Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1 | |
| 2 | /* |
| 3 | * Author : Stephen Smalley, <sds@epoch.ncsc.mil> |
| 4 | */ |
| 5 | |
| 6 | /* |
| 7 | * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> |
| 8 | * |
| 9 | * Support for enhanced MLS infrastructure. |
| 10 | * |
| 11 | * Updated: David Caplan, <dac@tresys.com> |
| 12 | * |
| 13 | * Added conditional policy language extensions |
| 14 | * |
| 15 | * Updated: Joshua Brindle <jbrindle@tresys.com> |
| 16 | * Karl MacMillan <kmacmillan@mentalrootkit.com> |
| 17 | * Jason Tang <jtang@tresys.com> |
| 18 | * |
| 19 | * Added support for binary policy modules |
| 20 | * |
| 21 | * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. |
| 22 | * Copyright (C) 2003 - 2008 Tresys Technology, LLC |
| 23 | * Copyright (C) 2007 Red Hat Inc. |
| 24 | * This program is free software; you can redistribute it and/or modify |
| 25 | * it under the terms of the GNU General Public License as published by |
| 26 | * the Free Software Foundation, version 2. |
| 27 | */ |
| 28 | |
| 29 | /* FLASK */ |
| 30 | |
| 31 | %{ |
| 32 | #include <sys/types.h> |
| 33 | #include <assert.h> |
| 34 | #include <stdarg.h> |
| 35 | #include <stdint.h> |
| 36 | #include <stdio.h> |
| 37 | #include <stdlib.h> |
| 38 | #include <string.h> |
| 39 | #include <sys/socket.h> |
| 40 | #include <netinet/in.h> |
| 41 | #include <arpa/inet.h> |
| 42 | #include <stdlib.h> |
| 43 | |
| 44 | #include <sepol/policydb/expand.h> |
| 45 | #include <sepol/policydb/policydb.h> |
| 46 | #include <sepol/policydb/services.h> |
| 47 | #include <sepol/policydb/conditional.h> |
| 48 | #include <sepol/policydb/flask.h> |
| 49 | #include <sepol/policydb/hierarchy.h> |
| 50 | #include <sepol/policydb/polcaps.h> |
| 51 | #include "queue.h" |
| 52 | #include "checkpolicy.h" |
| 53 | #include "module_compiler.h" |
| 54 | #include "policy_define.h" |
| 55 | |
| 56 | extern policydb_t *policydbp; |
| 57 | extern unsigned int pass; |
| 58 | |
| 59 | extern char yytext[]; |
| 60 | extern int yylex(void); |
Nicolas Iooss | 832e701 | 2014-09-14 23:41:39 +0200 | [diff] [blame] | 61 | extern int yywarn(const char *msg); |
| 62 | extern int yyerror(const char *msg); |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 63 | |
Nicolas Iooss | c4a4a1a | 2014-09-14 23:41:49 +0200 | [diff] [blame] | 64 | typedef int (* require_func_t)(int pass); |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 65 | |
| 66 | %} |
| 67 | |
| 68 | %union { |
| 69 | unsigned int val; |
Daniel De Graaf | 82030de | 2015-03-17 16:43:23 -0400 | [diff] [blame] | 70 | uint64_t val64; |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 71 | uintptr_t valptr; |
| 72 | void *ptr; |
| 73 | require_func_t require_func; |
| 74 | } |
| 75 | |
| 76 | %type <ptr> cond_expr cond_expr_prim cond_pol_list cond_else |
| 77 | %type <ptr> cond_allow_def cond_auditallow_def cond_auditdeny_def cond_dontaudit_def |
| 78 | %type <ptr> cond_transition_def cond_te_avtab_def cond_rule_def |
| 79 | %type <ptr> role_def roles |
| 80 | %type <valptr> cexpr cexpr_prim op role_mls_op |
| 81 | %type <val> ipv4_addr_def number |
Daniel De Graaf | 82030de | 2015-03-17 16:43:23 -0400 | [diff] [blame] | 82 | %type <val64> number64 |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 83 | %type <require_func> require_decl_def |
| 84 | |
| 85 | %token PATH |
Daniel De Graaf | aab2d9f | 2015-03-17 16:43:22 -0400 | [diff] [blame] | 86 | %token QPATH |
Steve Lawrence | b42e15f | 2011-05-16 08:40:00 -0400 | [diff] [blame] | 87 | %token FILENAME |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 88 | %token CLONE |
| 89 | %token COMMON |
| 90 | %token CLASS |
| 91 | %token CONSTRAIN |
| 92 | %token VALIDATETRANS |
| 93 | %token INHERITS |
| 94 | %token SID |
| 95 | %token ROLE |
Harry Ciao | 16675b7 | 2011-07-25 09:23:54 +0800 | [diff] [blame] | 96 | %token ROLEATTRIBUTE |
| 97 | %token ATTRIBUTE_ROLE |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 98 | %token ROLES |
| 99 | %token TYPEALIAS |
| 100 | %token TYPEATTRIBUTE |
