RepoMirrors
/
selinux
mirror of https://github.com/SELinuxProject/selinux
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
selinux/checkpolicy/policy_scan.l

398 lines
9.2 KiB
Plaintext
Raw Permalink Normal View History

initial import from svn trunk revision 2950
2008-08-19 19:30:36 +00:00
/*
checkpolicy,libselinux,libsepol,policycoreutils,semodule-utils: update my email Update my email address. Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com> Acked-by: James Carter <jwcart2@gmail.com>
2023-07-19 17:36:36 +00:00
* Author : Stephen Smalley, <stephen.smalley.work@gmail.com>
initial import from svn trunk revision 2950
2008-08-19 19:30:36 +00:00
*/
/* Updated: David Caplan, <dac@tresys.com>
*
* Added conditional policy language extensions
*
* Jason Tang <jtang@tresys.com>
*
* Added support for binary policy modules
*
* Copyright (C) 2003-5 Tresys Technology, LLC
checkpolicy: Add support for ibpkeycon labels Add checkpolicy support for scanning and parsing ibpkeycon labels. Also create a new ocontext for Infiniband Pkeys and define a new policydb version for infiniband support. Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
2017-05-22 13:08:23 +00:00
* Copyright (C) 2017 Mellanox Technologies Inc.
initial import from svn trunk revision 2950
2008-08-19 19:30:36 +00:00
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, version 2.
*/
/* FLASK */
%{
#include <sys/types.h>
checkpolicy: include <ctype.h> for isprint(3) Include the necessary header for isprint(3) to avoid an implicit function declaration: policy_scan.l: In function ‘yyerror’: policy_scan.l:342:13: warning: implicit declaration of function ‘isprint’ [-Wimplicit-function-declaration] 342 | if (isprint((unsigned char)yytext[0])) { | ^~~~~~~ policy_scan.l:36:1: note: include ‘<ctype.h>’ or provide a declaration of ‘isprint’ 35 | #include "y.tab.h" +++ |+#include <ctype.h> 36 | #endif This does not currently break the build cause -Werror is stripped for the parsing code to avoid breakage on old flex/bison versions that might not generate warning free code. Fixes: 39b3cc51350a ("checkpolicy: handle unprintable token") Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: James Carter <jwcart2@gmail.com>
2024-04-02 15:29:20 +00:00
#include <ctype.h>
initial import from svn trunk revision 2950
2008-08-19 19:30:36 +00:00
#include <limits.h>
#include <stdint.h>
#include <string.h>
Fix gcc -Wstrict-prototypes warnings In C, defining a function with () means "any number of parameters", not "no parameter". Use (void) instead where applicable and add unused parameters when needed. Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-09-14 21:41:49 +00:00
typedef int (* require_func_t)(void);
initial import from svn trunk revision 2950
2008-08-19 19:30:36 +00:00
checkpolicy: Android/MacOS X build support Android/MacOS X build support for checkpolicy. Create a Android.mk file for Android build integration. Introduce DARWIN ifdefs for building on MacOS X. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-02-23 15:14:13 +00:00
#ifdef ANDROID
#include "policy_parse.h"
#else
initial import from svn trunk revision 2950
2008-08-19 19:30:36 +00:00
#include "y.tab.h"
checkpolicy: Android/MacOS X build support Android/MacOS X build support for checkpolicy. Create a Android.mk file for Android build integration. Introduce DARWIN ifdefs for building on MacOS X. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-02-23 15:14:13 +00:00
#endif
initial import from svn trunk revision 2950
2008-08-19 19:30:36 +00:00
static char linebuf[2][255];
static unsigned int lno = 0;
checkpolicy: Add --werror flag to checkmodule and checkpolicy to treat warnings as errors. When the lexer encounters an unexpected character in a policy source file, it prints a warning, discards the character and moves on. In some build environments, these characters could be a symptom of an earlier problem, such as unintended results of expansion of preprocessor macros, and the ability to have the compiler halt on such issues would be helpful for diagnosis. Signed-off-by: Daniel Burgener <Daniel.Burgener@microsoft.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
2020-03-05 18:40:34 +00:00
int werror = 0;
checkpolicy: add missing forward declaration policy_scan.l:294:3: warning: implicit declaration of function 'yyerror' is invalid in C99 [-Wimplicit-function-declaration] { yyerror("unrecognized character");} ^ policy_scan.l:294:3: warning: this function declaration is not a prototype [-Wstrict-prototypes] Acked-by: William Roberts <william.c.roberts@intel.com> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-03-23 18:26:33 +00:00
int yyerror(const char *msg);
checkpolicy: constify the message written by yyerror and yywarn Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-09-14 21:41:39 +00:00
int yywarn(const char *msg);
initial import from svn trunk revision 2950
2008-08-19 19:30:36 +00:00
checkpolicy/fuzz: override YY_FATAL_ERROR The default action of the lexer macro YY_FATAL_ERROR(msg) is to print the message and call exit(). This might happen on an overlong token (8192 bytes) that does not fit into the token buffer. Fuzz targets must not call exit() though, since an exit is treated as an abnormal behavior, see https://llvm.org/docs/LibFuzzer.html#fuzz-target. Since YY_FATAL_ERROR is used in functions with different return value types and is expected to not return, jump to a location in the fuzzer right before yyparse() instead. Reported-by: oss-fuzz (issue 67728) Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: James Carter <jwcart2@gmail.com>
2024-04-02 15:29:21 +00:00
#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
/*
* Version that does not exit, like yy_fatal_error(),
* since fuzz targets must not call exit().
