| Message ID | 20220801015721.393211-2-chris.lindee+git@gmail.com (mailing list archive) |
|---|---|
| State | Changes Requested |
| Headers | show |
| Series | [1/2] sepolgen: Update refparser to handle xperm | expand |
On Mon, 1 Aug 2022 at 03:57, <chris.lindee@gmail.com> wrote: > > From: Chris Lindee <chris.lindee+github@gmail.com> > > Extend the grammar to support `allowxperm`, et. al. directives, which > were added in policy version 30 to give more granular control. This > commit adds basic support for the syntax, copying heavily from the > grammar for `allowperm`, et. al. Looks good to me; two comments inline. > Signed-off-by: Chris Lindee <chris.lindee+github@gmail.com> > --- > python/sepolgen/src/sepolgen/refparser.py | 80 +++++++++++++++++++++++ > 1 file changed, 80 insertions(+) > > diff --git a/python/sepolgen/src/sepolgen/refparser.py b/python/sepolgen/src/sepolgen/refparser.py > index e611637f..1d801f41 100644 > --- a/python/sepolgen/src/sepolgen/refparser.py > +++ b/python/sepolgen/src/sepolgen/refparser.py > @@ -67,6 +67,7 @@ tokens = ( > 'FILENAME', > 'IDENTIFIER', > 'NUMBER', > + 'XNUMBER', > 'PATH', > 'IPV6_ADDR', > # reserved words > @@ -112,6 +113,10 @@ tokens = ( > 'DONTAUDIT', > 'AUDITALLOW', > 'NEVERALLOW', > + 'ALLOWXPERM', > + 'DONTAUDITXPERM', > + 'AUDITALLOWXPERM', > + 'NEVERALLOWXPERM', > 'PERMISSIVE', > 'TYPEBOUNDS', > 'TYPE_TRANSITION', > @@ -179,6 +184,10 @@ reserved = { > 'dontaudit' : 'DONTAUDIT', > 'auditallow' : 'AUDITALLOW', > 'neverallow' : 'NEVERALLOW', > + 'allowxperm' : 'ALLOWXPERM', > + 'dontauditxperm' : 'DONTAUDITXPERM', > + 'auditallowxperm' : 'AUDITALLOWXPERM', > + 'neverallowxperm' : 'NEVERALLOWXPERM', > 'permissive' : 'PERMISSIVE', > 'typebounds' : 'TYPEBOUNDS', > 'type_transition' : 'TYPE_TRANSITION', > @@ -231,6 +240,12 @@ t_PATH = r'/[a-zA-Z0-9)_\.\*/\$]*' > t_ignore = " \t" > > # More complex tokens > +def t_XNUMBER(t): > + r'0x[0-9A-Fa-f]+' > + # Turn hexadecimal into integer > + t.value = int(t.value, 16) > + return t > + > def t_IPV6_ADDR(t): > r'[a-fA-F0-9]{0,4}:[a-fA-F0-9]{0,4}:([a-fA-F0-9]|:)*' > # This is a function simply to force it sooner into > @@ -505,6 +520,7 @@ def p_policy(p): > def p_policy_stmt(p): > '''policy_stmt : gen_require > | avrule_def > + | avextrule_def > | typerule_def > | typebound_def > | typeattribute_def > @@ -810,6 +826,26 @@ def p_avrule_def(p): > a.perms = p[6] > p[0] = a > > +def p_avextrule_def(p): > + '''avextrule_def : ALLOWXPERM names names COLON names identifier xperm_set SEMI > + | DONTAUDITXPERM names names COLON names identifier xperm_set SEMI > + | AUDITALLOWXPERM names names COLON names identifier xperm_set SEMI > + | NEVERALLOWXPERM names names COLON names identifier xperm_set SEMI > + ''' > + a = refpolicy.AVExtRule() > + if p[1] == 'dontauditxperm': > + a.rule_type = refpolicy.AVExtRule.DONTAUDITXPERM > + elif p[1] == 'auditallowxperm': > + a.rule_type = refpolicy.AVExtRule.AUDITALLOWXPERM > + elif p[1] == 'neverallowxperm': > + a.rule_type = refpolicy.AVExtRule.NEVERALLOWXPERM > + a.src_types = p[2] > + a.tgt_types = p[3] > + a.obj_classes = p[5] > + a.operation = p[6] > + a.xperms = p[7] > + p[0] = a > + > def p_typerule_def(p): > '''typerule_def : TYPE_TRANSITION names names COLON names IDENTIFIER SEMI > | TYPE_TRANSITION names names COLON names IDENTIFIER FILENAME SEMI > @@ -987,6 +1023,50 @@ def p_optional_semi(p): > | empty''' > pass > > +def p_xperm_set(p): > + '''xperm_set : nested_xperm_set > + | TILDE nested_xperm_set > + | xperm_set_base > + | TILDE xperm_set_base maybe include IDENTIFER as option to accept allowxperm $1 $2:$3 ioctl $4; > + ''' > + p[0] = p[-1] > + if len(p) == 3: > + p[0].compliment = True > + > +def p_nested_xperm_set(p): > + '''nested_xperm_set : OBRACE nested_xperm_list CBRACE > + ''' > + p[0] = p[2] > + > +def p_nested_xperm_list(p): > + '''nested_xperm_list : nested_xperm_element > + | nested_xperm_list nested_xperm_element > + ''' > + p[0] = p[1] > + if len(p) == 3: > + p[0].extend(p[2]) > + > +def p_nested_xperm_element(p): > + '''nested_xperm_element : xperm_set_base > + | nested_xperm_set > + ''' > + p[0] = p[1] > + > +def p_xperm_set_base(p): > + '''xperm_set_base : xperm_number > + | xperm_number MINUS xperm_number > + ''' > + p[0] = refpolicy.XpermSet() > + if len(p) == 2: > + p[0].add(p[1]) > + else: > + p[0].add(p[1], p[3]) Single numbers might also be enclosed in braces, so maybe add an option OBRACE xperm_number CBRACE and parsing it via elif p[1] == '{': p[0].add(p[2]) > + > +def p_xperm_number(p): > + '''xperm_number : NUMBER > + | XNUMBER > + ''' > + p[0] = int(p[1]) > > # > # Interface to the parser > -- > 2.37.1 >
diff --git a/python/sepolgen/src/sepolgen/refparser.py b/python/sepolgen/src/sepolgen/refparser.py index e611637f..1d801f41 100644 --- a/python/sepolgen/src/sepolgen/refparser.py +++ b/python/sepolgen/src/sepolgen/refparser.py @@ -67,6 +67,7 @@ tokens = ( 'FILENAME', 'IDENTIFIER', 'NUMBER', + 'XNUMBER', 'PATH', 'IPV6_ADDR', # reserved words @@ -112,6 +113,10 @@ tokens = ( 'DONTAUDIT', 'AUDITALLOW', 'NEVERALLOW', + 'ALLOWXPERM', + 'DONTAUDITXPERM', + 'AUDITALLOWXPERM', + 'NEVERALLOWXPERM', 'PERMISSIVE', 'TYPEBOUNDS', 'TYPE_TRANSITION', @@ -179,6 +184,10 @@ reserved = { 'dontaudit' : 'DONTAUDIT', 'auditallow' : 'AUDITALLOW', 'neverallow' : 'NEVERALLOW', + 'allowxperm' : 'ALLOWXPERM', + 'dontauditxperm' : 'DONTAUDITXPERM', + 'auditallowxperm' : 'AUDITALLOWXPERM', + 'neverallowxperm' : 'NEVERALLOWXPERM', 'permissive' : 'PERMISSIVE', 'typebounds' : 'TYPEBOUNDS', 'type_transition' : 'TYPE_TRANSITION', @@ -231,6 +240,12 @@ t_PATH = r'/[a-zA-Z0-9)_\.\*/\$]*' t_ignore = " \t" # More complex tokens +def t_XNUMBER(t): + r'0x[0-9A-Fa-f]+' + # Turn hexadecimal into integer + t.value = int(t.value, 16) + return t + def t_IPV6_ADDR(t): r'[a-fA-F0-9]{0,4}:[a-fA-F0-9]{0,4}:([a-fA-F0-9]|:)*' # This is a function simply to force it sooner into @@ -505,6 +520,7 @@ def p_policy(p): def p_policy_stmt(p): '''policy_stmt : gen_require | avrule_def + | avextrule_def | typerule_def | typebound_def | typeattribute_def @@ -810,6 +826,26 @@ def p_avrule_def(p): a.perms = p[6] p[0] = a +def p_avextrule_def(p): + '''avextrule_def : ALLOWXPERM names names COLON names identifier xperm_set SEMI + | DONTAUDITXPERM names names COLON names identifier xperm_set SEMI + | AUDITALLOWXPERM names names COLON names identifier xperm_set SEMI + | NEVERALLOWXPERM names names COLON names identifier xperm_set SEMI + ''' + a = refpolicy.AVExtRule() + if p[1] == 'dontauditxperm': + a.rule_type = refpolicy.AVExtRule.DONTAUDITXPERM + elif p[1] == 'auditallowxperm': + a.rule_type = refpolicy.AVExtRule.AUDITALLOWXPERM + elif p[1] == 'neverallowxperm': + a.rule_type = refpolicy.AVExtRule.NEVERALLOWXPERM + a.src_types = p[2] + a.tgt_types = p[3] + a.obj_classes = p[5] + a.operation = p[6] + a.xperms = p[7] + p[0] = a + def p_typerule_def(p): '''typerule_def : TYPE_TRANSITION names names COLON names IDENTIFIER SEMI | TYPE_TRANSITION names names COLON names IDENTIFIER FILENAME SEMI @@ -987,6 +1023,50 @@ def p_optional_semi(p): | empty''' pass +def p_xperm_set(p): + '''xperm_set : nested_xperm_set + | TILDE nested_xperm_set + | xperm_set_base + | TILDE xperm_set_base + ''' + p[0] = p[-1] + if len(p) == 3: + p[0].compliment = True + +def p_nested_xperm_set(p): + '''nested_xperm_set : OBRACE nested_xperm_list CBRACE + ''' + p[0] = p[2] + +def p_nested_xperm_list(p): + '''nested_xperm_list : nested_xperm_element + | nested_xperm_list nested_xperm_element + ''' + p[0] = p[1] + if len(p) == 3: + p[0].extend(p[2]) + +def p_nested_xperm_element(p): + '''nested_xperm_element : xperm_set_base + | nested_xperm_set + ''' + p[0] = p[1] + +def p_xperm_set_base(p): + '''xperm_set_base : xperm_number + | xperm_number MINUS xperm_number + ''' + p[0] = refpolicy.XpermSet() + if len(p) == 2: + p[0].add(p[1]) + else: + p[0].add(p[1], p[3]) + +def p_xperm_number(p): + '''xperm_number : NUMBER + | XNUMBER + ''' + p[0] = int(p[1]) # # Interface to the parser