Extend checkpolicy pathname matching.

checkpolicy currently imposes arbitrary limits on pathnames used
in genfscon and other statements.  This prevents specifying certain
paths in /proc such as those containing comma (,) characters.

Generalize the PATH, QPATH, and FILENAME patterns to support most
legal pathnames.

For simplicity, we do not support pathnames containing newlines or
quotes.

Reported-by: Inamdar Sharif <isharif@nvidia.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This commit is contained in:
Stephen Smalley 2016-07-14 10:48:47 -04:00
parent c983674138
commit 2c1979f0a6

View File

@ -249,9 +249,9 @@ high |
HIGH { return(HIGH); }
low |
LOW { return(LOW); }
"/"({alnum}|[_\.\-/])* { return(PATH); }
\""/"[ !#-~]*\" { return(QPATH); }
\"({alnum}|[_\.\-\+\~\: ])+\" { return(FILENAME); }
"/"[^ \n\r\t\f]* { return(PATH); }
\""/"[^\"\n]*\" { return(QPATH); }
\"[^"/"\"\n]+\" { return(FILENAME); }
{letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); }
{digit}+|0x{hexval}+ { return(NUMBER); }
{alnum}*{letter}{alnum}* { return(FILESYSTEM); }