*/
#include <setjmp.h>
extern jmp_buf fuzzing_pre_parse_stack_state;
void yyfatal(const char *msg)
{
yyerror(msg);
longjmp(fuzzing_pre_parse_stack_state, 1);
}
#define YY_FATAL_ERROR(msg) yyfatal(msg)
#endif
initial import from svn trunk revision 2950
2008-08-19 19:30:36 +00:00
void set_source_file(const char *name);
char source_file[PATH_MAX];
unsigned long source_lineno = 1;
unsigned long policydb_lineno = 1;
unsigned int policydb_errors = 0;
%}
checkpolicy: Android/MacOS X build support Android/MacOS X build support for checkpolicy. Create a Android.mk file for Android build integration. Introduce DARWIN ifdefs for building on MacOS X. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-02-23 15:14:13 +00:00
%option noinput nounput noyywrap
initial import from svn trunk revision 2950
2008-08-19 19:30:36 +00:00
%array
letter [A-Za-z]
digit [0-9]
alnum [a-zA-Z0-9]
hexval [0-9A-Fa-f]
%%
checkpolicy: print warning on source line overflow In case the source line value overflows or has a too big value in the source policy print a warning. policy_scan.l:273:19: runtime error: implicit conversion from type 'int' of value -2 (32-bit, signed) to type 'unsigned long' changed the value to 18446744073709551614 (64-bit, unsigned) policy_scan.l:66:20: runtime error: unsigned integer overflow: 18446744073709551615 + 1 cannot be represented in type 'unsigned long' Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-09-14 12:48:27 +00:00
\n.* {
checkpolicy: ignore possible string truncation The source code line content, saved to improve error reporting, might get truncated, as the current Bison source buffer is 8192 bytes long and only 254 bytes (plus NUL-terminator) are reserved. As the saved string is only used for improving error reports and source lines longer than 254 character are quite uncommon, simply silence the GCC warning. In file included from /usr/include/string.h:519, from lex.yy.c:20: In function ‘strncpy’, inlined from ‘yylex’ at policy_scan.l:63:7: /usr/include/x86_64-linux-gnu/bits/string_fortified.h:91:10: warning: ‘__builtin_strncpy’ output may be truncated copying 255 bytes from a string of length 8190 [-Wstringop-truncation] 91 | return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest)); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-11-12 15:41:54 +00:00
#if defined(__GNUC__) && __GNUC__ >= 8
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wstringop-truncation"
#endif
checkpolicy: print warning on source line overflow In case the source line value overflows or has a too big value in the source policy print a warning. policy_scan.l:273:19: runtime error: implicit conversion from type 'int' of value -2 (32-bit, signed) to type 'unsigned long' changed the value to 18446744073709551614 (64-bit, unsigned) policy_scan.l:66:20: runtime error: unsigned integer overflow: 18446744073709551615 + 1 cannot be represented in type 'unsigned long' Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-09-14 12:48:27 +00:00
strncpy(linebuf[lno], yytext+1, 255);
checkpolicy: ignore possible string truncation The source code line content, saved to improve error reporting, might get truncated, as the current Bison source buffer is 8192 bytes long and only 254 bytes (plus NUL-terminator) are reserved. As the saved string is only used for improving error reports and source lines longer than 254 character are quite uncommon, simply silence the GCC warning. In file included from /usr/include/string.h:519, from lex.yy.c:20: In function ‘strncpy’, inlined from ‘yylex’ at policy_scan.l:63:7: /usr/include/x86_64-linux-gnu/bits/string_fortified.h:91:10: warning: ‘__builtin_strncpy’ output may be truncated copying 255 bytes from a string of length 8190 [-Wstringop-truncation] 91 | return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest)); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-11-12 15:41:54 +00:00
#if defined(__GNUC__) && __GNUC__ >= 8
#pragma GCC diagnostic pop
#endif
checkpolicy: print warning on source line overflow In case the source line value overflows or has a too big value in the source policy print a warning. policy_scan.l:273:19: runtime error: implicit conversion from type 'int' of value -2 (32-bit, signed) to type 'unsigned long' changed the value to 18446744073709551614 (64-bit, unsigned) policy_scan.l:66:20: runtime error: unsigned integer overflow: 18446744073709551615 + 1 cannot be represented in type 'unsigned long' Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-09-14 12:48:27 +00:00
linebuf[lno][254] = 0;
lno = 1 - lno;
policydb_lineno++;
if (source_lineno == ULONG_MAX)
yywarn("source line number overflow");
else
source_lineno++;
yyless(1);
}
initial import from svn trunk revision 2950
2008-08-19 19:30:36 +00:00
COMMON |
common { return(COMMON); }
CLASS |
class { return(CLASS); }
CONSTRAIN |
constrain { return(CONSTRAIN); }
VALIDATETRANS |
validatetrans { return(VALIDATETRANS); }
INHERITS |
inherits { return(INHERITS); }
SID |
sid { return(SID); }
ROLE |
role { return(ROLE); }
ROLES |
roles { return(ROLES); }
