libsepol/cil: Allow IP address and mask values to be directly written
The nodecon statement requires that the IP address and mask values be enclosed in parentheses so that these values can be distinguished from named IP addresses. But since an identifier in CIL cannot start with a number or contain colons, the parentheses are not really required. Allow IP address and mask values to be written directly and do not require (but still allow) parentheses around them. Distinguish between an address or mask and an identifier by checking if the first character is a number or if the string contains a colon. Both of these are now valid: (nodecon (10.0.0.1) (255.255.255.0) (USER ROLE TYPE ((SENS) (SENS)))) (nodecon 10.0.0.1 255.255.255.0 (USER ROLE TYPE ((SENS) (SENS)))) Signed-off-by: James Carter <jwcart2@gmail.com>
This commit is contained in:
parent
557cda5974
commit
dc676ab126
|
@ -4387,26 +4387,42 @@ int cil_gen_nodecon(struct cil_db *db, struct cil_tree_node *parse_current, stru
|
||||||
|
|
||||||
cil_nodecon_init(&nodecon);
|
cil_nodecon_init(&nodecon);
|
||||||
|
|
||||||
if (parse_current->next->cl_head == NULL ) {
|
if (parse_current->next->cl_head) {
|
||||||
nodecon->addr_str = parse_current->next->data;
|
|
||||||
} else {
|
|
||||||
cil_ipaddr_init(&nodecon->addr);
|
cil_ipaddr_init(&nodecon->addr);
|
||||||
|
|
||||||
rc = cil_fill_ipaddr(parse_current->next->cl_head, nodecon->addr);
|
rc = cil_fill_ipaddr(parse_current->next->cl_head, nodecon->addr);
|
||||||
if (rc != SEPOL_OK) {
|
if (rc != SEPOL_OK) {
|
||||||
goto exit;
|
goto exit;
|
||||||
}
|
}
|
||||||
|
} else {
|
||||||
|
char *addr = parse_current->next->data;
|
||||||
|
if (strchr(addr, ':') || (strchr(addr, '.') && isdigit(addr[0]))) {
|
||||||
|
cil_ipaddr_init(&nodecon->addr);
|
||||||
|
rc = cil_fill_ipaddr(parse_current->next, nodecon->addr);
|
||||||
|
if (rc != SEPOL_OK) {
|
||||||
|
goto exit;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
nodecon->addr_str = addr;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (parse_current->next->next->cl_head == NULL ) {
|
if (parse_current->next->next->cl_head) {
|
||||||
nodecon->mask_str = parse_current->next->next->data;
|
|
||||||
} else {
|
|
||||||
cil_ipaddr_init(&nodecon->mask);
|
cil_ipaddr_init(&nodecon->mask);
|
||||||
|
|
||||||
rc = cil_fill_ipaddr(parse_current->next->next->cl_head, nodecon->mask);
|
rc = cil_fill_ipaddr(parse_current->next->next->cl_head, nodecon->mask);
|
||||||
if (rc != SEPOL_OK) {
|
if (rc != SEPOL_OK) {
|
||||||
goto exit;
|
goto exit;
|
||||||
}
|
}
|
||||||
|
} else {
|
||||||
|
char *mask = parse_current->next->next->data;
|
||||||
|
if (strchr(mask, ':') || (strchr(mask, '.') && isdigit(mask[0]))) {
|
||||||
|
cil_ipaddr_init(&nodecon->mask);
|
||||||
|
rc = cil_fill_ipaddr(parse_current->next->next, nodecon->mask);
|
||||||
|
if (rc != SEPOL_OK) {
|
||||||
|
goto exit;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
nodecon->mask_str = mask;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (parse_current->next->next->next->cl_head == NULL ) {
|
if (parse_current->next->next->next->cl_head == NULL ) {
|
||||||
|
@ -5584,15 +5600,19 @@ exit:
|
||||||
int cil_fill_ipaddr(struct cil_tree_node *addr_node, struct cil_ipaddr *addr)
|
int cil_fill_ipaddr(struct cil_tree_node *addr_node, struct cil_ipaddr *addr)
|
||||||
{
|
{
|
||||||
int rc = SEPOL_ERR;
|
int rc = SEPOL_ERR;
|
||||||
|
char *addr_str;
|
||||||
|
|
||||||
if (addr_node == NULL || addr_node->data == NULL || addr == NULL) {
|
if (addr_node == NULL || addr_node->data == NULL || addr == NULL) {
|
||||||
goto exit;
|
goto exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (strchr(addr_node->data, ':') != NULL) {
|
addr_str = addr_node->data;
|
||||||
|
if (strchr(addr_str, ':')) {
|
||||||
addr->family = AF_INET6;
|
addr->family = AF_INET6;
|
||||||
} else {
|
} else if (strchr(addr_str, '.') && isdigit(addr_str[0])) {
|
||||||
addr->family = AF_INET;
|
addr->family = AF_INET;
|
||||||
|
} else {
|
||||||
|
goto exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
rc = inet_pton(addr->family, addr_node->data, &addr->ip);
|
rc = inet_pton(addr->family, addr_node->data, &addr->ip);
|
||||||
|
@ -5604,7 +5624,7 @@ int cil_fill_ipaddr(struct cil_tree_node *addr_node, struct cil_ipaddr *addr)
|
||||||
return SEPOL_OK;
|
return SEPOL_OK;
|
||||||
|
|
||||||
exit:
|
exit:
|
||||||
cil_log(CIL_ERR, "Bad ip address or netmask: %s\n", (addr_node && addr_node->data) ? (const char *)addr_node->data : "n/a");
|
cil_log(CIL_ERR, "Bad ip address or netmask: %s\n", (addr_node && addr_node->data) ? (const char *)addr_node->data : "NULL");
|
||||||
return rc;
|
return rc;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue