);
			  if ($$ == 0) YYABORT; }
			| SOURCE TYPE { if (insert_separator(1)) YYABORT; } names_push
			{ $$ = define_cexpr(CEXPR_NAMES, CEXPR_TYPE, CEXPR_EQ);
			  if ($$ == 0) YYABORT; }
			| TARGET TYPE { if (insert_separator(1)) YYABORT; } names_push
			{ $$ = define_cexpr(CEXPR_NAMES, (CEXPR_TYPE | CEXPR_TARGET), CEXPR_EQ);
			  if ($$ == 0) YYABORT; }
			/* MLS level comparisons: l1/h1 are the source low/high, l2/h2 the target's */
			| L1 role_mls_op L2
			{ $$ = define_cexpr(CEXPR_ATTR, CEXPR_L1L2, $2);
			  if ($$ == 0) YYABORT; }
			| L1 role_mls_op H2
			{ $$ = define_cexpr(CEXPR_ATTR, CEXPR_L1H2, $2);
			  if ($$ == 0) YYABORT; }
			| H1 role_mls_op L2
			{ $$ = define_cexpr(CEXPR_ATTR, CEXPR_H1L2, $2);
			  if ($$ == 0) YYABORT; }
			| H1 role_mls_op H2
			{ $$ = define_cexpr(CEXPR_ATTR, CEXPR_H1H2, $2);
			  if ($$ == 0) YYABORT; }
			| L1 role_mls_op H1
			{ $$ = define_cexpr(CEXPR_ATTR, CEXPR_L1H1, $2);
			  if ($$ == 0) YYABORT; }
			| L2 role_mls_op H2
			{ $$ = define_cexpr(CEXPR_ATTR, CEXPR_L2H2, $2);
			  if ($$ == 0) YYABORT; }
			;
op			: EQUALS
			{ $$ = CEXPR_EQ; }
			| NOTEQUAL
			{ $$ = CEXPR_NEQ; }
			;
/* Roles and MLS levels additionally allow the dominance operators. */
role_mls_op		: op
			{ $$ = $1; }
			| DOM
			{ $$ = CEXPR_DOM; }
			| DOMBY
			{ $$ = CEXPR_DOMBY; }
			| INCOMP
			{ $$ = CEXPR_INCOMP; }
			;
users			: user_def
			| users user_def
			;
user_def		: USER identifier ROLES names opt_mls_user ';'
			{if (define_user()) YYABORT;}
			;
opt_mls_user		: LEVEL mls_level_def RANGE mls_range_def
			|
			;
initial_sid_contexts	: initial_sid_context_def
			| initial_sid_contexts initial_sid_context_def
			;
initial_sid_context_def	: SID identifier security_context_def
			{if (define_initial_sid_context()) YYABORT;}
			;
/* Device contexts (pirq / iomem / ioport / pci / devicetree) are optional. */
opt_dev_contexts	: dev_contexts |
			;
dev_contexts		: dev_context_def
			| dev_contexts dev_context_def
			;
dev_context_def		: pirq_context_def |
			  iomem_context_def |
			  ioport_context_def |
			  pci_context_def |
			  dtree_context_def
			;
pirq_context_def	: PIRQCON number security_context_def
			{if (define_pirq_context($2)) YYABORT;}
			;
/* A single address is passed as a low==high range; iomem uses 64-bit numbers. */
iomem_context_def	: IOMEMCON number64 security_context_def
			{if (define_iomem_context($2,$2)) YYABORT;}
			| IOMEMCON number64 '-' number64 security_context_def
			{if (define_iomem_context($2,$4)) YYABORT;}
			;
ioport_context_def	: IOPORTCON number security_context_def
			{if (define_ioport_context($2,$2)) YYABORT;}
			| IOPORTCON number '-' number security_context_def
			{if (define_ioport_context($2,$4)) YYABORT;}
			;
pci_context_def		: PCIDEVICECON number security_context_def
			{if (define_pcidevice_context($2)) YYABORT;}
			;
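dtree_context_def	: DEVICETREECON path security_context_def
			{if (define_devicetree_context()) YYABORT;}
			;
opt_fs_contexts		: fs_contexts
			|
			;
fs_contexts		: fs_context_def
			| fs_contexts fs_context_def
			;
/* fscon: two numbers (passed through to the helper) and two security contexts. */
fs_context_def		: FSCON number number security_context_def security_context_def
			{if (define_fs_context($2,$3)) YYABORT;}
			;
net_contexts		: opt_port_contexts opt_netif_contexts opt_node_contexts
			;
opt_port_contexts	: port_contexts
			|
			;
port_contexts		: port_context_def
			| port_contexts port_context_def
			;
/* A single port is passed as a low==high range. */
port_context_def	: PORTCON identifier number security_context_def
			{if (define_port_context($3,$3)) YYABORT;}
			| PORTCON identifier number '-' number security_context_def
			{if (define_port_context($3,$5)) YYABORT;}
			;
opt_ibpkey_contexts	: ibpkey_contexts
			|
			;
ibpkey_contexts		: ibpkey_context_def
			| ibpkey_contexts ibpkey_context_def
			;
/* ibpkeycon: an IPv6-formatted prefix, then a pkey or pkey range (low==high when single). */
ibpkey_context_def	: IBPKEYCON ipv6_addr number security_context_def
			{if (define_ibpkey_context($3,$3)) YYABORT;}
			| IBPKEYCON ipv6_addr number '-' number security_context_def
			{if (define_ibpkey_context($3,$5)) YYABORT;}
			;
opt_ibendport_contexts	: ibendport_contexts
			|
			;
ibendport_contexts	: ibendport_context_def
			| ibendport_contexts ibendport_context_def
			;
ibendport_context_def	: IBENDPORTCON identifier number security_context_def
			{if (define_ibendport_context($3)) YYABORT;}
			;
opt_netif_contexts	: netif_contexts
			|
			;
netif_contexts		: netif_context_def
			| netif_contexts netif_context_def
			;
netif_context_def	: NETIFCON identifier security_context_def security_context_def
			{if (define_netif_context()) YYABORT;}
			;
opt_node_contexts	: node_contexts
			|
			;
node_contexts		: node_context_def
			| node_contexts node_context_def
			;
/* nodecon: address+mask or CIDR form, for IPv4 and IPv6; the helper reads the queued ids. */
node_context_def	: NODECON ipv4_addr_def ipv4_addr_def security_context_def
			{if (define_ipv4_node_context()) YYABORT;}
			| NODECON ipv4_cidr_def security_context_def
			{if (define_ipv4_cidr_node_context()) YYABORT;}
			| NODECON ipv6_addr ipv6_addr security_context_def
			{if (define_ipv6_node_context()) YYABORT;}
			| NODECON ipv6_cidr security_context_def
			{if (define_ipv6_cidr_node_context()) YYABORT;}
			;
opt_fs_uses		: fs_uses
			|
			;
fs_uses			: fs_use_def
			| fs_uses fs_use_def
			;
fs_use_def		: FSUSEXATTR filesystem security_context_def ';'
			{if (define_fs_use(SECURITY_FS_USE_XATTR)) YYABORT;}
			| FSUSETASK identifier security_context_def ';'
			{if (define_fs_use(SECURITY_FS_USE_TASK)) YYABORT;}
			| FSUSETRANS identifier security_context_def ';'
			{if (define_fs_use(SECURITY_FS_USE_TRANS)) YYABORT;}
			;
opt_genfs_contexts	: genfs_contexts
			|
			;
genfs_contexts		: genfs_context_def
			| genfs_contexts genfs_context_def
			;
/*
 * genfscon: the argument to define_genfs_context() says whether a file-type
 * qualifier follows the path.  The "- -" form queues a literal "-" so the
 * helper sees the same id layout as the explicit-type form.  The mid-rule
 * insert_id() here is checked like every other insert_id() in this grammar:
 * a queue-insert failure (e.g. out of memory) must abort the parse rather
 * than let the helper consume a short id list.
 */
genfs_context_def	: GENFSCON filesystem path '-' identifier security_context_def
			{if (define_genfs_context(1)) YYABORT;}
			| GENFSCON filesystem path '-' '-' { if (insert_id("-", 0)) YYABORT; } security_context_def
			{if (define_genfs_context(1)) YYABORT;}
			| GENFSCON filesystem path security_context_def
			{if (define_genfs_context(0)) YYABORT;}
			;
/* Address tokens are queued verbatim from the lexer buffer. */
ipv4_addr_def		: IPV4_ADDR
			{ if (insert_id(yytext,0)) YYABORT; }
			;
ipv4_cidr_def		: IPV4_CIDR
			{ if (insert_id(yytext,0)) YYABORT; }
			;
/*
 * Extended-permission set.  A leading '~' is queued after the set itself.
 * NOTE(review): the `tilde xperm` alternative is the only one that does not
 * finish with insert_separator(0); whether the helper tolerates that is not
 * visible here — confirm in define_te_avtab_extended_perms().
 */
xperms			: xperm
			{ if (insert_separator(0)) YYABORT; }
			| nested_xperm_set
			{ if (insert_separator(0)) YYABORT; }
			| tilde xperm
			{ if (insert_id("~", 0)) YYABORT; }
			| tilde nested_xperm_set
			{ if (insert_id("~", 0)) YYABORT;
			  if (insert_separator(0)) YYABORT; }
			;
nested_xperm_set	: '{' nested_xperm_list '}'
			;
nested_xperm_list	: nested_xperm_element
			| nested_xperm_list nested_xperm_element
			;
/* A range "a - b" queues a, then "-", then b. */
nested_xperm_element	: xperm '-' { if (insert_id("-", 0)) YYABORT; } xperm
			| xperm
			| nested_xperm_set
			;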
/*
 * xperm queues the lexer text of the number token rather than $1, so the
 * helper receives the original spelling (e.g. hex form), not the parsed value.
 * NOTE(review): this relies on the parser not having fetched a lookahead
 * token (which would overwrite yytext) before this reduction runs.
 */
xperm			: number
			{ if (insert_id(yytext,0)) YYABORT; }
			;
/* user:role:type with an optional ':' MLS range. */
security_context_def	: identifier ':' identifier ':' identifier opt_mls_range_def
			;
opt_mls_range_def	: ':' mls_range_def
			|
			;
/*
 * MLS ranges and levels are communicated to the helpers purely through the
 * id queue: each level ends with a separator, and the range adds one more.
 */
mls_range_def		: mls_level_def '-' mls_level_def
			{if (insert_separator(0)) YYABORT;}
			| mls_level_def
			{if (insert_separator(0)) YYABORT;}
			;
mls_level_def		: identifier ':' id_comma_list
			{if (insert_separator(0)) YYABORT;}
			| identifier
			{if (insert_separator(0)) YYABORT;}
			;
id_comma_list		: identifier
			| id_comma_list ',' identifier
			;
tilde			: '~'
			;
asterisk		: '*'
			;
/*
 * A name set for TE/RBAC rules: a single id, a nested { } set, '*', a
 * complemented form, or "a - b".  Special tokens are queued as the literal
 * strings "*", "~" and "-" and every alternative ends with a separator.
 */
names			: identifier
			{ if (insert_separator(0)) YYABORT; }
			| nested_id_set
			{ if (insert_separator(0)) YYABORT; }
			| asterisk
			{ if (insert_id("*", 0)) YYABORT;
			  if (insert_separator(0)) YYABORT; }
			| tilde identifier
			{ if (insert_id("~", 0)) YYABORT;
			  if (insert_separator(0)) YYABORT; }
			| tilde nested_id_set
			{ if (insert_id("~", 0)) YYABORT;
			  if (insert_separator(0)) YYABORT; }
			| identifier '-' { if (insert_id("-", 0)) YYABORT; } identifier
			{ if (insert_separator(0)) YYABORT; }
			;
/*
 * The *_push variants (used by constraint expressions) call insert_id() with
 * a second argument of 1 instead of 0; presumably that selects a different
 * queue — confirm against insert_id() in policy_define.c.
 */
tilde_push		: tilde
			{ if (insert_id("~", 1)) YYABORT; }
			;
asterisk_push		: asterisk
			{ if (insert_id("*", 1)) YYABORT; }
			;
names_push		: identifier_push
			| '{' identifier_list_push '}'
			| asterisk_push
			| tilde_push identifier_push
			| tilde_push '{' identifier_list_push '}'
			;
identifier_list_push	: identifier_push
			| identifier_list_push identifier_push
			;
identifier_push		: IDENTIFIER
			{ if (insert_id(yytext, 1)) YYABORT; }
			;
identifier_list		: identifier
			| identifier_list identifier
			;
nested_id_set		: '{' nested_id_list '}'
			;
nested_id_list		: nested_id_element | nested_id_list nested_id_element
			;
nested_id_element	: identifier | '-' { if (insert_id("-", 0)) YYABORT; } identifier | nested_id_set
			;
identifier		: IDENTIFIER
			{ if (insert_id(yytext,0)) YYABORT; }
			;
filesystem		: FILESYSTEM
			{ if (insert_id(yytext,0)) YYABORT; }
			| IDENTIFIER
			{ if (insert_id(yytext,0)) YYABORT; }
			;
/*
 * Quoted paths/filenames are unquoted in place: the closing quote is
 * overwritten with NUL and the id starts one past the opening quote.  This
 * writes into the lexer's buffer (yytext is declared as an array in the
 * prologue) and assumes the token is at least two characters long, which
 * the lexer's quoted-token pattern is expected to guarantee — not visible here.
 */
path			: PATH
			{ if (insert_id(yytext,0)) YYABORT; }
			| QPATH
			{ yytext[strlen(yytext) - 1] = '\0'; if (insert_id(yytext + 1,0)) YYABORT; }
			;
filename		: FILENAME
			{ yytext[strlen(yytext) - 1] = '\0'; if (insert_id(yytext + 1,0)) YYABORT; }
			;
/*
 * Parse a NUMBER token into an unsigned int.  Base 0 accepts decimal, octal
 * and hex spellings.  ERANGE aborts the parse; on LP64 hosts a value that
 * fits unsigned long but not unsigned int is also rejected so that port,
 * ioport and pci numbers are never silently truncated.
 * NOTE(review): errno, ULONG_MAX and UINT_MAX are used here but neither
 * <errno.h> nor <limits.h> is included in the prologue at the top of this
 * file; they currently arrive transitively — include them explicitly.
 * The NULL endptr also means a leading sign or trailing characters are not
 * rejected by this action; whether the lexer's NUMBER pattern already rules
 * them out cannot be seen from this file.
 */
number			: NUMBER
			{ unsigned long x;
			  errno = 0;
			  x = strtoul(yytext, NULL, 0);
			  if (errno)
			      YYABORT;
#if ULONG_MAX > UINT_MAX
			  if (x > UINT_MAX)
			      YYABORT;
#endif
			  $$ = (unsigned int) x;
			}
			;
/* 64-bit variant used for iomem addresses; unsigned long long is at least 64 bits, so no range check is needed. */
number64		: NUMBER
			{ unsigned long long x;
			  errno = 0;
			  x = strtoull(yytext, NULL, 0);
			  if (errno)
			      YYABORT;
			  $$ = (uint64_t) x;
			}
			;
ipv6_addr		: IPV6_ADDR
			{ if (insert_id(yytext,0)) YYABORT; }
			;
ipv6_cidr		: IPV6_CIDR
			{ if (insert_id(yytext,0)) YYABORT; }
			;
policycap_def		: POLICYCAP identifier ';'
			{if (define_polcap()) YYABORT;}
			;
/* No terminating ';' on this rule; bison accepts the next rule's "name :" as the boundary. */
permissive_def		: PERMISSIVE identifier ';'
			{if (define_permissive()) YYABORT;}

/*********** module grammar below ***********/

/* A loadable module: header, then rule blocks; the policydb is indexed once at the end. */
module_policy		: module_def avrules_block
			{ if (end_avrule_block(pass) == -1) YYABORT;
			  if (policydb_index_others(NULL, policydbp, 0)) YYABORT;
			}
			;
module_def		: MODULE identifier version_identifier ';'
			{ if (define_policy(pass, 1) == -1) YYABORT; }
			;
/*
 * The version string is queued verbatim.  NOTE(review): the `number`
 * alternative reads yytext after a nonterminal reduction and so depends on
 * no lookahead having been fetched in between (see xperm above).
 */
version_identifier	: VERSION_IDENTIFIER
			{ if (insert_id(yytext,0)) YYABORT; }
			| number
			{ if (insert_id(yytext,0)) YYABORT; }
			| ipv4_addr_def /* version can look like ipv4 address */
			;
avrules_block		: avrule_decls avrule_user_defs
			;
avrule_decls		: avrule_decls avrule_decl
			| avrule_decl
			;
avrule_decl		: rbac_decl
			| te_decl
			| cond_stmt_def
			| require_block
			| optional_block
			| ';'
			;
require_block		: REQUIRE '{' require_list '}'
			;
require_list		: require_list require_decl
			| require_decl
			;
require_decl		: require_class ';'
			| require_decl_def require_id_list ';'
			;
require_class		: CLASS identifier names
			{ if (require_class(pass)) YYABORT; }
			;
/* The keyword selects the require_* callback; it is typed <require_func> (see %type). */
require_decl_def	: ROLE		{ $$ = require_role; }
			| TYPE		{ $$ = require_type; }
			| ATTRIBUTE	{ $$ = require_attribute; }
			| ATTRIBUTE_ROLE	{ $$ = require_attribute_role; }
			| USER		{ $$ = require_user; }
			| BOOL		{ $$ = require_bool; }
			| TUNABLE	{ $$ = require_tunable; }
			| SENSITIVITY	{ $$ = require_sens; }
			| CATEGORY	{ $$ = require_cat; }
			;
/*
 * $<require_func>0 reaches below this rule's own symbols to the
 * require_decl_def that precedes require_id_list in require_decl, and calls
 * that callback once per identifier.  This only works because require_id_list
 * is used solely in that position.
 */
require_id_list		: identifier
			{ if ($<require_func>0 (pass)) YYABORT; }
			| require_id_list ',' identifier
			{ if ($<require_func>0 (pass)) YYABORT; }
			;
/* optional { ... } [ else { ... } ]; each block is closed with end_avrule_block(). */
optional_block		: optional_decl '{' avrules_block '}'
			{ if (end_avrule_block(pass) == -1) YYABORT; }
			optional_else
			{ if (end_optional(pass) == -1) YYABORT; }
			;
optional_else		: else_decl '{' avrules_block '}'
			{ if (end_avrule_block(pass) == -1) YYABORT; }
			| /* empty */
			;
optional_decl		: OPTIONAL
			{ if (begin_optional(pass) == -1) YYABORT; }
			;
else_decl		: ELSE
			{ if (begin_optional_else(pass) == -1) YYABORT; }
			;
/* Right-recursive so user declarations may trail the rules in a block. */
avrule_user_defs	: user_def avrule_user_defs
			| /* empty */
			;