Add role attribute support when compiling modules. 1. Add a uint32_t "flavor" field and an ebitmap "roles" to the role_datum_t structure; 2. Add a new "attribute_role" statement and its handler to declare a role attribute; 3. Modify declare_role() to setup role_datum_t.flavor according to the isattr argument; 4. Add a new "roleattribute" rule and its handler, which will record the regular role's (policy value - 1) into the role attribute's role_datum_t.roles ebitmap; 5. Modify the syntax for the role-types rule only to define the role-type associations; 6. Add a new role-attr rule to support the declaration of a single role, and optionally the role attribute that the role belongs to; 7. Check if the new_role used in role-transition rule is a regular role; 8. Support to require a role attribute; 9. Modify symtab_insert() to allow multiple declarations only for the regular role, while a role attribute can't be declared more than once and can't share a same name with another regular role. Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2011-07-25 01:23:54 +00:00
ROLEATTRIBUTE |
roleattribute { return(ROLEATTRIBUTE);}
ATTRIBUTE_ROLE |
attribute_role { return(ATTRIBUTE_ROLE);}
initial import from svn trunk revision 2950
2008-08-19 19:30:36 +00:00
TYPES |
types { return(TYPES); }
TYPEALIAS |
typealias { return(TYPEALIAS); }
TYPEATTRIBUTE |
typeattribute { return(TYPEATTRIBUTE); }
Author: KaiGai Kohei Email: kaigai@ak.jp.nec.com Subject: Thread/Child-Domain Assignment (rev.2) Date: Tue, 05 Aug 2008 14:55:52 +0900 [2/3] thread-context-checkpolicy.2.patch It enables to support TYPEBOUNDS statement and to expand existing hierarchies implicitly. Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com> -- module_compiler.c | 86 +++++++++++++++++++++++++++++++++++++++++++++++++ policy_define.c | 93 +++++++++++++++++++++++++++++++++++++++++++++++++++++- policy_define.h | 1 policy_parse.y | 5 ++ policy_scan.l | 2 + 5 files changed, 186 insertions(+), 1 deletion(-) Signed-off-by: Joshua Brindle <method@manicmethod.com>
2008-10-08 10:56:51 +00:00
TYPEBOUNDS |
typebounds { return(TYPEBOUNDS); }
initial import from svn trunk revision 2950
2008-08-19 19:30:36 +00:00
TYPE |
type { return(TYPE); }
BOOL |
bool { return(BOOL); }
checkpolicy: Separate tunable from boolean during compile. Both boolean and tunable keywords are processed by define_bool_tunable(), argument 0 and 1 would be passed for boolean and tunable respectively. For tunable, a TUNABLE flag would be set in cond_bool_datum_t.flags. Note, when creating an if-else conditional we can not know if the tunable identifier is indeed a tunable(for example, a boolean may be misused in tunable_policy() or vice versa), thus the TUNABLE flag for cond_node_t would be calculated and used in expansion when all booleans/tunables copied during link. Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-09-01 03:29:41 +00:00
TUNABLE |
tunable { return(TUNABLE); }
initial import from svn trunk revision 2950
2008-08-19 19:30:36 +00:00
IF |
if { return(IF); }
ELSE |
else { return(ELSE); }
ALIAS |
alias { return(ALIAS); }
ATTRIBUTE |
attribute { return(ATTRIBUTE); }
Add attribute expansion options This commit adds attribute expansion statements to the policy language allowing compiler defaults to be overridden. Always expands an attribute example: expandattribute { foo } true; CIL example: (expandtypeattribute (foo) true) Never expand an attribute example: expandattribute { bar } false; CIL example: (expandtypeattribute (bar) false) Adding the annotations directly to policy was chosen over other methods as it is consistent with how targeted runtime optimizations are specified in other languages. For example, in C the "inline" command. Motivation expandattribute true: Android has been moving away from a monolithic policy binary to a two part split policy representing the Android platform and the underlying vendor-provided hardware interface. The goal is a stable API allowing these two parts to be updated independently of each other. Attributes provide an important mechanism for compatibility. For example, when the vendor provides a HAL for the platform, permissions needed by clients of the HAL can be granted to an attribute. Clients need only be assigned the attribute and do not need to be aware of the underlying types and permissions being granted. Inheriting permissions via attribute creates a convenient mechanism for independence between vendor and platform policy, but results in the creation of many attributes, and the potential for performance issues when processes are clients of many HALs. [1] Annotating these attributes for expansion at compile time allows us to retain the compatibility benefits of using attributes without the performance costs. [2] expandattribute false: Commit 0be23c3f15fd added the capability to aggresively remove unused attributes. This is generally useful as too many attributes assigned to a type results in lengthy policy look up times when there is a cache miss. However, removing attributes can also result in loss of information used in external tests. On Android, we're considering stripping neverallow rules from on-device policy. This is consistent