Joshua Brindle | 4572840 | 2008-10-08 06:56:51 -0400 | [diff] [blame] | 101 | %token TYPEBOUNDS |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 102 | %token TYPE |
| 103 | %token TYPES |
| 104 | %token ALIAS |
| 105 | %token ATTRIBUTE |
| 106 | %token BOOL |
Harry Ciao | 80f26c5 | 2011-09-01 11:29:41 +0800 | [diff] [blame] | 107 | %token TUNABLE |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 108 | %token IF |
| 109 | %token ELSE |
| 110 | %token TYPE_TRANSITION |
| 111 | %token TYPE_MEMBER |
| 112 | %token TYPE_CHANGE |
| 113 | %token ROLE_TRANSITION |
| 114 | %token RANGE_TRANSITION |
| 115 | %token SENSITIVITY |
| 116 | %token DOMINANCE |
| 117 | %token DOM DOMBY INCOMP |
| 118 | %token CATEGORY |
| 119 | %token LEVEL |
| 120 | %token RANGE |
| 121 | %token MLSCONSTRAIN |
| 122 | %token MLSVALIDATETRANS |
| 123 | %token USER |
| 124 | %token NEVERALLOW |
| 125 | %token ALLOW |
| 126 | %token AUDITALLOW |
| 127 | %token AUDITDENY |
| 128 | %token DONTAUDIT |
| 129 | %token SOURCE |
| 130 | %token TARGET |
| 131 | %token SAMEUSER |
| 132 | %token FSCON PORTCON NETIFCON NODECON |
Daniel De Graaf | f029067 | 2015-03-17 16:43:24 -0400 | [diff] [blame] | 133 | %token PIRQCON IOMEMCON IOPORTCON PCIDEVICECON DEVICETREECON |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 134 | %token FSUSEXATTR FSUSETASK FSUSETRANS |
| 135 | %token GENFSCON |
| 136 | %token U1 U2 U3 R1 R2 R3 T1 T2 T3 L1 L2 H1 H2 |
| 137 | %token NOT AND OR XOR |
| 138 | %token CTRUE CFALSE |
| 139 | %token IDENTIFIER |
| 140 | %token NUMBER |
| 141 | %token EQUALS |
| 142 | %token NOTEQUAL |
| 143 | %token IPV4_ADDR |
| 144 | %token IPV6_ADDR |
| 145 | %token MODULE VERSION_IDENTIFIER REQUIRE OPTIONAL |
| 146 | %token POLICYCAP |
| 147 | %token PERMISSIVE |
James Carter | 17ac87c | 2011-01-12 16:29:02 -0500 | [diff] [blame] | 148 | %token FILESYSTEM |
Eric Paris | 693f524 | 2012-12-18 11:41:25 -0500 | [diff] [blame] | 149 | %token DEFAULT_USER DEFAULT_ROLE DEFAULT_TYPE DEFAULT_RANGE |
Eric Paris | 09c783c | 2011-12-05 13:28:51 -0500 | [diff] [blame] | 150 | %token LOW_HIGH LOW HIGH |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 151 | |
| 152 | %left OR |
| 153 | %left XOR |
| 154 | %left AND |
| 155 | %right NOT |
| 156 | %left EQUALS NOTEQUAL |
| 157 | %% |
| 158 | policy : base_policy |
| 159 | | module_policy |
| 160 | ; |
| 161 | base_policy : { if (define_policy(pass, 0) == -1) return -1; } |
| 162 | classes initial_sids access_vectors |
| 163 | { if (pass == 1) { if (policydb_index_classes(policydbp)) return -1; } |
| 164 | else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1; }} |
Eric Paris | 09c783c | 2011-12-05 13:28:51 -0500 | [diff] [blame] | 165 | opt_default_rules opt_mls te_rbac users opt_constraints |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 166 | { if (pass == 1) { if (policydb_index_bools(policydbp)) return -1;} |
| 167 | else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1;}} |
Paul Nuzzi | 79d10a8 | 2009-09-29 10:06:26 -0400 | [diff] [blame] | 168 | initial_sid_contexts opt_fs_contexts opt_fs_uses opt_genfs_contexts net_contexts opt_dev_contexts |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 169 | ; |
| 170 | classes : class_def |
| 171 | | classes class_def |
| 172 | ; |
| 173 | class_def : CLASS identifier |
| 174 | {if (define_class()) return -1;} |
| 175 | ; |
| 176 | initial_sids : initial_sid_def |
| 177 | | initial_sids initial_sid_def |
| 178 | ; |
| 179 | initial_sid_def : SID identifier |
| 180 | {if (define_initial_sid()) return -1;} |
| 181 | ; |
| 182 | access_vectors : opt_common_perms av_perms |
| 183 | ; |
| 184 | opt_common_perms : common_perms |
| 185 | | |
| 186 | ; |
| 187 | common_perms : common_perms_def |
| 188 | | common_perms common_perms_def |
| 189 | ; |
| 190 | common_perms_def : COMMON identifier '{' identifier_list '}' |
| 191 | {if (define_common_perms()) return -1;} |
| 192 | ; |
| 193 | av_perms : av_perms_def |
| 194 | | av_perms av_perms_def |
| 195 | ; |
| 196 | av_perms_def : CLASS identifier '{' identifier_list '}' |
| 197 | {if (define_av_perms(FALSE)) return -1;} |
| 198 | | CLASS identifier INHERITS identifier |
