1 2 /* 3 * Author : Stephen Smalley, <sds@epoch.ncsc.mil> 4 */ 5 6 /* 7 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> 8 * 9 * Support for enhanced MLS infrastructure. 10 * 11 * Updated: David Caplan, <dac@tresys.com> 12 * 13 * Added conditional policy language extensions 14 * 15 * Updated: Joshua Brindle <jbrindle@tresys.com> 16 * Karl MacMillan <kmacmillan@mentalrootkit.com> 17 * Jason Tang <jtang@tresys.com> 18 * 19 * Added support for binary policy modules 20 * 21 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 22 * Copyright (C) 2003 - 2008 Tresys Technology, LLC 23 * Copyright (C) 2007 Red Hat Inc. 24 * This program is free software; you can redistribute it and/or modify 25 * it under the terms of the GNU General Public License as published by 26 * the Free Software Foundation, version 2. 27 */ 28 29 /* FLASK */ 30 31 %{ 32 #include <sys/types.h> 33 #include <assert.h> 34 #include <stdarg.h> 35 #include <stdint.h> 36 #include <stdio.h> 37 #include <stdlib.h> 38 #include <string.h> 39 #include <sys/socket.h> 40 #include <netinet/in.h> 41 #include <arpa/inet.h> 42 #include <stdlib.h> 43 44 #include <sepol/policydb/expand.h> 45 #include <sepol/policydb/policydb.h> 46 #include <sepol/policydb/services.h> 47 #include <sepol/policydb/conditional.h> 48 #include <sepol/policydb/flask.h> 49 #include <sepol/policydb/hierarchy.h> 50 #include <sepol/policydb/polcaps.h> 51 #include "queue.h" 52 #include "checkpolicy.h" 53 #include "module_compiler.h" 54 #include "policy_define.h" 55 56 extern policydb_t *policydbp; 57 extern unsigned int pass; 58 59 extern char yytext[]; 60 extern int yylex(void); 61 extern int yywarn(char *msg); 62 extern int yyerror(char *msg); 63 64 typedef int (* require_func_t)(); 65 66 %} 67 68 %union { 69 unsigned int val; 70 uintptr_t valptr; 71 void *ptr; 72 require_func_t require_func; 73 } 74 75 %type <ptr> cond_expr cond_expr_prim cond_pol_list cond_else 76 %type <ptr> cond_allow_def cond_auditallow_def cond_auditdeny_def cond_dontaudit_def 77 %type <ptr> cond_transition_def cond_te_avtab_def cond_rule_def 78 %type <ptr> role_def roles 79 %type <valptr> cexpr cexpr_prim op role_mls_op 80 %type <val> ipv4_addr_def number 81 %type <require_func> require_decl_def 82 83 %token PATH 84 %token FILENAME 85 %token CLONE 86 %token COMMON 87 %token CLASS 88 %token CONSTRAIN 89 %token VALIDATETRANS 90 %token INHERITS 91 %token SID 92 %token ROLE 93 %token ROLEATTRIBUTE 94 %token ATTRIBUTE_ROLE 95 %token ROLES 96 %token TYPEALIAS 97 %token TYPEATTRIBUTE 98 %token TYPEBOUNDS 99 %token TYPE 100 %token TYPES 101 %token ALIAS 102 %token ATTRIBUTE 103 %token BOOL 104 %token TUNABLE 105 %token IF 106 %token ELSE 107 %token TYPE_TRANSITION 108 %token TYPE_MEMBER 109 %token TYPE_CHANGE 110 %token ROLE_TRANSITION 111 %token RANGE_TRANSITION 112 %token SENSITIVITY 113 %token DOMINANCE 114 %token DOM DOMBY INCOMP 115 %token CATEGORY 116 %token LEVEL 117 %token RANGE 118 %token MLSCONSTRAIN 119 %token MLSVALIDATETRANS 120 %token USER 121 %token NEVERALLOW 122 %token ALLOW 123 %token AUDITALLOW 124 %token AUDITDENY 125 %token DONTAUDIT 126 %token SOURCE 127 %token TARGET 128 %token SAMEUSER 129 %token FSCON PORTCON NETIFCON NODECON 130 %token PIRQCON IOMEMCON IOPORTCON PCIDEVICECON 131 %token FSUSEXATTR FSUSETASK FSUSETRANS 132 %token GENFSCON 133 %token U1 U2 U3 R1 R2 R3 T1 T2 T3 L1 L2 H1 H2 134 %token NOT AND OR XOR 135 %token CTRUE CFALSE 136 %token IDENTIFIER 137 %token NUMBER 138 %token EQUALS 139 %token NOTEQUAL 140 %token IPV4_ADDR 141 %token IPV6_ADDR 142 %token MODULE VERSION_IDENTIFIER REQUIRE OPTIONAL 143 %token POLICYCAP 144 %token PERMISSIVE 145 %token FILESYSTEM 146 %token DEFAULT_USER DEFAULT_ROLE DEFAULT_RANGE 147 %token LOW_HIGH LOW HIGH 148 149 %left OR 150 %left XOR 151 %left AND 152 %right NOT 153 %left EQUALS NOTEQUAL 154 %% 155 policy : base_policy 156 | module_policy 157 ; 158 base_policy : { if (define_policy(pass, 0) == -1) return -1; } 159 classes initial_sids access_vectors 160 { if (pass == 1) { if (policydb_index_classes(policydbp)) return -1; } 161 else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1; }} 162 opt_default_rules opt_mls te_rbac users opt_constraints 163 { if (pass == 1) { if (policydb_index_bools(policydbp)) return -1;} 164 else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1;}} 165 initial_sid_contexts opt_fs_contexts opt_fs_uses opt_genfs_contexts net_contexts opt_dev_contexts 166 ; 167 classes : class_def 168 | classes class_def 169 ; 170 class_def : CLASS identifier 171 {if (define_class()) return -1;} 172 ; 173 initial_sids : initial_sid_def 174 | initial_sids initial_sid_def 175 ; 176 initial_sid_def : SID identifier 177 {if (define_initial_sid()) return -1;} 178 ; 179 access_vectors : opt_common_perms av_perms 180 ; 181 opt_common_perms : common_perms 182 | 183 ; 184 common_perms : common_perms_def 185 | common_perms common_perms_def 186 ; 187 common_perms_def : COMMON identifier '{' identifier_list '}' 188 {if (define_common_perms()) return -1;} 189 ; 190 av_perms : av_perms_def 191 | av_perms av_perms_def 192 ; 193 av_perms_def : CLASS identifier '{' identifier_list '}' 194 {if (define_av_perms(FALSE)) return -1;} 195 | CLASS identifier INHERITS identifier 196 {if (define_av_perms(TRUE)) return -1;} 197 | CLASS identifier INHERITS identifier '{' identifier_list '}' 198 {if (define_av_perms(TRUE)) return -1;} 199 ; 200 opt_default_rules : default_rules 201 | 202 ; 203 default_rules : default_user_def 204 | default_role_def 205 | default_range_def 206 | default_rules default_user_def 207 | default_rules default_role_def 208 | default_rules default_range_def 209 ; 210 default_user_def : DEFAULT_USER names SOURCE ';' 211 {if (define_default_user(DEFAULT_SOURCE)) return -1; } 212 | DEFAULT_USER names TARGET ';' 213 {if (define_default_user(DEFAULT_TARGET)) return -1; } 214 ; 215 default_role_def : DEFAULT_ROLE names SOURCE ';' 216 {if (define_default_role(DEFAULT_SOURCE)) return -1; } 217 | DEFAULT_ROLE names TARGET ';' 218 {if (define_default_role(DEFAULT_TARGET)) return -1; } 219 ; 220 default_range_def : DEFAULT_RANGE names SOURCE LOW ';' 221 {if (define_default_range(DEFAULT_SOURCE_LOW)) return -1; } 222 | DEFAULT_RANGE names SOURCE HIGH ';' 223 {if (define_default_range(DEFAULT_SOURCE_HIGH)) return -1; } 224 | DEFAULT_RANGE names SOURCE LOW_HIGH ';' 225 {if (define_default_range(DEFAULT_SOURCE_LOW_HIGH)) return -1; } 226 | DEFAULT_RANGE names TARGET LOW ';' 227 {if (define_default_range(DEFAULT_TARGET_LOW)) return -1; } 228 | DEFAULT_RANGE names TARGET HIGH ';' 229 {if (define_default_range(DEFAULT_TARGET_HIGH)) return -1; } 230 | DEFAULT_RANGE names TARGET LOW_HIGH ';' 231 {if (define_default_range(DEFAULT_TARGET_LOW_HIGH)) return -1; } 232 ; 233 opt_mls : mls 234 | 235 ; 236 mls : sensitivities dominance opt_categories levels mlspolicy 237 ; 238 sensitivities : sensitivity_def 239 | sensitivities sensitivity_def 240 ; 241 sensitivity_def : SENSITIVITY identifier alias_def ';' 242 {if (define_sens()) return -1;} 243 | SENSITIVITY identifier ';' 244 {if (define_sens()) return -1;} 245 ; 246 alias_def : ALIAS names 247 ; 248 dominance : DOMINANCE identifier 249 {if (define_dominance()) return -1;} 250 | DOMINANCE '{' identifier_list '}' 251 {if (define_dominance()) return -1;} 252 ; 253 opt_categories : categories 254 | 255 ; 256 categories : category_def 257 | categories category_def 258 ; 259 category_def : CATEGORY identifier alias_def ';' 260 {if (define_category()) return -1;} 261 | CATEGORY identifier ';' 262 {if (define_category()) return -1;} 263 ; 264 levels : level_def 265 | levels level_def 266 ; 267 level_def : LEVEL identifier ':' id_comma_list ';' 268 {if (define_level()) return -1;} 269 | LEVEL identifier ';' 270 {if (define_level()) return -1;} 271 ; 272 mlspolicy : mlspolicy_decl 273 | mlspolicy mlspolicy_decl 274 ; 275 mlspolicy_decl : mlsconstraint_def 276 | mlsvalidatetrans_def 277 ; 278 mlsconstraint_def : MLSCONSTRAIN names names cexpr ';' 279 { if (define_constraint((constraint_expr_t*)$4)) return -1; } 280 ; 281 mlsvalidatetrans_def : MLSVALIDATETRANS names cexpr ';' 282 { if (define_validatetrans((constraint_expr_t*)$3)) return -1; } 283 ; 284 te_rbac : te_rbac_decl 285 | te_rbac te_rbac_decl 286 ; 287 te_rbac_decl : te_decl 288 | rbac_decl 289 | cond_stmt_def 290 | optional_block 291 | policycap_def 292 | ';' 293 ; 294 rbac_decl : attribute_role_def 295 | role_type_def 296 | role_dominance 297 | role_trans_def 298 | role_allow_def 299 | roleattribute_def 300 | role_attr_def 301 ; 302 te_decl : attribute_def 303 | type_def 304 | typealias_def 305 | typeattribute_def 306 | typebounds_def 307 | bool_def 308 | tunable_def 309 | transition_def 310 | range_trans_def 311 | te_avtab_def 312 | permissive_def 313 ; 314 attribute_def : ATTRIBUTE identifier ';' 315 { if (define_attrib()) return -1;} 316 ; 317 type_def : TYPE identifier alias_def opt_attr_list ';' 318 {if (define_type(1)) return -1;} 319 | TYPE identifier opt_attr_list ';' 320 {if (define_type(0)) return -1;} 321 ; 322 typealias_def : TYPEALIAS identifier alias_def ';' 323 {if (define_typealias()) return -1;} 324 ; 325 typeattribute_def : TYPEATTRIBUTE identifier id_comma_list ';' 326 {if (define_typeattribute()) return -1;} 327 ; 328 typebounds_def : TYPEBOUNDS identifier id_comma_list ';' 329 {if (define_typebounds()) return -1;} 330 ; 331 opt_attr_list : ',' id_comma_list 332 | 333 ; 334 bool_def : BOOL identifier bool_val ';' 335 { if (define_bool_tunable(0)) return -1; } 336 ; 337 tunable_def : TUNABLE identifier bool_val ';' 338 { if (define_bool_tunable(1)) return -1; } 339 ; 340 bool_val : CTRUE 341 { if (insert_id("T",0)) return -1; } 342 | CFALSE 343 { if (insert_id("F",0)) return -1; } 344 ; 345 cond_stmt_def : IF cond_expr '{' cond_pol_list '}' cond_else 346 { if (pass == 2) { if (define_conditional((cond_expr_t*)$2, (avrule_t*)$4, (avrule_t*)$6) < 0) return -1; }} 347 ; 348 cond_else : ELSE '{' cond_pol_list '}' 349 { $$ = $3; } 350 | /* empty */ 351 { $$ = NULL; } 352 cond_expr : '(' cond_expr ')' 353 { $$ = $2;} 354 | NOT cond_expr 355 { $$ = define_cond_expr(COND_NOT, $2, 0); 356 if ($$ == 0) return -1; } 357 | cond_expr AND cond_expr 358 { $$ = define_cond_expr(COND_AND, $1, $3); 359 if ($$ == 0) return -1; } 360 | cond_expr OR cond_expr 361 { $$ = define_cond_expr(COND_OR, $1, $3); 362 if ($$ == 0) return -1; } 363 | cond_expr XOR cond_expr 364 { $$ = define_cond_expr(COND_XOR, $1, $3); 365 if ($$ == 0) return -1; } 366 | cond_expr EQUALS cond_expr 367 { $$ = define_cond_expr(COND_EQ, $1, $3); 368 if ($$ == 0) return -1; } 369 | cond_expr NOTEQUAL cond_expr 370 { $$ = define_cond_expr(COND_NEQ, $1, $3); 371 if ($$ == 0) return -1; } 372 | cond_expr_prim 373 { $$ = $1; } 374 ; 375 cond_expr_prim : identifier 376 { $$ = define_cond_expr(COND_BOOL,0, 0); 377 if ($$ == COND_ERR) return -1; } 378 ; 379 cond_pol_list : cond_pol_list cond_rule_def 380 { $$ = define_cond_pol_list((avrule_t *)$1, (avrule_t *)$2); } 381 | /* empty */ 382 { $$ = NULL; } 383 ; 384 cond_rule_def : cond_transition_def 385 { $$ = $1; } 386 | cond_te_avtab_def 387 { $$ = $1; } 388 | require_block 389 { $$ = NULL; } 390 ; 391 cond_transition_def : TYPE_TRANSITION names names ':' names identifier filename ';' 392 { $$ = define_cond_filename_trans() ; 393 if ($$ == COND_ERR) return -1;} 394 | TYPE_TRANSITION names names ':' names identifier ';' 395 { $$ = define_cond_compute_type(AVRULE_TRANSITION) ; 396 if ($$ == COND_ERR) return -1;} 397 | TYPE_MEMBER names names ':' names identifier ';' 398 { $$ = define_cond_compute_type(AVRULE_MEMBER) ; 399 if ($$ == COND_ERR) return -1;} 400 | TYPE_CHANGE names names ':' names identifier ';' 401 { $$ = define_cond_compute_type(AVRULE_CHANGE) ; 402 if ($$ == COND_ERR) return -1;} 403 ; 404 cond_te_avtab_def : cond_allow_def 405 { $$ = $1; } 406 | cond_auditallow_def 407 { $$ = $1; } 408 | cond_auditdeny_def 409 { $$ = $1; } 410 | cond_dontaudit_def 411 { $$ = $1; } 412 ; 413 cond_allow_def : ALLOW names names ':' names names ';' 414 { $$ = define_cond_te_avtab(AVRULE_ALLOWED) ; 415 if ($$ == COND_ERR) return -1; } 416 ; 417 cond_auditallow_def : AUDITALLOW names names ':' names names ';' 418 { $$ = define_cond_te_avtab(AVRULE_AUDITALLOW) ; 419 if ($$ == COND_ERR) return -1; } 420 ; 421 cond_auditdeny_def : AUDITDENY names names ':' names names ';' 422 { $$ = define_cond_te_avtab(AVRULE_AUDITDENY) ; 423 if ($$ == COND_ERR) return -1; } 424 ; 425 cond_dontaudit_def : DONTAUDIT names names ':' names names ';' 426 { $$ = define_cond_te_avtab(AVRULE_DONTAUDIT); 427 if ($$ == COND_ERR) return -1; } 428 ; 429 ; 430 transition_def : TYPE_TRANSITION names names ':' names identifier filename ';' 431 {if (define_filename_trans()) return -1; } 432 | TYPE_TRANSITION names names ':' names identifier ';' 433 {if (define_compute_type(AVRULE_TRANSITION)) return -1;} 434 | TYPE_MEMBER names names ':' names identifier ';' 435 {if (define_compute_type(AVRULE_MEMBER)) return -1;} 436 | TYPE_CHANGE names names ':' names identifier ';' 437 {if (define_compute_type(AVRULE_CHANGE)) return -1;} 438 ; 439 range_trans_def : RANGE_TRANSITION names names mls_range_def ';' 440 { if (define_range_trans(0)) return -1; } 441 | RANGE_TRANSITION names names ':' names mls_range_def ';' 442 { if (define_range_trans(1)) return -1; } 443 ; 444 te_avtab_def : allow_def 445 | auditallow_def 446 | auditdeny_def 447 | dontaudit_def 448 | neverallow_def 449 ; 450 allow_def : ALLOW names names ':' names names ';' 451 {if (define_te_avtab(AVRULE_ALLOWED)) return -1; } 452 ; 453 auditallow_def : AUDITALLOW names names ':' names names ';' 454 {if (define_te_avtab(AVRULE_AUDITALLOW)) return -1; } 455 ; 456 auditdeny_def : AUDITDENY names names ':' names names ';' 457 {if (define_te_avtab(AVRULE_AUDITDENY)) return -1; } 458 ; 459 dontaudit_def : DONTAUDIT names names ':' names names ';' 460 {if (define_te_avtab(AVRULE_DONTAUDIT)) return -1; } 461 ; 462 neverallow_def : NEVERALLOW names names ':' names names ';' 463 {if (define_te_avtab(AVRULE_NEVERALLOW)) return -1; } 464 ; 465 attribute_role_def : ATTRIBUTE_ROLE identifier ';' 466 {if (define_attrib_role()) return -1; } 467 ; 468 role_type_def : ROLE identifier TYPES names ';' 469 {if (define_role_types()) return -1;} 470 ; 471 role_attr_def : ROLE identifier opt_attr_list ';' 472 {if (define_role_attr()) return -1;} 473 ; 474 role_dominance : DOMINANCE '{' roles '}' 475 ; 476 role_trans_def : ROLE_TRANSITION names names identifier ';' 477 {if (define_role_trans(0)) return -1; } 478 | ROLE_TRANSITION names names ':' names identifier ';' 479 {if (define_role_trans(1)) return -1;} 480 ; 481 role_allow_def : ALLOW names names ';' 482 {if (define_role_allow()) return -1; } 483 ; 484 roles : role_def 485 { $$ = $1; } 486 | roles role_def 487 { $$ = merge_roles_dom((role_datum_t*)$1, (role_datum_t*)$2); if ($$ == 0) return -1;} 488 ; 489 role_def : ROLE identifier_push ';' 490 {$$ = define_role_dom(NULL); if ($$ == 0) return -1;} 491 | ROLE identifier_push '{' roles '}' 492 {$$ = define_role_dom((role_datum_t*)$4); if ($$ == 0) return -1;} 493 ; 494 roleattribute_def : ROLEATTRIBUTE identifier id_comma_list ';' 495 {if (define_roleattribute()) return -1;} 496 ; 497 opt_constraints : constraints 498 | 499 ; 500 constraints : constraint_decl 501 | constraints constraint_decl 502 ; 503 constraint_decl : constraint_def 504 | validatetrans_def 505 ; 506 constraint_def : CONSTRAIN names names cexpr ';' 507 { if (define_constraint((constraint_expr_t*)$4)) return -1; } 508 ; 509 validatetrans_def : VALIDATETRANS names cexpr ';' 510 { if (define_validatetrans((constraint_expr_t*)$3)) return -1; } 511 ; 512 cexpr : '(' cexpr ')' 513 { $$ = $2; } 514 | NOT cexpr 515 { $$ = define_cexpr(CEXPR_NOT, $2, 0); 516 if ($$ == 0) return -1; } 517 | cexpr AND cexpr 518 { $$ = define_cexpr(CEXPR_AND, $1, $3); 519 if ($$ == 0) return -1; } 520 | cexpr OR cexpr 521 { $$ = define_cexpr(CEXPR_OR, $1, $3); 522 if ($$ == 0) return -1; } 523 | cexpr_prim 524 { $$ = $1; } 525 ; 526 cexpr_prim : U1 op U2 527 { $$ = define_cexpr(CEXPR_ATTR, CEXPR_USER, $2); 528 if ($$ == 0) return -1; } 529 | R1 role_mls_op R2 530 { $$ = define_cexpr(CEXPR_ATTR, CEXPR_ROLE, $2); 531 if ($$ == 0) return -1; } 532 | T1 op T2 533 { $$ = define_cexpr(CEXPR_ATTR, CEXPR_TYPE, $2); 534 if ($$ == 0) return -1; } 535 | U1 op { if (insert_separator(1)) return -1; } names_push 536 { $$ = define_cexpr(CEXPR_NAMES, CEXPR_USER, $2); 537 if ($$ == 0) return -1; } 538 | U2 op { if (insert_separator(1)) return -1; } names_push 539 { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_USER | CEXPR_TARGET), $2); 540 if ($$ == 0) return -1; } 541 | U3 op { if (insert_separator(1)) return -1; } names_push 542 { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_USER | CEXPR_XTARGET), $2); 543 if ($$ == 0) return -1; } 544 | R1 op { if (insert_separator(1)) return -1; } names_push 545 { $$ = define_cexpr(CEXPR_NAMES, CEXPR_ROLE, $2); 546 if ($$ == 0) return -1; } 547 | R2 op { if (insert_separator(1)) return -1; } names_push 548 { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_ROLE | CEXPR_TARGET), $2); 549 if ($$ == 0) return -1; } 550 | R3 op { if (insert_separator(1)) return -1; } names_push 551 { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_ROLE | CEXPR_XTARGET), $2); 552 if ($$ == 0) return -1; } 553 | T1 op { if (insert_separator(1)) return -1; } names_push 554 { $$ = define_cexpr(CEXPR_NAMES, CEXPR_TYPE, $2); 555 if ($$ == 0) return -1; } 556 | T2 op { if (insert_separator(1)) return -1; } names_push 557 { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_TYPE | CEXPR_TARGET), $2); 558 if ($$ == 