with the kernel policy binary which also did not contain neverallows. Removing neverallow rules results in a 5-10% decrease in on-device policy build and load and a policy size decrease of ~250k. Neverallow rules are still asserted at build time and during device certification (CTS). If neverallow rules are absent when secilc is run, some attributes are being stripped from policy and neverallow tests in CTS may be violated. [3] This change retains the aggressive attribute stripping behavior but adds an override mechanism to preserve attributes marked as necessary. [1] https://github.com/SELinuxProject/cil/issues/9 [2] Annotating all HAL client attributes for expansion resulted in system_server's dropping from 19 attributes to 8. Because these attributes were not widely applied to other types, the final policy size change was negligible. [3] data_file_type and service_manager_type are stripped from AOSP policy when using secilc's -G option. This impacts 11 neverallow tests in CTS. Test: Build and boot Marlin with all hal_*_client attributes marked for expansion. Verify (using seinfo and sesearch) that permissions are correctly expanded from attributes to types. Test: Mark types being stripped by secilc with "preserve" and verify that they are retained in policy and applied to the same types. Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
2017-05-04 21:36:49 +00:00
EXPANDATTRIBUTE |
expandattribute { return(EXPANDATTRIBUTE); }
initial import from svn trunk revision 2950
2008-08-19 19:30:36 +00:00
TYPE_TRANSITION |
type_transition { return(TYPE_TRANSITION); }
TYPE_MEMBER |
type_member { return(TYPE_MEMBER); }
TYPE_CHANGE |
type_change { return(TYPE_CHANGE); }
ROLE_TRANSITION |
role_transition { return(ROLE_TRANSITION); }
RANGE_TRANSITION |
range_transition { return(RANGE_TRANSITION); }
SENSITIVITY |
sensitivity { return(SENSITIVITY); }
DOMINANCE |
dominance { return(DOMINANCE); }
CATEGORY |
category { return(CATEGORY); }
LEVEL |
level { return(LEVEL); }
RANGE |
range { return(RANGE); }
MLSCONSTRAIN |
mlsconstrain { return(MLSCONSTRAIN); }
MLSVALIDATETRANS |
mlsvalidatetrans { return(MLSVALIDATETRANS); }
USER |
user { return(USER); }
NEVERALLOW |
neverallow { return(NEVERALLOW); }
ALLOW |
allow { return(ALLOW); }
AUDITALLOW |
auditallow { return(AUDITALLOW); }
AUDITDENY |
auditdeny { return(AUDITDENY); }
DONTAUDIT |
dontaudit { return(DONTAUDIT); }
checkpolicy: switch operations to extended perms The ioctl operations code is being renamed to the more generic "extended permissions." This commit brings the policy compiler up to date with the kernel patch. Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
2015-06-12 16:01:12 +00:00
ALLOWXPERM |
Add neverallow support for ioctl extended permissions Neverallow rules for ioctl extended permissions will pass in two cases: 1. If extended permissions exist for the source-target-class set the test will pass if the neverallow values are excluded. 2. If extended permissions do not exist for the source-target-class set the test will pass if the ioctl permission is not granted. Signed-off-by: Jeff Vander Stoep <jeffv@google.com> Acked-by: Nick Kralevich <nnk@google.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-09-18 19:57:56 +00:00
allowxperm { return(ALLOWXPERM); }
checkpolicy: switch operations to extended perms The ioctl operations code is being renamed to the more generic "extended permissions." This commit brings the policy compiler up to date with the kernel patch. Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
2015-06-12 16:01:12 +00:00
AUDITALLOWXPERM |
Add neverallow support for ioctl extended permissions Neverallow rules for ioctl extended permissions will pass in two cases: 1. If extended permissions exist for the source-target-class set the test will pass if the neverallow values are excluded. 2. If extended permissions do not exist for the source-target-class set the test will pass if the ioctl permission is not granted. Signed-off-by: Jeff Vander Stoep <jeffv@google.com> Acked-by: Nick Kralevich <nnk@google.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-09-18 19:57:56 +00:00
auditallowxperm { return(AUDITALLOWXPERM); }
checkpolicy: switch operations to extended perms The ioctl operations code is being renamed to the more generic "extended permissions." This commit brings the policy compiler up to date with the kernel patch. Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
2015-06-12 16:01:12 +00:00
DONTAUDITXPERM |
Add neverallow support for ioctl extended permissions Neverallow rules for ioctl extended permissions will pass in two cases: 1. If extended permissions exist for the source-target-class set the test will pass if the neverallow values are excluded. 2. If extended permissions do not exist for the source-target-class set the test will pass if the ioctl permission is not granted. Signed-off-by: Jeff Vander Stoep <jeffv@google.com> Acked-by: Nick Kralevich <nnk@google.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-09-18 19:57:56 +00:00
dontauditxperm { return(DONTAUDITXPERM); }
NEVERALLOWXPERM |
neverallowxperm { return(NEVERALLOWXPERM); }