| 199 | {if (define_av_perms(TRUE)) return -1;} |
| 200 | | CLASS identifier INHERITS identifier '{' identifier_list '}' |
| 201 | {if (define_av_perms(TRUE)) return -1;} |
| 202 | ; |
Eric Paris | 09c783c | 2011-12-05 13:28:51 -0500 | [diff] [blame] | 203 | opt_default_rules : default_rules |
| 204 | | |
| 205 | ; |
| 206 | default_rules : default_user_def |
| 207 | | default_role_def |
Eric Paris | 693f524 | 2012-12-18 11:41:25 -0500 | [diff] [blame] | 208 | | default_type_def |
Eric Paris | 09c783c | 2011-12-05 13:28:51 -0500 | [diff] [blame] | 209 | | default_range_def |
| 210 | | default_rules default_user_def |
| 211 | | default_rules default_role_def |
Eric Paris | 693f524 | 2012-12-18 11:41:25 -0500 | [diff] [blame] | 212 | | default_rules default_type_def |
Eric Paris | 09c783c | 2011-12-05 13:28:51 -0500 | [diff] [blame] | 213 | | default_rules default_range_def |
| 214 | ; |
| 215 | default_user_def : DEFAULT_USER names SOURCE ';' |
| 216 | {if (define_default_user(DEFAULT_SOURCE)) return -1; } |
| 217 | | DEFAULT_USER names TARGET ';' |
| 218 | {if (define_default_user(DEFAULT_TARGET)) return -1; } |
| 219 | ; |
| 220 | default_role_def : DEFAULT_ROLE names SOURCE ';' |
| 221 | {if (define_default_role(DEFAULT_SOURCE)) return -1; } |
| 222 | | DEFAULT_ROLE names TARGET ';' |
| 223 | {if (define_default_role(DEFAULT_TARGET)) return -1; } |
| 224 | ; |
Eric Paris | 693f524 | 2012-12-18 11:41:25 -0500 | [diff] [blame] | 225 | default_type_def : DEFAULT_TYPE names SOURCE ';' |
| 226 | {if (define_default_type(DEFAULT_SOURCE)) return -1; } |
| 227 | | DEFAULT_TYPE names TARGET ';' |
| 228 | {if (define_default_type(DEFAULT_TARGET)) return -1; } |
| 229 | ; |
Eric Paris | 09c783c | 2011-12-05 13:28:51 -0500 | [diff] [blame] | 230 | default_range_def : DEFAULT_RANGE names SOURCE LOW ';' |
| 231 | {if (define_default_range(DEFAULT_SOURCE_LOW)) return -1; } |
| 232 | | DEFAULT_RANGE names SOURCE HIGH ';' |
| 233 | {if (define_default_range(DEFAULT_SOURCE_HIGH)) return -1; } |
| 234 | | DEFAULT_RANGE names SOURCE LOW_HIGH ';' |
| 235 | {if (define_default_range(DEFAULT_SOURCE_LOW_HIGH)) return -1; } |
| 236 | | DEFAULT_RANGE names TARGET LOW ';' |
| 237 | {if (define_default_range(DEFAULT_TARGET_LOW)) return -1; } |
| 238 | | DEFAULT_RANGE names TARGET HIGH ';' |
| 239 | {if (define_default_range(DEFAULT_TARGET_HIGH)) return -1; } |
| 240 | | DEFAULT_RANGE names TARGET LOW_HIGH ';' |
| 241 | {if (define_default_range(DEFAULT_TARGET_LOW_HIGH)) return -1; } |
| 242 | ; |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 243 | opt_mls : mls |
| 244 | | |
| 245 | ; |
| 246 | mls : sensitivities dominance opt_categories levels mlspolicy |
| 247 | ; |
| 248 | sensitivities : sensitivity_def |
| 249 | | sensitivities sensitivity_def |
| 250 | ; |
| 251 | sensitivity_def : SENSITIVITY identifier alias_def ';' |
| 252 | {if (define_sens()) return -1;} |
| 253 | | SENSITIVITY identifier ';' |
| 254 | {if (define_sens()) return -1;} |
| 255 | ; |
| 256 | alias_def : ALIAS names |
| 257 | ; |
| 258 | dominance : DOMINANCE identifier |
| 259 | {if (define_dominance()) return -1;} |
| 260 | | DOMINANCE '{' identifier_list '}' |
| 261 | {if (define_dominance()) return -1;} |
| 262 | ; |
| 263 | opt_categories : categories |
| 264 | | |
| 265 | ; |
| 266 | categories : category_def |
| 267 | | categories category_def |
| 268 | ; |
| 269 | category_def : CATEGORY identifier alias_def ';' |
| 270 | {if (define_category()) return -1;} |
| 271 | | CATEGORY identifier ';' |
| 272 | {if (define_category()) return -1;} |
| 273 | ; |
| 274 | levels : level_def |
| 275 | | levels level_def |
| 276 | ; |
| 277 | level_def : LEVEL identifier ':' id_comma_list ';' |
| 278 | {if (define_level()) return -1;} |
| 279 | | LEVEL identifier ';' |
| 280 | {if (define_level()) return -1;} |
| 281 | ; |
| 282 | mlspolicy : mlspolicy_decl |
| 283 | | mlspolicy mlspolicy_decl |
| 284 | ; |
| 285 | mlspolicy_decl : mlsconstraint_def |
| 286 | | mlsvalidatetrans_def |
| 287 | ; |
| 288 | mlsconstraint_def : MLSCONSTRAIN names names cexpr ';' |
| 289 | { if (define_constraint((constraint_expr_t*)$4)) return -1; } |
