From: chris.lindee@gmail.com
To: selinux@vger.kernel.org
Cc: Chris Lindee <chris.lindee+github@gmail.com>
Subject: [PATCH 1/2] sepolgen: Update refparser to handle xperm
Date: Sun, 31 Jul 2022 20:57:20 -0500 [thread overview]
Message-ID: <20220801015721.393211-2-chris.lindee+git@gmail.com> (raw)
In-Reply-To: <20220801015721.393211-1-chris.lindee+git@gmail.com>
From: Chris Lindee <chris.lindee+github@gmail.com>
Extend the grammar to support `allowxperm`, et al. directives, which
were added in policy version 30 to give more granular control. This
commit adds basic support for the syntax, copying heavily from the
grammar for `allowperm`, et al.
Signed-off-by: Chris Lindee <chris.lindee+github@gmail.com>
---
python/sepolgen/src/sepolgen/refparser.py | 80 +++++++++++++++++++++++
1 file changed, 80 insertions(+)
diff --git a/python/sepolgen/src/sepolgen/refparser.py b/python/sepolgen/src/sepolgen/refparser.py
index e611637f..1d801f41 100644
--- a/python/sepolgen/src/sepolgen/refparser.py
+++ b/python/sepolgen/src/sepolgen/refparser.py
@@ -67,6 +67,7 @@ tokens = (
'FILENAME',
'IDENTIFIER',
'NUMBER',
+ 'XNUMBER',
'PATH',
'IPV6_ADDR',
# reserved words
@@ -112,6 +113,10 @@ tokens = (
'DONTAUDIT',
'AUDITALLOW',
'NEVERALLOW',
+ 'ALLOWXPERM',
+ 'DONTAUDITXPERM',
+ 'AUDITALLOWXPERM',
+ 'NEVERALLOWXPERM',
'PERMISSIVE',
'TYPEBOUNDS',
'TYPE_TRANSITION',
@@ -179,6 +184,10 @@ reserved = {
'dontaudit' : 'DONTAUDIT',
'auditallow' : 'AUDITALLOW',
'neverallow' : 'NEVERALLOW',
+ 'allowxperm' : 'ALLOWXPERM',
+ 'dontauditxperm' : 'DONTAUDITXPERM',
+ 'auditallowxperm' : 'AUDITALLOWXPERM',
+ 'neverallowxperm' : 'NEVERALLOWXPERM',
'permissive' : 'PERMISSIVE',
'typebounds' : 'TYPEBOUNDS',
'type_transition' : 'TYPE_TRANSITION',
@@ -231,6 +240,12 @@ t_PATH = r'/[a-zA-Z0-9)_\.\*/\$]*'
t_ignore = " \t"
# More complex tokens
+def t_XNUMBER(t):
+ r'0x[0-9A-Fa-f]+'
+ # Turn hexadecimal into integer
+ t.value = int(t.value, 16)
+ return t
+
def t_IPV6_ADDR(t):
r'[a-fA-F0-9]{0,4}:[a-fA-F0-9]{0,4}:([a-fA-F0-9]|:)*'
# This is a function simply to force it sooner into
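Review bot: t_XNUMBER's placement and its value conversion are both load-bearing but undocumented; a comment above the def should say why, in the same spirit as the one on t_IPV6_ADDR. In PLY a function-defined token is tried in definition order ahead of every string-defined token, so this definition is what keeps the `0` of `0x1f` from being consumed by NUMBER; something like `# Must be a function (tried before the string tokens) so NUMBER cannot claim the leading 0` would record that. The conversion on the `t.value = int(t.value, 16)` line also makes XNUMBER carry an int where NUMBER presumably still carries the matched text, which is why the xperm_number rule later calls int() on both; a short `# value is already an int, unlike NUMBER` would spare the next reader that detour.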
@@ -505,6 +520,7 @@ def p_policy(p):
def p_policy_stmt(p):
'''policy_stmt : gen_require
| avrule_def
+ | avextrule_def
| typerule_def
| typebound_def
| typeattribute_def
@@ -810,6 +826,26 @@ def p_avrule_def(p):
a.perms = p[6]
p[0] = a
+def p_avextrule_def(p):
+ '''avextrule_def : ALLOWXPERM names names COLON names identifier xperm_set SEMI
+ | DONTAUDITXPERM names names COLON names identifier xperm_set SEMI
+ | AUDITALLOWXPERM names names COLON names identifier xperm_set SEMI
+ | NEVERALLOWXPERM names names COLON names identifier xperm_set SEMI
+ '''
+ a = refpolicy.AVExtRule()
+ if p[1] == 'dontauditxperm':
+ a.rule_type = refpolicy.AVExtRule.DONTAUDITXPERM
+ elif p[1] == 'auditallowxperm':
+ a.rule_type = refpolicy.AVExtRule.AUDITALLOWXPERM
+ elif p[1] == 'neverallowxperm':
+ a.rule_type = refpolicy.AVExtRule.NEVERALLOWXPERM
+ a.src_types = p[2]
+ a.tgt_types = p[3]
+ a.obj_classes = p[5]
+ a.operation = p[6]
+ a.xperms = p[7]
+ p[0] = a
+
def p_typerule_def(p):
'''typerule_def : TYPE_TRANSITION names names COLON names IDENTIFIER SEMI
| TYPE_TRANSITION names names COLON names IDENTIFIER FILENAME SEMI
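Review bot: The `allowxperm` alternative never assigns `a.rule_type`; the if/elif chain after `a = refpolicy.AVExtRule()` covers only the other three keywords, so a correct rule type for the most common statement depends entirely on AVExtRule's constructor default, which this patch does not touch and which I cannot see here. That mirrors p_avrule_def, but the reliance deserves to be stated, e.g. a comment above the chain: `# allowxperm is left at AVExtRule's default rule_type; only the other three are set` — or, if the default is not guaranteed, a final `else: a.rule_type = refpolicy.AVExtRule.ALLOWXPERM`. The comparison against the lowercase keyword text assumes the reserved-word lookup leaves t.value as the matched source text; that holds for p_avrule_def today, so it is fine as long as the two rules stay in step.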
@@ -987,6 +1023,50 @@ def p_optional_semi(p):
| empty'''
pass
+def p_xperm_set(p):
+ '''xperm_set : nested_xperm_set
+ | TILDE nested_xperm_set
+ | xperm_set_base
+ | TILDE xperm_set_base
+ '''
+ p[0] = p[-1]
+ if len(p) == 3:
+ p[0].compliment = True
+
+def p_nested_xperm_set(p):
+ '''nested_xperm_set : OBRACE nested_xperm_list CBRACE
+ '''
+ p[0] = p[2]
+
+def p_nested_xperm_list(p):
+ '''nested_xperm_list : nested_xperm_element
+ | nested_xperm_list nested_xperm_element
+ '''
+ p[0] = p[1]
+ if len(p) == 3:
+ p[0].extend(p[2])
+
+def p_nested_xperm_element(p):
+ '''nested_xperm_element : xperm_set_base
+ | nested_xperm_set
+ '''
+ p[0] = p[1]
+
+def p_xperm_set_base(p):
+ '''xperm_set_base : xperm_number
+ | xperm_number MINUS xperm_number
+ '''
+ p[0] = refpolicy.XpermSet()
+ if len(p) == 2:
+ p[0].add(p[1])
+ else:
+ p[0].add(p[1], p[3])
+
+def p_xperm_number(p):
+ '''xperm_number : NUMBER
+ | XNUMBER
+ '''
+ p[0] = int(p[1])
#
# Interface to the parser
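Review bot: In p_xperm_set, `p[0] = p[-1]` does not select the last right-hand-side symbol: PLY's YaccProduction resolves a negative index against the parser stack below the current production, so this reads the `identifier` that precedes xperm_set in avextrule_def rather than the set just parsed, and the following `.compliment = True` would then be applied to the wrong object (or to a str, raising AttributeError). Use `p[0] = p[len(p) - 1]` so the single- and TILDE-prefixed alternatives both pick the set. Independently, the attribute is spelled `compliment`; if refpolicy.XpermSet's flag is `complement` (the usual spelling — verify against refpolicy.py), this assignment silently creates a new attribute and a `~{ ... }` set is stored as a plain positive set, which for a neverallowxperm or dontauditxperm statement inverts what the policy actually says. p_xperm_number's `int(p[1])` also assumes NUMBER's pattern only ever admits digits; if it accepts anything else the conversion raises an uncaught ValueError rather than a parse error.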
--
2.37.1