initial import from svn trunk revision 2950
2008-08-19 19:30:36 +00:00
SOURCE |
source { return(SOURCE); }
TARGET |
target { return(TARGET); }
SAMEUSER |
sameuser { return(SAMEUSER);}
module|MODULE { return(MODULE); }
require|REQUIRE { return(REQUIRE); }
optional|OPTIONAL { return(OPTIONAL); }
OR |
or { return(OR);}
AND |
and { return(AND);}
NOT |
not { return(NOT);}
xor |
XOR { return(XOR); }
eq |
EQ { return(EQUALS);}
true |
TRUE { return(CTRUE); }
false |
FALSE { return(CFALSE); }
dom |
DOM { return(DOM);}
domby |
DOMBY { return(DOMBY);}
INCOMP |
incomp { return(INCOMP);}
fscon |
FSCON { return(FSCON);}
checkpolicy: Add support for ibpkeycon labels Add checkpolicy support for scanning and parsing ibpkeycon labels. Also create a new ocontext for Infiniband Pkeys and define a new policydb version for infiniband support. Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
2017-05-22 13:08:23 +00:00
ibpkeycon |
IBPKEYCON { return(IBPKEYCON);}
checkpolicy: Add support for ibendportcon labels Add checkpolicy support for scanning and parsing ibendportcon labels. Also create a new ocontext for IB end ports. Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
2017-05-22 13:08:26 +00:00
ibendportcon |
IBENDPORTCON { return(IBENDPORTCON);}
initial import from svn trunk revision 2950
2008-08-19 19:30:36 +00:00
portcon |
PORTCON { return(PORTCON);}
netifcon |
NETIFCON { return(NETIFCON);}
nodecon |
NODECON { return(NODECON);}
checkpolicy: Add support for multiple target OSes Updated patch of checkpolicy based on input. On Tue, 2009-09-15 at 12:37 -0400, pjnuzzi wrote: > Add support for multiple target OSes by adding the -t target option to > checkpolicy. Implemented the new Xen ocontext identifiers pirqcon, > pcidevicecon, iomemcon and ioportcon. > > Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil> > > --- checkpolicy/checkpolicy.c | 20 ++- checkpolicy/policy_define.c | 272 ++++++++++++++++++++++++++++++++++++++++++++ checkpolicy/policy_define.h | 4 checkpolicy/policy_parse.y | 29 ++++ checkpolicy/policy_scan.l | 10 + 5 files changed, 330 insertions(+), 5 deletions(-) Signed-off-by: Joshua Brindle <method@manicmethod.com>
2009-09-29 14:06:26 +00:00
pirqcon |
PIRQCON { return(PIRQCON);}
iomemcon |
IOMEMCON { return(IOMEMCON);}
ioportcon |
IOPORTCON { return(IOPORTCON);}
pcidevicecon |
PCIDEVICECON { return(PCIDEVICECON);}
libsepol, checkpolicy: add device tree ocontext nodes to Xen policy In Xen on ARM, device tree nodes identified by a path (string) need to be labeled by the security policy. Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
2015-03-17 20:43:24 +00:00
devicetreecon |
DEVICETREECON { return(DEVICETREECON);}
initial import from svn trunk revision 2950
2008-08-19 19:30:36 +00:00
fs_use_xattr |
FS_USE_XATTR { return(FSUSEXATTR);}
fs_use_task |
FS_USE_TASK { return(FSUSETASK);}
fs_use_trans |
FS_USE_TRANS { return(FSUSETRANS);}
genfscon |
GENFSCON { return(GENFSCON);}
r1 |
R1 { return(R1); }
r2 |
R2 { return(R2); }
r3 |
R3 { return(R3); }
u1 |
U1 { return(U1); }
u2 |
U2 { return(U2); }
u3 |
U3 { return(U3); }
t1 |
T1 { return(T1); }
t2 |
T2 { return(T2); }
t3 |
T3 { return(T3); }
l1 |
L1 { return(L1); }
l2 |
L2 { return(L2); }
h1 |
H1 { return(H1); }
h2 |
H2 { return(H2); }
policycap |
POLICYCAP { return(POLICYCAP); }
permissive |
PERMISSIVE { return(PERMISSIVE); }
libsepol: checkpolicy: implement new default labeling behaviors We would like to be able to say that the user, role, or range of a newly created object should be based on the user, role, or range of either the source or the target of the creation operation. aka, for a new file this could be the user of the creating process or the user or the parent directory. This patch implements the new language and the policydb support to give this information to the kernel. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-12-05 18:28:51 +00:00
default_user |
DEFAULT_USER { return(DEFAULT_USER); }
default_role |
DEFAULT_ROLE { return(DEFAULT_ROLE); }
checkpolicy: libsepol: implement default type policy syntax We currently have a mechanism in which the default user, role, and range can be picked up from the source or the target object. This implements the same thing for types. The kernel will override this with type transition rules and similar. This is just the default if nothing specific is given. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-12-18 16:41:25 +00:00
default_type |
DEFAULT_TYPE { return(DEFAULT_TYPE); }
libsepol: checkpolicy: implement new default labeling behaviors We would like to be able to say that the user, role, or range of a newly created object should be based on the user, role, or range of either the source or the target of the creation operation. aka, for a new file this could be the user of the creating process or the user or the parent directory. This patch implements the new language and the policydb support to give this information to the kernel. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-12-05 18:28:51 +00:00
default_range |
DEFAULT_RANGE { return(DEFAULT_RANGE); }
low-high |
LOW-HIGH { return(LOW_HIGH); }