| 290 | ; |
| 291 | mlsvalidatetrans_def : MLSVALIDATETRANS names cexpr ';' |
| 292 | { if (define_validatetrans((constraint_expr_t*)$3)) return -1; } |
| 293 | ; |
| 294 | te_rbac : te_rbac_decl |
| 295 | | te_rbac te_rbac_decl |
| 296 | ; |
| 297 | te_rbac_decl : te_decl |
| 298 | | rbac_decl |
| 299 | | cond_stmt_def |
| 300 | | optional_block |
| 301 | | policycap_def |
| 302 | | ';' |
| 303 | ; |
Harry Ciao | 16675b7 | 2011-07-25 09:23:54 +0800 | [diff] [blame] | 304 | rbac_decl : attribute_role_def |
| 305 | | role_type_def |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 306 | | role_dominance |
| 307 | | role_trans_def |
| 308 | | role_allow_def |
Harry Ciao | 16675b7 | 2011-07-25 09:23:54 +0800 | [diff] [blame] | 309 | | roleattribute_def |
| 310 | | role_attr_def |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 311 | ; |
| 312 | te_decl : attribute_def |
| 313 | | type_def |
| 314 | | typealias_def |
| 315 | | typeattribute_def |
Joshua Brindle | 4572840 | 2008-10-08 06:56:51 -0400 | [diff] [blame] | 316 | | typebounds_def |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 317 | | bool_def |
Harry Ciao | 80f26c5 | 2011-09-01 11:29:41 +0800 | [diff] [blame] | 318 | | tunable_def |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 319 | | transition_def |
| 320 | | range_trans_def |
| 321 | | te_avtab_def |
| 322 | | permissive_def |
| 323 | ; |
| 324 | attribute_def : ATTRIBUTE identifier ';' |
| 325 | { if (define_attrib()) return -1;} |
| 326 | ; |
| 327 | type_def : TYPE identifier alias_def opt_attr_list ';' |
| 328 | {if (define_type(1)) return -1;} |
| 329 | | TYPE identifier opt_attr_list ';' |
| 330 | {if (define_type(0)) return -1;} |
| 331 | ; |
| 332 | typealias_def : TYPEALIAS identifier alias_def ';' |
| 333 | {if (define_typealias()) return -1;} |
| 334 | ; |
| 335 | typeattribute_def : TYPEATTRIBUTE identifier id_comma_list ';' |
| 336 | {if (define_typeattribute()) return -1;} |
| 337 | ; |
Joshua Brindle | 4572840 | 2008-10-08 06:56:51 -0400 | [diff] [blame] | 338 | typebounds_def : TYPEBOUNDS identifier id_comma_list ';' |
| 339 | {if (define_typebounds()) return -1;} |
| 340 | ; |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 341 | opt_attr_list : ',' id_comma_list |
| 342 | | |
| 343 | ; |
| 344 | bool_def : BOOL identifier bool_val ';' |
Harry Ciao | 80f26c5 | 2011-09-01 11:29:41 +0800 | [diff] [blame] | 345 | { if (define_bool_tunable(0)) return -1; } |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 346 | ; |
Harry Ciao | 80f26c5 | 2011-09-01 11:29:41 +0800 | [diff] [blame] | 347 | tunable_def : TUNABLE identifier bool_val ';' |
| 348 | { if (define_bool_tunable(1)) return -1; } |
| 349 | ; |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 350 | bool_val : CTRUE |
| 351 | { if (insert_id("T",0)) return -1; } |
| 352 | | CFALSE |
| 353 | { if (insert_id("F",0)) return -1; } |
| 354 | ; |
| 355 | cond_stmt_def : IF cond_expr '{' cond_pol_list '}' cond_else |
| 356 | { if (pass == 2) { if (define_conditional((cond_expr_t*)$2, (avrule_t*)$4, (avrule_t*)$6) < 0) return -1; }} |
| 357 | ; |
| 358 | cond_else : ELSE '{' cond_pol_list '}' |
| 359 | { $$ = $3; } |
| 360 | | /* empty */ |
| 361 | { $$ = NULL; } |
Scapelli | 387dc63 | 2014-09-18 15:47:45 +0200 | [diff] [blame] | 362 | ; |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 363 | cond_expr : '(' cond_expr ')' |
| 364 | { $$ = $2;} |
| 365 | | NOT cond_expr |
| 366 | { $$ = define_cond_expr(COND_NOT, $2, 0); |
| 367 | if ($$ == 0) return -1; } |
| 368 | | cond_expr AND cond_expr |
| 369 | { $$ = define_cond_expr(COND_AND, $1, $3); |
| 370 | if ($$ == 0) return -1; } |
| 371 | | cond_expr OR cond_expr |
| 372 | { $$ = define_cond_expr(COND_OR, $1, $3); |
| 373 | if ($$ == 0) return -1; } |
| 374 | | cond_expr XOR cond_expr |
| 375 | { $$ = define_cond_expr(COND_XOR, $1, $3); |
| 376 | if ($$ == 0) return -1; } |
| 377 | | cond_expr EQUALS cond_expr |
| 378 | { $$ = define_cond_expr(COND_EQ, $1, $3); |
| 379 | if ($$ == 0) return -1; } |
| 380 | | cond_expr NOTEQUAL cond_expr |
| 381 | { $$ = define_cond_expr(COND_NEQ, $1, $3); |