0) return -1; } 559 | T3 op { if (insert_separator(1)) return -1; } names_push 560 { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_TYPE | CEXPR_XTARGET), $2); 561 if ($$ == 0) return -1; } 562 | SAMEUSER 563 { $$ = define_cexpr(CEXPR_ATTR, CEXPR_USER, CEXPR_EQ); 564 if ($$ == 0) return -1; } 565 | SOURCE ROLE { if (insert_separator(1)) return -1; } names_push 566 { $$ = define_cexpr(CEXPR_NAMES, CEXPR_ROLE, CEXPR_EQ); 567 if ($$ == 0) return -1; } 568 | TARGET ROLE { if (insert_separator(1)) return -1; } names_push 569 { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_ROLE | CEXPR_TARGET), CEXPR_EQ); 570 if ($$ == 0) return -1; } 571 | ROLE role_mls_op 572 { $$ = define_cexpr(CEXPR_ATTR, CEXPR_ROLE, $2); 573 if ($$ == 0) return -1; } 574 | SOURCE TYPE { if (insert_separator(1)) return -1; } names_push 575 { $$ = define_cexpr(CEXPR_NAMES, CEXPR_TYPE, CEXPR_EQ); 576 if ($$ == 0) return -1; } 577 | TARGET TYPE { if (insert_separator(1)) return -1; } names_push 578 { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_TYPE | CEXPR_TARGET), CEXPR_EQ); 579 if ($$ == 0) return -1; } 580 | L1 role_mls_op L2 581 { $$ = define_cexpr(CEXPR_ATTR, CEXPR_L1L2, $2); 582 if ($$ == 0) return -1; } 583 | L1 role_mls_op H2 584 { $$ = define_cexpr(CEXPR_ATTR, CEXPR_L1H2, $2); 585 if ($$ == 0) return -1; } 586 | H1 role_mls_op L2 587 { $$ = define_cexpr(CEXPR_ATTR, CEXPR_H1L2, $2); 588 if ($$ == 0) return -1; } 589 | H1 role_mls_op H2 590 { $$ = define_cexpr(CEXPR_ATTR, CEXPR_H1H2, $2); 591 if ($$ == 0) return -1; } 592 | L1 role_mls_op H1 593 { $$ = define_cexpr(CEXPR_ATTR, CEXPR_L1H1, $2); 594 if ($$ == 0) return -1; } 595 | L2 role_mls_op H2 596 { $$ = define_cexpr(CEXPR_ATTR, CEXPR_L2H2, $2); 597 if ($$ == 0) return -1; } 598 ; 599 op : EQUALS 600 { $$ = CEXPR_EQ; } 601 | NOTEQUAL 602 { $$ = CEXPR_NEQ; } 603 ; 604 role_mls_op : op 605 { $$ = $1; } 606 | DOM 607 { $$ = CEXPR_DOM; } 608 | DOMBY 609 { $$ = CEXPR_DOMBY; } 610 | INCOMP 611 { $$ = CEXPR_INCOMP; } 612 ; 613 users : user_def 614 | users user_def 615 ; 616 user_def : USER identifier ROLES names opt_mls_user ';' 617 {if (define_user()) return -1;} 618 ; 619 opt_mls_user : LEVEL mls_level_def RANGE mls_range_def 620 | 621 ; 622 initial_sid_contexts : initial_sid_context_def 623 | initial_sid_contexts initial_sid_context_def 624 ; 625 initial_sid_context_def : SID identifier security_context_def 626 {if (define_initial_sid_context()) return -1;} 627 ; 628 opt_dev_contexts : dev_contexts | 629 ; 630 dev_contexts : dev_context_def 631 | dev_contexts dev_context_def 632 ; 633 dev_context_def : pirq_context_def | 634 iomem_context_def | 635 ioport_context_def | 636 pci_context_def 637 ; 638 pirq_context_def : PIRQCON number security_context_def 639 {if (define_pirq_context($2)) return -1;} 640 ; 641 iomem_context_def : IOMEMCON number security_context_def 642 {if (define_iomem_context($2,$2)) return -1;} 643 | IOMEMCON number '-' number security_context_def 644 {if (define_iomem_context($2,$4)) return -1;} 645 ; 646 ioport_context_def : IOPORTCON number security_context_def 647 {if (define_ioport_context($2,$2)) return -1;} 648 | IOPORTCON number '-' number security_context_def 649 {if (define_ioport_context($2,$4)) return -1;} 650 ; 651 pci_context_def : PCIDEVICECON number security_context_def 652 {if (define_pcidevice_context($2)) return -1;} 653 ; 654 opt_fs_contexts : fs_contexts 655 | 656 ; 657 fs_contexts : fs_context_def 658 | fs_contexts fs_context_def 659 ; 660 fs_context_def : FSCON number number security_context_def