high |
HIGH { return(HIGH); }
low |
LOW { return(LOW); }
Add default_range glblub support Policy developers can set a default_range default to glblub and computed contexts will be the intersection of the ranges of the source and target contexts. This can be used by MLS userspace object managers to find the range of clearances that two contexts have in common. An example usage is computing a transition between the network context and the context of a user logging into an MLS application. For example, one can add a default with this cil: (defaultrange db_table glblub) or in te (base module only): default_range db_table glblub; and then test using the compute_create utility: $ ./compute_create system_u:system_r:kernel_t:s0:c1,c2,c5-s0:c1.c20 system_u:system_r:kernel_t:s0:c0.c20-s0:c0.c36 db_table system_u:object_r:kernel_t:s0:c1,c2,c5-s0:c1.c20 Some example range transitions are: User Permitted Range | Network Device Label | Computed Label ---------------------|----------------------|---------------- s0-s1:c0.c12 | s0 | s0 s0-s1:c0.c12 | s0-s1:c0.c1023 | s0-s1:c0.c12 s0-s4:c0.c512 | s1-s1:c0.c1023 | s1-s1:c0.c512 s0-s15:c0,c2 | s4-s6:c0.c128 | s4-s6:c0,c2 s0-s4 | s2-s6 | s2-s4 s0-s4 | s5-s8 | INVALID s5-s8 | s0-s4 | INVALID Signed-off-by: Joshua Brindle <joshua.brindle@crunchydata.com>
2019-09-09 18:05:57 +00:00
glblub |
GLBLUB { return(GLBLUB); }
Extend checkpolicy pathname matching. checkpolicy currently imposes arbitrary limits on pathnames used in genfscon and other statements. This prevents specifying certain paths in /proc such as those containing comma (,) characters. Generalize the PATH, QPATH, and FILENAME patterns to support most legal pathnames. For simplicity, we do not support pathnames containing newlines or quotes. Reported-by: Inamdar Sharif <isharif@nvidia.com> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-07-14 14:48:47 +00:00
"/"[^ \n\r\t\f]* { return(PATH); }
\""/"[^\"\n]*\" { return(QPATH); }
\"[^"/"\"\n]+\" { return(FILENAME); }
Genfscon 'dash' issue On Tue, 2008-10-14 at 02:00 +0000, korkishko Tymur wrote: > I have checked policy_parse.y. It has following rule for genfscon: > > genfs_context_def : GENFSCON identifier path '-' identifier security_context_def > {if (define_genfs_context(1)) return -1;} > | GENFSCON identifier path '-' '-' {insert_id("-", 0);} security_context_def > {if (define_genfs_context(1)) return -1;} > | GENFSCON identifier path security_context_def > {if (define_genfs_context(0)) return -1;} > > The rule for path definition (in policy_scan.l) has already included '-' (dash): > > "/"({alnum}|[_.-/])* { return(PATH); } > > In my understanding (maybe wrong), path is parsed first (and path might include '-') and only then separate '-' is parsed. > But it still produces an error if path definition is correct and includes '-'. > > Any ideas/patches how to fix grammar rules are welcomed. This looks like a bug in policy_scan.l - we are not escaping (via backslash) special characters in the pattern and thus the "-" (dash) is being interpreted rather than taken literally. The same would seemingly apply for "." (dot), and would seem relevant not only to PATH but also for IDENTIFIER. The patch below seems to fix this issue for me:
2008-10-14 14:57:24 +00:00
{letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); }
checkpolicy: Add support for multiple target OSes Updated patch of checkpolicy based on input. On Tue, 2009-09-15 at 12:37 -0400, pjnuzzi wrote: > Add support for multiple target OSes by adding the -t target option to > checkpolicy. Implemented the new Xen ocontext identifiers pirqcon, > pcidevicecon, iomemcon and ioportcon. > > Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil> > > --- checkpolicy/checkpolicy.c | 20 ++- checkpolicy/policy_define.c | 272 ++++++++++++++++++++++++++++++++++++++++++++ checkpolicy/policy_define.h | 4 checkpolicy/policy_parse.y | 29 ++++ checkpolicy/policy_scan.l | 10 + 5 files changed, 330 insertions(+), 5 deletions(-) Signed-off-by: Joshua Brindle <method@manicmethod.com>
2009-09-29 14:06:26 +00:00
{digit}+|0x{hexval}+ { return(NUMBER); }
checkpolicy: Fix precedence between number and filesystem tokens. When the FILESYSTEM token was added to support filesystem names that start with a digit (e.g. 9p), it was given higher precedence than NUMBER and therefore all values specified in hex (with 0x prefix) in policy will incorrectly match FILESYSTEM and yield a syntax error. This breaks use of iomem ranges in Xen policy and will break ioctl command ranges in a future SELinux policy version. Switch the precedence. This does mean that you cannot currently have a filesystem with a name that happens to be 0x followed by a hexval but hopefully that isn't an issue. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-03-10 16:39:17 +00:00
{alnum}*{letter}{alnum}* { return(FILESYSTEM); }
checkpolicy: support CIDR notation for nodecon statements Support the Classless Inter-Domain Routing (CIDR) notation for IP addresses with their associated network masks in nodecon statements. The two following statements are equivalent: nodecon 10.8.0.0 255.255.0.0 USER1:ROLE1:TYPE1 nodecon 10.8.0.0/16 USER1:ROLE1:TYPE1 Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: James Carter <jwcart2@gmail.com>