| 382 | if ($$ == 0) return -1; } |
| 383 | | cond_expr_prim |
| 384 | { $$ = $1; } |
| 385 | ; |
| 386 | cond_expr_prim : identifier |
| 387 | { $$ = define_cond_expr(COND_BOOL,0, 0); |
| 388 | if ($$ == COND_ERR) return -1; } |
| 389 | ; |
| 390 | cond_pol_list : cond_pol_list cond_rule_def |
| 391 | { $$ = define_cond_pol_list((avrule_t *)$1, (avrule_t *)$2); } |
| 392 | | /* empty */ |
| 393 | { $$ = NULL; } |
| 394 | ; |
| 395 | cond_rule_def : cond_transition_def |
| 396 | { $$ = $1; } |
| 397 | | cond_te_avtab_def |
| 398 | { $$ = $1; } |
| 399 | | require_block |
| 400 | { $$ = NULL; } |
| 401 | ; |
Steve Lawrence | b42e15f | 2011-05-16 08:40:00 -0400 | [diff] [blame] | 402 | cond_transition_def : TYPE_TRANSITION names names ':' names identifier filename ';' |
Eric Paris | 516cb2a | 2011-03-28 14:00:19 -0400 | [diff] [blame] | 403 | { $$ = define_cond_filename_trans() ; |
| 404 | if ($$ == COND_ERR) return -1;} |
| 405 | | TYPE_TRANSITION names names ':' names identifier ';' |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 406 | { $$ = define_cond_compute_type(AVRULE_TRANSITION) ; |
| 407 | if ($$ == COND_ERR) return -1;} |
| 408 | | TYPE_MEMBER names names ':' names identifier ';' |
| 409 | { $$ = define_cond_compute_type(AVRULE_MEMBER) ; |
| 410 | if ($$ == COND_ERR) return -1;} |
| 411 | | TYPE_CHANGE names names ':' names identifier ';' |
| 412 | { $$ = define_cond_compute_type(AVRULE_CHANGE) ; |
| 413 | if ($$ == COND_ERR) return -1;} |
| 414 | ; |
| 415 | cond_te_avtab_def : cond_allow_def |
| 416 | { $$ = $1; } |
| 417 | | cond_auditallow_def |
| 418 | { $$ = $1; } |
| 419 | | cond_auditdeny_def |
| 420 | { $$ = $1; } |
| 421 | | cond_dontaudit_def |
| 422 | { $$ = $1; } |
| 423 | ; |
| 424 | cond_allow_def : ALLOW names names ':' names names ';' |
| 425 | { $$ = define_cond_te_avtab(AVRULE_ALLOWED) ; |
| 426 | if ($$ == COND_ERR) return -1; } |
| 427 | ; |
| 428 | cond_auditallow_def : AUDITALLOW names names ':' names names ';' |
| 429 | { $$ = define_cond_te_avtab(AVRULE_AUDITALLOW) ; |
| 430 | if ($$ == COND_ERR) return -1; } |
| 431 | ; |
| 432 | cond_auditdeny_def : AUDITDENY names names ':' names names ';' |
| 433 | { $$ = define_cond_te_avtab(AVRULE_AUDITDENY) ; |
| 434 | if ($$ == COND_ERR) return -1; } |
| 435 | ; |
| 436 | cond_dontaudit_def : DONTAUDIT names names ':' names names ';' |
| 437 | { $$ = define_cond_te_avtab(AVRULE_DONTAUDIT); |
| 438 | if ($$ == COND_ERR) return -1; } |
| 439 | ; |
Eric Paris | fdeecca | 2011-11-02 13:03:59 -0400 | [diff] [blame] | 440 | ; |
Steve Lawrence | b42e15f | 2011-05-16 08:40:00 -0400 | [diff] [blame] | 441 | transition_def : TYPE_TRANSITION names names ':' names identifier filename ';' |
Steve Lawrence | cb271f7 | 2011-05-16 08:38:37 -0400 | [diff] [blame] | 442 | {if (define_filename_trans()) return -1; } |
| 443 | | TYPE_TRANSITION names names ':' names identifier ';' |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 444 | {if (define_compute_type(AVRULE_TRANSITION)) return -1;} |
| 445 | | TYPE_MEMBER names names ':' names identifier ';' |
| 446 | {if (define_compute_type(AVRULE_MEMBER)) return -1;} |
| 447 | | TYPE_CHANGE names names ':' names identifier ';' |
| 448 | {if (define_compute_type(AVRULE_CHANGE)) return -1;} |
| 449 | ; |
| 450 | range_trans_def : RANGE_TRANSITION names names mls_range_def ';' |
| 451 | { if (define_range_trans(0)) return -1; } |
| 452 | | RANGE_TRANSITION names names ':' names mls_range_def ';' |
| 453 | { if (define_range_trans(1)) return -1; } |
| 454 | ; |
| 455 | te_avtab_def : allow_def |
| 456 | | auditallow_def |
| 457 | | auditdeny_def |
| 458 | | dontaudit_def |
| 459 | | neverallow_def |
Jeff Vander Stoep | 80bc7ee | 2015-04-22 13:53:25 -0700 | [diff] [blame] | 460 | | operation_allow_def |
| 461 | | operation_auditallow_def |
| 462 | | operation_dontaudit_def |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 463 | ; |
| 464 | allow_def : ALLOW names names ':' names names ';' |
| 465 | {if (define_te_avtab(AVRULE_ALLOWED)) return -1; } |
| 466 | ; |
| 467 | auditallow_def : AUDITALLOW names names ':' names names ';' |
