* [PATCH] Checkpolicy: Allow filesystem names to start with a digit
@ 2011-01-12 21:29 James Carter
From: James Carter @ 2011-01-12 21:29 UTC (permalink / raw)
To: SELinux; +Cc: Daniel J Walsh
The patch below allows filesystem names in fs_use_* and genfscon
statements to start with a digit, but still requires at least one
character to be a letter. A new token type for filesystem names is
created since these names have nothing to do with SELinux.

This patch is needed because some filesystem names (such as 9p) start
with a digit.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
---
policy_parse.y | 14 ++++++++++----
policy_scan.l | 1 +
2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y
index 8d1bc37..0777238 100644
--- a/checkpolicy/policy_parse.y
+++ b/checkpolicy/policy_parse.y
@@ -138,6 +138,7 @@ typedef int (* require_func_t)();
%token MODULE VERSION_IDENTIFIER REQUIRE OPTIONAL
%token POLICYCAP
%token PERMISSIVE
+%token FILESYSTEM
%left OR
%left XOR
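Review bot: the new `%token FILESYSTEM` line would benefit from a short comment stating the lexeme shape it is meant to carry (alphanumerics containing at least one letter, e.g. 9p), since nothing in the grammar file otherwise tells a reader how it differs from IDENTIFIER; the real behaviour is decided by the rule ordering in policy_scan.l, so a pointer to that rule here helps the next person who touches either file.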
@@ -637,7 +638,7 @@ opt_fs_uses : fs_uses
fs_uses : fs_use_def
| fs_uses fs_use_def
;
-fs_use_def : FSUSEXATTR identifier security_context_def ';'
+fs_use_def : FSUSEXATTR filesystem security_context_def ';'
{if (define_fs_use(SECURITY_FS_USE_XATTR)) return -1;}
| FSUSETASK identifier security_context_def ';'
{if (define_fs_use(SECURITY_FS_USE_TASK)) return -1;}
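Review bot: only the FSUSEXATTR alternative is switched to `filesystem`; the context line `| FSUSETASK identifier security_context_def ';'` is left unchanged, and the diffstat (10 insertions, 4 deletions in policy_parse.y) is fully accounted for by the hunks shown, so the other fs_use_ alternatives still take `identifier`. That contradicts the commit message, which says fs_use_* statements are covered: `fs_use_task 9p ...` would still be rejected. Suggest changing the remaining alternatives in the same way, e.g. `| FSUSETASK filesystem security_context_def ';'`.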
@@ -650,11 +651,11 @@ opt_genfs_contexts : genfs_contexts
genfs_contexts : genfs_context_def
| genfs_contexts genfs_context_def
;
-genfs_context_def : GENFSCON identifier path '-' identifier security_context_def
+genfs_context_def : GENFSCON filesystem path '-' identifier security_context_def
{if (define_genfs_context(1)) return -1;}
- | GENFSCON identifier path '-' '-' {insert_id("-", 0);} security_context_def
+ | GENFSCON filesystem path '-' '-' {insert_id("-", 0);} security_context_def
{if (define_genfs_context(1)) return -1;}
- | GENFSCON identifier path security_context_def
+ | GENFSCON filesystem path security_context_def
{if (define_genfs_context(0)) return -1;}
;
ipv4_addr_def : IPV4_ADDR
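Review bot: all three genfscon alternatives now take `filesystem` for the name while the file-type argument after `'-'` stays `identifier`, which is the right split. Style point on a line this hunk rewrites: the mid-rule action `{insert_id("-", 0);}` discards the return value of insert_id while every neighbouring action checks it with `if (...) return -1;`; it is pre-existing, but since the line is being replaced anyway it could become `{ if (insert_id("-", 0)) return -1; }` so an allocation failure there is not silently ignored.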
@@ -728,6 +729,11 @@ nested_id_element : identifier | '-' { if (insert_id("-", 0)) return -1; }
identifier : IDENTIFIER
{ if (insert_id(yytext,0)) return -1; }
;
+filesystem : FILESYSTEM
+ { if (insert_id(yytext,0)) return -1; }
+ | IDENTIFIER
+ { if (insert_id(yytext,0)) return -1; }
+ ;
path : PATH
{ if (insert_id(yytext,0)) return -1; }
;
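Review bot: the new `filesystem` nonterminal needs a comment explaining why it also accepts IDENTIFIER. A name that begins with a letter (ext3, proc) still lexes as IDENTIFIER, because that scanner rule precedes FILESYSTEM and wins an equal-length match, so without the second alternative ordinary fs_use_xattr and genfscon lines would stop parsing. Both actions are identical, which is fine, but a reader should not have to work out from the scanner that the only reason for the two alternatives is the token split.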
diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
index 48128a8..65aff8d 100644
--- a/checkpolicy/policy_scan.l
+++ b/checkpolicy/policy_scan.l
@@ -217,6 +217,7 @@ permissive |
PERMISSIVE { return(PERMISSIVE); }
"/"({alnum}|[_\.\-/])* { return(PATH); }
{letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); }
+{alnum}*{letter}{alnum}* { return(FILESYSTEM); }
{digit}+|0x{hexval}+ { return(NUMBER); }
{digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); }
{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); }
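Review bot: `{alnum}*{letter}{alnum}* { return(FILESYSTEM); }` is placed above the NUMBER rule, and flex resolves equal-length matches in favour of the earlier rule, so a hexadecimal literal such as 0xfed40 (its `x` is a letter) now matches FILESYSTEM at the same length as `0x{hexval}+` and is returned as FILESYSTEM instead of NUMBER, breaking every statement that expects a NUMBER there. Move the new rule below `{digit}+|0x{hexval}+ { return(NUMBER); }`: 9p still lexes as FILESYSTEM because that match (2 characters) is longer than the NUMBER match on `9`. Consider also allowing `_`, `-` and `.` in the pattern, as the IDENTIFIER rule does, so a digit-initial filesystem name is not narrower than a letter-initial one.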
--
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: [PATCH] Checkpolicy: Allow filesystem names to start with a digit
From: Steve Lawrence @ 2011-05-17 14:26 UTC (permalink / raw)
To: jwcart2; +Cc: SELinux, Daniel J Walsh
On 01/12/2011 04:29 PM, James Carter wrote:
> The patch below allows filesystem names in fs_use_* and genfscon
> statements to start with a digit, but still requires at least one
> character to be a letter. A new token type for filesystem names is
> created since these names have nothing to do with SELinux.
>
> This patch is needed because some filesystem names (such as 9p) start
> with a digit.
>
>
> Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
>
> ---
> policy_parse.y | 14 ++++++++++----
> policy_scan.l | 1 +
> 2 files changed, 11 insertions(+), 4 deletions(-)
>
> diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y
> index 8d1bc37..0777238 100644
> --- a/checkpolicy/policy_parse.y
> +++ b/checkpolicy/policy_parse.y
> @@ -138,6 +138,7 @@ typedef int (* require_func_t)();
> %token MODULE VERSION_IDENTIFIER REQUIRE OPTIONAL
> %token POLICYCAP
> %token PERMISSIVE
> +%token FILESYSTEM
>
> %left OR
> %left XOR
> @@ -637,7 +638,7 @@ opt_fs_uses : fs_uses
> fs_uses : fs_use_def
> | fs_uses fs_use_def
> ;
> -fs_use_def : FSUSEXATTR identifier security_context_def ';'
> +fs_use_def : FSUSEXATTR filesystem security_context_def ';'
> {if (define_fs_use(SECURITY_FS_USE_XATTR)) return -1;}
> | FSUSETASK identifier security_context_def ';'
> {if (define_fs_use(SECURITY_FS_USE_TASK)) return -1;}
> @@ -650,11 +651,11 @@ opt_genfs_contexts : genfs_contexts
> genfs_contexts : genfs_context_def
> | genfs_contexts genfs_context_def
> ;
> -genfs_context_def : GENFSCON identifier path '-' identifier security_context_def
> +genfs_context_def : GENFSCON filesystem path '-' identifier security_context_def
> {if (define_genfs_context(1)) return -1;}
> - | GENFSCON identifier path '-' '-' {insert_id("-", 0);} security_context_def
> + | GENFSCON filesystem path '-' '-' {insert_id("-", 0);} security_context_def
> {if (define_genfs_context(1)) return -1;}
> - | GENFSCON identifier path security_context_def
> + | GENFSCON filesystem path security_context_def
> {if (define_genfs_context(0)) return -1;}
> ;
> ipv4_addr_def : IPV4_ADDR
> @@ -728,6 +729,11 @@ nested_id_element : identifier | '-' { if (insert_id("-", 0)) return -1; }
> identifier : IDENTIFIER
> { if (insert_id(yytext,0)) return -1; }
> ;
> +filesystem : FILESYSTEM
> + { if (insert_id(yytext,0)) return -1; }
> + | IDENTIFIER
> + { if (insert_id(yytext,0)) return -1; }
> + ;
> path : PATH
> { if (insert_id(yytext,0)) return -1; }
> ;
> diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
> index 48128a8..65aff8d 100644
> --- a/checkpolicy/policy_scan.l
> +++ b/checkpolicy/policy_scan.l
> @@ -217,6 +217,7 @@ permissive |
> PERMISSIVE { return(PERMISSIVE); }
> "/"({alnum}|[_\.\-/])* { return(PATH); }
> {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); }
> +{alnum}*{letter}{alnum}* { return(FILESYSTEM); }
> {digit}+|0x{hexval}+ { return(NUMBER); }
> {digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); }
> {hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); }
>
Applied in checkpolicy-2.0.26. Thanks!
* Re: [PATCH] Checkpolicy: Allow filesystem names to start with a digit
From: Stephen Smalley @ 2012-02-09 17:43 UTC (permalink / raw)
To: jwcart2; +Cc: SELinux, Daniel J Walsh, Daniel De Graaf
On Wed, 2011-01-12 at 16:29 -0500, James Carter wrote:
> The patch below allows filesystem names in fs_use_* and genfscon
> statements to start with a digit, but still requires at least one
> character to be a letter. A new token type for filesystem names is
> created since these names have nothing to do with SELinux.
>
> This patch is needed because some filesystem names (such as 9p) start
> with a digit.
>
>
> Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
This causes hex values like 0xfed40 to match FILESYSTEM rather than
NUMBER, thereby breaking iomemcon object context entries for Xen
policies.
>
> ---
> policy_parse.y | 14 ++++++++++----
> policy_scan.l | 1 +
> 2 files changed, 11 insertions(+), 4 deletions(-)
>
> diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y
> index 8d1bc37..0777238 100644
> --- a/checkpolicy/policy_parse.y
> +++ b/checkpolicy/policy_parse.y
> @@ -138,6 +138,7 @@ typedef int (* require_func_t)();
> %token MODULE VERSION_IDENTIFIER REQUIRE OPTIONAL
> %token POLICYCAP
> %token PERMISSIVE
> +%token FILESYSTEM
>
> %left OR
> %left XOR
> @@ -637,7 +638,7 @@ opt_fs_uses : fs_uses
> fs_uses : fs_use_def
> | fs_uses fs_use_def
> ;
> -fs_use_def : FSUSEXATTR identifier security_context_def ';'
> +fs_use_def : FSUSEXATTR filesystem security_context_def ';'
> {if (define_fs_use(SECURITY_FS_USE_XATTR)) return -1;}
> | FSUSETASK identifier security_context_def ';'
> {if (define_fs_use(SECURITY_FS_USE_TASK)) return -1;}
> @@ -650,11 +651,11 @@ opt_genfs_contexts : genfs_contexts
> genfs_contexts : genfs_context_def
> | genfs_contexts genfs_context_def
> ;
> -genfs_context_def : GENFSCON identifier path '-' identifier security_context_def
> +genfs_context_def : GENFSCON filesystem path '-' identifier security_context_def
> {if (define_genfs_context(1)) return -1;}
> - | GENFSCON identifier path '-' '-' {insert_id("-", 0);} security_context_def
> + | GENFSCON filesystem path '-' '-' {insert_id("-", 0);} security_context_def
> {if (define_genfs_context(1)) return -1;}
> - | GENFSCON identifier path security_context_def
> + | GENFSCON filesystem path security_context_def
> {if (define_genfs_context(0)) return -1;}
> ;
> ipv4_addr_def : IPV4_ADDR
> @@ -728,6 +729,11 @@ nested_id_element : identifier | '-' { if (insert_id("-", 0)) return -1; }
> identifier : IDENTIFIER
> { if (insert_id(yytext,0)) return -1; }
> ;
> +filesystem : FILESYSTEM
> + { if (insert_id(yytext,0)) return -1; }
> + | IDENTIFIER
> + { if (insert_id(yytext,0)) return -1; }
> + ;
> path : PATH
> { if (insert_id(yytext,0)) return -1; }
> ;
> diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
> index 48128a8..65aff8d 100644
> --- a/checkpolicy/policy_scan.l
> +++ b/checkpolicy/policy_scan.l
> @@ -217,6 +217,7 @@ permissive |
> PERMISSIVE { return(PERMISSIVE); }
> "/"({alnum}|[_\.\-/])* { return(PATH); }
> {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); }
> +{alnum}*{letter}{alnum}* { return(FILESYSTEM); }
> {digit}+|0x{hexval}+ { return(NUMBER); }
> {digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); }
> {hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); }
>
--
Stephen Smalley
National Security Agency
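To make the tie-break behind the 0xfed40 report concrete, here is an added Python model of flex's rule selection (longest match wins, earliest rule wins a tie) applied to the three scanner rules from the hunk; it is example code, not checkpolicy's scanner, and it assumes the usual letter/digit/hexval character classes. The reordered rule list is an assumption of this example to show the effect of placing FILESYSTEM below NUMBER, not the fix the project adopted.

```python
import re

# Character classes as flex-style definitions (assumption: the usual
# letter=[A-Za-z], digit=[0-9], hexval=[0-9A-Fa-f] used by checkpolicy).
LETTER, DIGIT = r"[A-Za-z]", r"[0-9]"
ALNUM, HEXVAL = r"[A-Za-z0-9]", r"[0-9A-Fa-f]"

# The three scanner rules from the hunk, in the order the patch places them.
PATCH_ORDER = [
    ("IDENTIFIER", rf"{LETTER}({ALNUM}|[_\-])*(\.?({ALNUM}|[_\-]))*"),
    ("FILESYSTEM", rf"{ALNUM}*{LETTER}{ALNUM}*"),
    ("NUMBER", rf"{DIGIT}+|0x{HEXVAL}+"),
]

# Candidate ordering (an assumption of this example, not the project's fix):
# the same rules with FILESYSTEM moved below NUMBER.
REORDERED = [PATCH_ORDER[0], PATCH_ORDER[2], PATCH_ORDER[1]]


def longest_prefix(pattern, text):
    """flex/POSIX semantics: the longest prefix of text the rule fully matches."""
    for n in range(len(text), 0, -1):
        if re.fullmatch(pattern, text[:n]):
            return text[:n]
    return ""


def flex_token(rules, text):
    """Return (token, lexeme) as flex would choose it: the longest match wins,
    and when two rules match the same length the rule listed first wins."""
    best_name, best_lexeme = None, ""
    for name, pattern in rules:
        lexeme = longest_prefix(pattern, text)
        if len(lexeme) > len(best_lexeme):  # strict '>' keeps the earlier rule on ties
            best_name, best_lexeme = name, lexeme
    return best_name, best_lexeme


if __name__ == "__main__":
    # 9p and ext4 are filesystem names from the thread; 0xfed40 is the hex
    # value from the iomemcon report; 12345 is a constructed plain integer.
    for word in ("9p", "ext4", "0xfed40", "12345"):
        print(f"{word:8} patch order -> {flex_token(PATCH_ORDER, word)}"
              f"   reordered -> {flex_token(REORDERED, word)}")
```

With the patch's ordering 0xfed40 comes back as FILESYSTEM, while with FILESYSTEM below NUMBER it comes back as NUMBER and 9p is still FILESYSTEM, because the FILESYSTEM match is longer than NUMBER's match on the single digit.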