2024-05-08 17:04:22 +00:00
{digit}{1,3}(\.{digit}{1,3}){3}"/"{digit}{1,2} { return(IPV4_CIDR); }
initial import from svn trunk revision 2950
2008-08-19 19:30:36 +00:00
{digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); }
{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); }
checkpolicy: support CIDR notation for nodecon statements Support the Classless Inter-Domain Routing (CIDR) notation for IP addresses with their associated network masks in nodecon statements. The two following statements are equivalent: nodecon 10.8.0.0 255.255.0.0 USER1:ROLE1:TYPE1 nodecon 10.8.0.0/16 USER1:ROLE1:TYPE1 Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: James Carter <jwcart2@gmail.com>
2024-05-08 17:04:22 +00:00
{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])*"/"{digit}{1,3} { return(IPV6_CIDR); }
initial import from svn trunk revision 2950
2008-08-19 19:30:36 +00:00
{digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); }
#line[ ]1[ ]\"[^\n]*\" { set_source_file(yytext+9); }
checkpolicy: print warning on source line overflow In case the source line value overflows or has a too big value in the source policy print a warning. policy_scan.l:273:19: runtime error: implicit conversion from type 'int' of value -2 (32-bit, signed) to type 'unsigned long' changed the value to 18446744073709551614 (64-bit, unsigned) policy_scan.l:66:20: runtime error: unsigned integer overflow: 18446744073709551615 + 1 cannot be represented in type 'unsigned long' Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-09-14 12:48:27 +00:00
#line[ ]{digit}+ {
errno = 0;
source_lineno = strtoul(yytext+6, NULL, 10) - 1;
if (errno) {
yywarn("source line number too big");
}
}
initial import from svn trunk revision 2950
2008-08-19 19:30:36 +00:00
#[^\n]* { /* delete comments */ }
[ \t\f]+ { /* delete whitespace */ }
"==" { return(EQUALS); }
"!=" { return (NOTEQUAL); }
"&&" { return (AND); }
"||" { return (OR); }
"!" { return (NOT); }
"^" { return (XOR); }
"," |
":" |
";" |
"(" |
")" |
"{" |
"}" |
"[" |
"-" |
"." |
"]" |
"~" |
"*" { return(yytext[0]); }
checkpolicy: use YYerror only when available The special error value YYerror is only available since bison 3.6 (released 2020). For example the version used by oss-fuzz does not support it. Use a special token in case YYerror is not available. Only downside is a duplicate error message, one from the manual yyerror() call and one from within bison for the unexpected special token (which would be omitted by using YYerror). Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: James Carter <jwcart2@gmail.com>
2024-03-22 14:50:48 +00:00
. { yyerror("unrecognized character");
/* Available since bison 3.6, avoids duplicate error message */
#ifdef YYerror
return YYerror;
#else
return INVALID_CHAR;
#endif
}
initial import from svn trunk revision 2950
2008-08-19 19:30:36 +00:00
%%
checkpolicy: constify the message written by yyerror and yywarn Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-09-14 21:41:39 +00:00
int yyerror(const char *msg)
initial import from svn trunk revision 2950
2008-08-19 19:30:36 +00:00
{
checkpolicy: add libfuzz based fuzzer Introduce a libfuzz[1] based fuzzer testing the parsing and policy generation code used within checkpolicy(8) and checkmodule(8), similar to the fuzzer for secilc(8). The fuzzer will work on generated source policy input and try to parse, link, expand, optimize, sort and output it. This fuzzer will also ensure policy validation is not too strict by checking compilable source policies are valid. Build the fuzzer in the oss-fuzz script. [1]: https://llvm.org/docs/LibFuzzer.html Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: James Carter <jwcart2@gmail.com>
2024-01-22 13:54:53 +00:00
#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
checkpolicy: handle unprintable token In case the erroneous token is unprintable, e.g. a control character, print its hex value instead. Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: James Carter <jwcart2@gmail.com>
2024-03-22 14:50:49 +00:00
const char *token;
char buf[8];
if (isprint((unsigned char)yytext[0])) {
token = yytext;
} else {
snprintf(buf, sizeof(buf), "%#x", yytext[0]);
token = buf;
}
initial import from svn trunk revision 2950
2008-08-19 19:30:36 +00:00
if (source_file[0])
checkpolicy: use correct unsigned format specifiers The two variables policydb_lineno and source_lineno are both of the type unsigned long; use the appropriate format specifier. Found by Cppcheck Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-11-12 15:41:50 +00:00
fprintf(stderr, "%s:%lu:",
initial import from svn trunk revision 2950
2008-08-19 19:30:36 +00:00
source_file, source_lineno);
else
fprintf(stderr, "(unknown source)::");
checkpolicy: use correct unsigned format specifiers The two variables policydb_lineno and source_lineno are both of the type unsigned long; use the appropriate format specifier. Found by Cppcheck Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-11-12 15:41:50 +00:00