| 468 | {if (define_te_avtab(AVRULE_AUDITALLOW)) return -1; } |
| 469 | ; |
| 470 | auditdeny_def : AUDITDENY names names ':' names names ';' |
| 471 | {if (define_te_avtab(AVRULE_AUDITDENY)) return -1; } |
| 472 | ; |
| 473 | dontaudit_def : DONTAUDIT names names ':' names names ';' |
| 474 | {if (define_te_avtab(AVRULE_DONTAUDIT)) return -1; } |
| 475 | ; |
| 476 | neverallow_def : NEVERALLOW names names ':' names names ';' |
| 477 | {if (define_te_avtab(AVRULE_NEVERALLOW)) return -1; } |
| 478 | ; |
Jeff Vander Stoep | 80bc7ee | 2015-04-22 13:53:25 -0700 | [diff] [blame] | 479 | operation_allow_def : ALLOW names names ':' names operations ';' |
| 480 | {if (define_te_avtab_operation(AVRULE_OPNUM_ALLOWED)) return -1; } |
| 481 | ; |
| 482 | operation_auditallow_def: AUDITALLOW names names ':' names operations ';' |
| 483 | {if (define_te_avtab_operation(AVRULE_OPNUM_AUDITALLOW)) return -1; } |
| 484 | ; |
| 485 | operation_dontaudit_def : DONTAUDIT names names ':' names operations ';' |
| 486 | {if (define_te_avtab_operation(AVRULE_OPNUM_DONTAUDIT)) return -1; } |
| 487 | ; |
Harry Ciao | 16675b7 | 2011-07-25 09:23:54 +0800 | [diff] [blame] | 488 | attribute_role_def : ATTRIBUTE_ROLE identifier ';' |
| 489 | {if (define_attrib_role()) return -1; } |
Dan Walsh | 5619635 | 2011-08-09 10:28:38 -0400 | [diff] [blame] | 490 | ; |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 491 | role_type_def : ROLE identifier TYPES names ';' |
| 492 | {if (define_role_types()) return -1;} |
Harry Ciao | 16675b7 | 2011-07-25 09:23:54 +0800 | [diff] [blame] | 493 | ; |
| 494 | role_attr_def : ROLE identifier opt_attr_list ';' |
| 495 | {if (define_role_attr()) return -1;} |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 496 | ; |
| 497 | role_dominance : DOMINANCE '{' roles '}' |
| 498 | ; |
| 499 | role_trans_def : ROLE_TRANSITION names names identifier ';' |
Harry Ciao | e95f358 | 2011-03-25 13:51:59 +0800 | [diff] [blame] | 500 | {if (define_role_trans(0)) return -1; } |
| 501 | | ROLE_TRANSITION names names ':' names identifier ';' |
| 502 | {if (define_role_trans(1)) return -1;} |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 503 | ; |
| 504 | role_allow_def : ALLOW names names ';' |
| 505 | {if (define_role_allow()) return -1; } |
| 506 | ; |
| 507 | roles : role_def |
| 508 | { $$ = $1; } |
| 509 | | roles role_def |
| 510 | { $$ = merge_roles_dom((role_datum_t*)$1, (role_datum_t*)$2); if ($$ == 0) return -1;} |
| 511 | ; |
| 512 | role_def : ROLE identifier_push ';' |
| 513 | {$$ = define_role_dom(NULL); if ($$ == 0) return -1;} |
| 514 | | ROLE identifier_push '{' roles '}' |
| 515 | {$$ = define_role_dom((role_datum_t*)$4); if ($$ == 0) return -1;} |
| 516 | ; |
Harry Ciao | 16675b7 | 2011-07-25 09:23:54 +0800 | [diff] [blame] | 517 | roleattribute_def : ROLEATTRIBUTE identifier id_comma_list ';' |
| 518 | {if (define_roleattribute()) return -1;} |
| 519 | ; |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 520 | opt_constraints : constraints |
| 521 | | |
| 522 | ; |
| 523 | constraints : constraint_decl |
| 524 | | constraints constraint_decl |
| 525 | ; |
| 526 | constraint_decl : constraint_def |
| 527 | | validatetrans_def |
| 528 | ; |
| 529 | constraint_def : CONSTRAIN names names cexpr ';' |
| 530 | { if (define_constraint((constraint_expr_t*)$4)) return -1; } |
| 531 | ; |
| 532 | validatetrans_def : VALIDATETRANS names cexpr ';' |
| 533 | { if (define_validatetrans((constraint_expr_t*)$3)) return -1; } |
| 534 | ; |
| 535 | cexpr : '(' cexpr ')' |
| 536 | { $$ = $2; } |
| 537 | | NOT cexpr |
| 538 | { $$ = define_cexpr(CEXPR_NOT, $2, 0); |
| 539 | if ($$ == 0) return -1; } |
| 540 | | cexpr AND cexpr |
| 541 | { $$ = define_cexpr(CEXPR_AND, $1, $3); |
| 542 | if ($$ == 0) return -1; } |
| 543 | | cexpr OR cexpr |
| 544 | { $$ = define_cexpr(CEXPR_OR, $1, $3); |
| 545 | if ($$ == 0) return -1; } |
| 546 | | cexpr_prim |
| 547 | { $$ = $1; } |
| 548 | ; |
| 549 | cexpr_prim : U1 op U2 |
| 550 | { $$ = define_cexpr(CEXPR_ATTR, CEXPR_USER, $2); |
| 551 | if ($$ == 0) return -1; } |
| 552 | | R1 role_mls_op R2 |