security_context_def 661 {if (define_fs_context($2,$3)) return -1;} 662 ; 663 net_contexts : opt_port_contexts opt_netif_contexts opt_node_contexts 664 ; 665 opt_port_contexts : port_contexts 666 | 667 ; 668 port_contexts : port_context_def 669 | port_contexts port_context_def 670 ; 671 port_context_def : PORTCON identifier number security_context_def 672 {if (define_port_context($3,$3)) return -1;} 673 | PORTCON identifier number '-' number security_context_def 674 {if (define_port_context($3,$5)) return -1;} 675 ; 676 opt_netif_contexts : netif_contexts 677 | 678 ; 679 netif_contexts : netif_context_def 680 | netif_contexts netif_context_def 681 ; 682 netif_context_def : NETIFCON identifier security_context_def security_context_def 683 {if (define_netif_context()) return -1;} 684 ; 685 opt_node_contexts : node_contexts 686 | 687 ; 688 node_contexts : node_context_def 689 | node_contexts node_context_def 690 ; 691 node_context_def : NODECON ipv4_addr_def ipv4_addr_def security_context_def 692 {if (define_ipv4_node_context()) return -1;} 693 | NODECON ipv6_addr ipv6_addr security_context_def 694 {if (define_ipv6_node_context()) return -1;} 695 ; 696 opt_fs_uses : fs_uses 697 | 698 ; 699 fs_uses : fs_use_def 700 | fs_uses fs_use_def 701 ; 702 fs_use_def : FSUSEXATTR filesystem security_context_def ';' 703 {if (define_fs_use(SECURITY_FS_USE_XATTR)) return -1;} 704 | FSUSETASK identifier security_context_def ';' 705 {if (define_fs_use(SECURITY_FS_USE_TASK)) return -1;} 706 | FSUSETRANS identifier security_context_def ';' 707 {if (define_fs_use(SECURITY_FS_USE_TRANS)) return -1;} 708 ; 709 opt_genfs_contexts : genfs_contexts 710 | 711 ; 712 genfs_contexts : genfs_context_def 713 | genfs_contexts genfs_context_def 714 ; 715 genfs_context_def : GENFSCON filesystem path '-' identifier security_context_def 716 {if (define_genfs_context(1)) return -1;} 717 | GENFSCON filesystem path '-' '-' {insert_id("-", 0);} security_context_def 718 {if (define_genfs_context(1)) return -1;} 719 | GENFSCON filesystem path security_context_def 720 {if (define_genfs_context(0)) return -1;} 721 ; 722 ipv4_addr_def : IPV4_ADDR 723 { if (insert_id(yytext,0)) return -1; } 724 ; 725 security_context_def : identifier ':' identifier ':' identifier opt_mls_range_def 726 ; 727 opt_mls_range_def : ':' mls_range_def 728 | 729 ; 730 mls_range_def : mls_level_def '-' mls_level_def 731 {if (insert_separator(0)) return -1;} 732 | mls_level_def 733 {if (insert_separator(0)) return -1;} 734 ; 735 mls_level_def : identifier ':' id_comma_list 736 {if (insert_separator(0)) return -1;} 737 | identifier 738 {if (insert_separator(0)) return -1;} 739 ; 740 id_comma_list : identifier 741 | id_comma_list ',' identifier 742 ; 743 tilde : '~' 744 ; 745 asterisk : '*' 746 ; 747 names : identifier 748 { if (insert_separator(0)) return -1; } 749 | nested_id_set 750 { if (insert_separator(0)) return -1; } 751 | asterisk 752 { if (insert_id("*", 0)) return -1; 753 if (insert_separator(0)) return -1; } 754 | tilde identifier 755 { if (insert_id("~", 0)) return -1; 756 if (insert_separator(0)) return -1; } 757 | tilde nested_id_set 758 { if (insert_id("~", 0)) return -1; 759 if (insert_separator(0)) return -1; } 760 | identifier '-' { if (insert_id("-", 0)) return -1; } identifier 761 { if (insert_separator(0)) return -1; } 762 ; 763 tilde_push : tilde 764 { if (insert_id("~", 1)) return -1; } 765 ; 766 asterisk_push : asterisk 767 { if (insert_id("*", 1)) return -1; } 768 ; 769 names_push : identifier_push 770 | '{' identifier_list_push '}' 771 | asterisk_push 772 | tilde_push identifier_push 773 | tilde_push '{' identifier_list_push '}' 774 ; 775 identifier_list_push : identifier_push 776 | identifier_list_push identifier_push 777 ; 778 identifier_push : IDENTIFIER 779 { if (insert_id(yytext, 1)) return -1; } 780 ; 781 identifier_list : identifier 782 | identifier_list identifier 783 ; 784 nested_id_set : '{' nested_id_list '}' 785 ; 786 nested_id_list : nested_id_element | nested_id_list nested_id_element 787 ; 788 nested_id_element : identifier | '-' { if (insert_id("-", 0)) return -1; } identifier | nested_id_set 789 ; 790 identifier : IDENTIFIER 791 { if (insert_id(yytext,0)) return -1; } 792 ; 793 filesystem : FILESYSTEM 794 { if (insert_id(yytext,0)) return -1; } 795 | IDENTIFIER 796 { if (insert_id(yytext,0)) return -1; } 797 ; 798 path : PATH 799 { if (insert_id(yytext,0)) return -1; } 800 ; 801 filename : FILENAME 802 { yytext[strlen(yytext) - 1] = '\0'; if (insert_id(yytext + 1,0)) return -1; } 803 ; 804 number : NUMBER 805 { $$ = strtoul(yytext,NULL,0); } 806 ; 807 ipv6_addr : IPV6_ADDR 808 { if (insert_id(yytext,0)) return -1; } 809 ; 810 policycap_def : POLICYCAP identifier ';' 811 {if (define_polcap()) return -1;} 812 ; 813 permissive_def : PERMISSIVE identifier ';' 814 {if (define_permissive()) return -1;} 815 816 /*********** module grammar below ***********/ 817 818 module_policy : module_def avrules_block 819 { if (end_avrule_block(pass) == -1) return -1; 820 if (policydb_index_others(NULL, policydbp, 0)) return -1; 821 } 822 ; 823 module_def : MODULE identifier version_identifier ';' 824 { if (define_policy(pass, 1) == -1) return -1; } 825 ; 826 version_identifier : VERSION_IDENTIFIER 827 { if (insert_id(yytext,0)) return -1; } 828 | number 829 { if (insert_id(yytext,0)) return -1; } 830 | ipv4_addr_def /* version can look like ipv4 address */ 831 ; 832 avrules_block : avrule_decls avrule_user_defs 833 ; 834 avrule_decls : avrule_decls avrule_decl 835 | avrule_decl 836 ; 837 avrule_decl : rbac_decl 838 | te_decl 839 | cond_stmt_def 840 | require_block 841 | optional_block 842 | ';' 843 ; 844 require_block : REQUIRE '{' require_list '}' 845 ; 846 require_list : require_list require_decl 847 | require_decl 848 ; 849 require_decl : require_class ';' 850 | require_decl_def require_id_list ';' 851 ; 852 require_class : CLASS identifier names 853 { if (require_class(pass)) return -1; } 854 ; 855 require_decl_def : ROLE { $$ = require_role; } 856 | TYPE { $$ = require_type; } 857 | ATTRIBUTE { $$ = require_attribute; } 858 | ATTRIBUTE_ROLE { $$ = require_attribute_role; } 859 | USER { $$ = require_user; } 860 | BOOL { $$ = require_bool; } 861 | TUNABLE { $$ = require_tunable; } 862 | SENSITIVITY { $$ = require_sens; } 863 | CATEGORY { $$ = require_cat; } 864 ; 865 require_id_list : identifier 866 { if ($<require_func>0 (pass)) return -1; } 867 | require_id_list ',' identifier 868 { if ($<require_func>0 (pass)) return -1; } 869 ; 870 optional_block : optional_decl '{' avrules_block '}' 871 { if (end_avrule_block(pass) == -1) return -1; } 872 optional_else 873 { if (end_optional(pass) == -1) return -1; } 874 ; 875 optional_else : else_decl '{' avrules_block '}' 876 { if (end_avrule_block(pass) == -1) return -1; } 877 | /* empty */ 878 ; 879 optional_decl : OPTIONAL 880 { if (begin_optional(pass) == -1) return -1; } 881 ; 882 else_decl : ELSE 883 { if (begin_optional_else(pass) == -1) return -1; } 884 ; 885 avrule_user_defs : user_def avrule_user_defs 886 | /* empty */ 887 ; 888