fprintf(stderr, "ERROR '%s' at token '%s' on line %lu:\n%s\n%s\n",
initial import from svn trunk revision 2950
2008-08-19 19:30:36 +00:00
msg,
checkpolicy: handle unprintable token In case the erroneous token is unprintable, e.g. a control character, print its hex value instead. Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: James Carter <jwcart2@gmail.com>
2024-03-22 14:50:49 +00:00
token,
initial import from svn trunk revision 2950
2008-08-19 19:30:36 +00:00
policydb_lineno,
linebuf[0], linebuf[1]);
checkpolicy: add libfuzz based fuzzer Introduce a libfuzz[1] based fuzzer testing the parsing and policy generation code used within checkpolicy(8) and checkmodule(8), similar to the fuzzer for secilc(8). The fuzzer will work on generated source policy input and try to parse, link, expand, optimize, sort and output it. This fuzzer will also ensure policy validation is not too strict by checking compilable source policies are valid. Build the fuzzer in the oss-fuzz script. [1]: https://llvm.org/docs/LibFuzzer.html Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: James Carter <jwcart2@gmail.com>
2024-01-22 13:54:53 +00:00
#else
(void)msg;
#endif
initial import from svn trunk revision 2950
2008-08-19 19:30:36 +00:00
policydb_errors++;
return -1;
}
checkpolicy: constify the message written by yyerror and yywarn Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-09-14 21:41:39 +00:00
int yywarn(const char *msg)
initial import from svn trunk revision 2950
2008-08-19 19:30:36 +00:00
{
checkpolicy: Add --werror flag to checkmodule and checkpolicy to treat warnings as errors. When the lexer encounters an unexpected character in a policy source file, it prints a warning, discards the character and moves on. In some build environments, these characters could be a symptom of an earlier problem, such as unintended results of expansion of preprocessor macros, and the ability to have the compiler halt on such issues would be helpful for diagnosis. Signed-off-by: Daniel Burgener <Daniel.Burgener@microsoft.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
2020-03-05 18:40:34 +00:00
if (werror)
return yyerror(msg);
checkpolicy: add libfuzz based fuzzer Introduce a libfuzz[1] based fuzzer testing the parsing and policy generation code used within checkpolicy(8) and checkmodule(8), similar to the fuzzer for secilc(8). The fuzzer will work on generated source policy input and try to parse, link, expand, optimize, sort and output it. This fuzzer will also ensure policy validation is not too strict by checking compilable source policies are valid. Build the fuzzer in the oss-fuzz script. [1]: https://llvm.org/docs/LibFuzzer.html Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: James Carter <jwcart2@gmail.com>
2024-01-22 13:54:53 +00:00
#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
initial import from svn trunk revision 2950
2008-08-19 19:30:36 +00:00
if (source_file[0])
checkpolicy: use correct unsigned format specifiers The two variables policydb_lineno and source_lineno are both of the type unsigned long; use the appropriate format specifier. Found by Cppcheck Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-11-12 15:41:50 +00:00
fprintf(stderr, "%s:%lu:",
initial import from svn trunk revision 2950
2008-08-19 19:30:36 +00:00
source_file, source_lineno);
else
fprintf(stderr, "(unknown source)::");
checkpolicy: use correct unsigned format specifiers The two variables policydb_lineno and source_lineno are both of the type unsigned long; use the appropriate format specifier. Found by Cppcheck Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-11-12 15:41:50 +00:00
fprintf(stderr, "WARNING '%s' at token '%s' on line %lu:\n%s\n%s\n",
initial import from svn trunk revision 2950
2008-08-19 19:30:36 +00:00
msg,
yytext,
policydb_lineno,
linebuf[0], linebuf[1]);
checkpolicy: add libfuzz based fuzzer Introduce a libfuzz[1] based fuzzer testing the parsing and policy generation code used within checkpolicy(8) and checkmodule(8), similar to the fuzzer for secilc(8). The fuzzer will work on generated source policy input and try to parse, link, expand, optimize, sort and output it. This fuzzer will also ensure policy validation is not too strict by checking compilable source policies are valid. Build the fuzzer in the oss-fuzz script. [1]: https://llvm.org/docs/LibFuzzer.html Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: James Carter <jwcart2@gmail.com>
2024-01-22 13:54:53 +00:00
#endif
initial import from svn trunk revision 2950
2008-08-19 19:30:36 +00:00
return 0;
}
void set_source_file(const char *name)
{
source_lineno = 1;
strncpy(source_file, name, sizeof(source_file)-1);
source_file[sizeof(source_file)-1] = '\0';
Report source file and line information for neverallow failures. Change-Id: I0def97a5f2f6097e2dad7bcd5395b8fa740d7073 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-05 21:06:42 +00:00
if (strlen(source_file) && source_file[strlen(source_file)-1] == '"')
source_file[strlen(source_file)-1] = '\0';
initial import from svn trunk revision 2950
2008-08-19 19:30:36 +00:00
}