| 553 | { $$ = define_cexpr(CEXPR_ATTR, CEXPR_ROLE, $2); |
| 554 | if ($$ == 0) return -1; } |
| 555 | | T1 op T2 |
| 556 | { $$ = define_cexpr(CEXPR_ATTR, CEXPR_TYPE, $2); |
| 557 | if ($$ == 0) return -1; } |
| 558 | | U1 op { if (insert_separator(1)) return -1; } names_push |
| 559 | { $$ = define_cexpr(CEXPR_NAMES, CEXPR_USER, $2); |
| 560 | if ($$ == 0) return -1; } |
| 561 | | U2 op { if (insert_separator(1)) return -1; } names_push |
| 562 | { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_USER | CEXPR_TARGET), $2); |
| 563 | if ($$ == 0) return -1; } |
| 564 | | U3 op { if (insert_separator(1)) return -1; } names_push |
| 565 | { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_USER | CEXPR_XTARGET), $2); |
| 566 | if ($$ == 0) return -1; } |
| 567 | | R1 op { if (insert_separator(1)) return -1; } names_push |
| 568 | { $$ = define_cexpr(CEXPR_NAMES, CEXPR_ROLE, $2); |
| 569 | if ($$ == 0) return -1; } |
| 570 | | R2 op { if (insert_separator(1)) return -1; } names_push |
| 571 | { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_ROLE | CEXPR_TARGET), $2); |
| 572 | if ($$ == 0) return -1; } |
| 573 | | R3 op { if (insert_separator(1)) return -1; } names_push |
| 574 | { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_ROLE | CEXPR_XTARGET), $2); |
| 575 | if ($$ == 0) return -1; } |
| 576 | | T1 op { if (insert_separator(1)) return -1; } names_push |
| 577 | { $$ = define_cexpr(CEXPR_NAMES, CEXPR_TYPE, $2); |
| 578 | if ($$ == 0) return -1; } |
| 579 | | T2 op { if (insert_separator(1)) return -1; } names_push |
| 580 | { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_TYPE | CEXPR_TARGET), $2); |
| 581 | if ($$ == 0) return -1; } |
| 582 | | T3 op { if (insert_separator(1)) return -1; } names_push |
| 583 | { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_TYPE | CEXPR_XTARGET), $2); |
| 584 | if ($$ == 0) return -1; } |
| 585 | | SAMEUSER |
| 586 | { $$ = define_cexpr(CEXPR_ATTR, CEXPR_USER, CEXPR_EQ); |
| 587 | if ($$ == 0) return -1; } |
| 588 | | SOURCE ROLE { if (insert_separator(1)) return -1; } names_push |
| 589 | { $$ = define_cexpr(CEXPR_NAMES, CEXPR_ROLE, CEXPR_EQ); |
| 590 | if ($$ == 0) return -1; } |
| 591 | | TARGET ROLE { if (insert_separator(1)) return -1; } names_push |
| 592 | { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_ROLE | CEXPR_TARGET), CEXPR_EQ); |
| 593 | if ($$ == 0) return -1; } |
| 594 | | ROLE role_mls_op |
| 595 | { $$ = define_cexpr(CEXPR_ATTR, CEXPR_ROLE, $2); |
| 596 | if ($$ == 0) return -1; } |
| 597 | | SOURCE TYPE { if (insert_separator(1)) return -1; } names_push |
| 598 | { $$ = define_cexpr(CEXPR_NAMES, CEXPR_TYPE, CEXPR_EQ); |
| 599 | if ($$ == 0) return -1; } |
| 600 | | TARGET TYPE { if (insert_separator(1)) return -1; } names_push |
| 601 | { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_TYPE | CEXPR_TARGET), CEXPR_EQ); |
| 602 | if ($$ == 0) return -1; } |
| 603 | | L1 role_mls_op L2 |
| 604 | { $$ = define_cexpr(CEXPR_ATTR, CEXPR_L1L2, $2); |
| 605 | if ($$ == 0) return -1; } |
| 606 | | L1 role_mls_op H2 |
| 607 | { $$ = define_cexpr(CEXPR_ATTR, CEXPR_L1H2, $2); |
| 608 | if ($$ == 0) return -1; } |
| 609 | | H1 role_mls_op L2 |
| 610 | { $$ = define_cexpr(CEXPR_ATTR, CEXPR_H1L2, $2); |
| 611 | if ($$ == 0) return -1; } |
| 612 | | H1 role_mls_op H2 |
| 613 | { $$ = define_cexpr(CEXPR_ATTR, CEXPR_H1H2, $2); |
| 614 | if ($$ == 0) return -1; } |
| 615 | | L1 role_mls_op H1 |
| 616 | { $$ = define_cexpr(CEXPR_ATTR, CEXPR_L1H1, $2); |
| 617 | if ($$ == 0) return -1; } |
| 618 | | L2 role_mls_op H2 |
| 619 | { $$ = define_cexpr(CEXPR_ATTR, CEXPR_L2H2, $2); |
| 620 | if ($$ == 0) return -1; } |
| 621 | ; |
| 622 | op : EQUALS |
| 623 | { $$ = CEXPR_EQ; } |
| 624 | | NOTEQUAL |
| 625 | { $$ = CEXPR_NEQ; } |
| 626 | ; |
| 627 | role_mls_op : op |
| 628 | { $$ = $1; } |
| 629 | | DOM |
| 630 | { $$ = CEXPR_DOM; } |
| 631 | | DOMBY |
| 632 | { $$ = CEXPR_DOMBY; } |
| 633 | | INCOMP |
| 634 | { $$ = CEXPR_INCOMP; } |
| 635 | ; |
| 636 | users : user_def |
| 637 | | users user_def |
| 638 | ; |
| 639 | user_def : USER identifier ROLES names opt_mls_user ';' |
| 640 | {if (define_user()) return -1;} |
| 641 | ; |
| 642 | opt_mls_user : LEVEL mls_level_def RANGE mls_range_def |
| 643 | | |
| 644 | ; |
| 645 | initial_sid_contexts : initial_sid_context_def |
| 646 | | initial_sid_contexts initial_sid_context_def |
| 647 | ; |
| 648 | initial_sid_context_def : SID identifier security_context_def |
| 649 | {if (define_initial_sid_context()) return -1;} |
| 650 | ; |
Paul Nuzzi | 79d10a8 | 2009-09-29 10:06:26 -0400 | [diff] [blame] | 651 | opt_dev_contexts : dev_contexts | |
| 652 | ; |
| 653 | dev_contexts : dev_context_def |
| 654 | | dev_contexts dev_context_def |
| 655 | ; |
| 656 | dev_context_def : pirq_context_def | |
| 657 | iomem_context_def | |
| 658 | ioport_context_def | |
Daniel De Graaf | f029067 | 2015-03-17 16:43:24 -0400 | [diff] [blame] | 659 | pci_context_def | |
| 660 | dtree_context_def |
Paul Nuzzi | 79d10a8 | 2009-09-29 10:06:26 -0400 | [diff] [blame] | 661 | ; |
| 662 | pirq_context_def : PIRQCON number security_context_def |
| 663 | {if (define_pirq_context($2)) return -1;} |
| 664 | ; |
Daniel De Graaf | 82030de | 2015-03-17 16:43:23 -0400 | [diff] [blame] | 665 | iomem_context_def : IOMEMCON number64 security_context_def |
Paul Nuzzi | 79d10a8 | 2009-09-29 10:06:26 -0400 | [diff] [blame] | 666 | {if (define_iomem_context($2,$2)) return -1;} |
Daniel De Graaf | 82030de | 2015-03-17 16:43:23 -0400 | [diff] [blame] | 667 | | IOMEMCON number64 '-' number64 security_context_def |
Paul Nuzzi | 79d10a8 | 2009-09-29 10:06:26 -0400 | [diff] [blame] | 668 | {if (define_iomem_context($2,$4)) return -1;} |
| 669 | ; |
| 670 | ioport_context_def : IOPORTCON number security_context_def |
| 671 | {if (define_ioport_context($2,$2)) return -1;} |
| 672 | | IOPORTCON number '-' number security_context_def |
| 673 | {if (define_ioport_context($2,$4)) return -1;} |
| 674 | ; |
| 675 | pci_context_def : PCIDEVICECON number security_context_def |
| 676 | {if (define_pcidevice_context($2)) return -1;} |
| 677 | ; |
Daniel De Graaf | f029067 | 2015-03-17 16:43:24 -0400 | [diff] [blame] | 678 | dtree_context_def : DEVICETREECON path security_context_def |
| 679 | {if (define_devicetree_context()) return -1;} |
| 680 | ; |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 681 | opt_fs_contexts : fs_contexts |
| 682 | | |
| 683 | ; |
| 684 | fs_contexts : fs_context_def |
| 685 | | fs_contexts fs_context_def |
| 686 | ; |
| 687 | fs_context_def : FSCON number number security_context_def security_context_def |
| 688 | {if (define_fs_context($2,$3)) return -1;} |
| 689 | ; |
| 690 | net_contexts : opt_port_contexts opt_netif_contexts opt_node_contexts |
| 691 | ; |
| 692 | opt_port_contexts : port_contexts |
| 693 | | |
| 694 | ; |
| 695 | port_contexts : port_context_def |
| 696 | | port_contexts port_context_def |
| 697 | ; |
| 698 | port_context_def : PORTCON identifier number security_context_def |
| 699 | {if (define_port_context($3,$3)) return -1;} |
| 700 | | PORTCON identifier number '-' number security_context_def |
| 701 | {if (define_port_context($3,$5)) return -1;} |
| 702 | ; |
| 703 | opt_netif_contexts : netif_contexts |
| 704 | | |
| 705 | ; |
| 706 | netif_contexts : netif_context_def |
| 707 | | netif_contexts netif_context_def |
| 708 | ; |
| 709 | netif_context_def : NETIFCON identifier security_context_def security_context_def |
| 710 | {if (define_netif_context()) return -1;} |
| 711 | ; |
| 712 | opt_node_contexts : node_contexts |
| 713 | | |
| 714 | ; |
| 715 | node_contexts : node_context_def |
| 716 | | node_contexts node_context_def |
| 717 | ; |
| 718 | node_context_def : NODECON ipv4_addr_def ipv4_addr_def security_context_def |
| 719 | {if (define_ipv4_node_context()) return -1;} |
| 720 | | NODECON ipv6_addr ipv6_addr security_context_def |
| 721 | {if (define_ipv6_node_context()) return -1;} |
| 722 | ; |
| 723 | opt_fs_uses : fs_uses |
| 724 | | |
| 725 | ; |
| 726 | fs_uses : fs_use_def |
| 727 | | fs_uses fs_use_def |
| 728 | ; |
Eric Paris | fdeecca | 2011-11-02 13:03:59 -0400 | [diff] [blame] | 729 | fs_use_def : FSUSEXATTR filesystem security_context_def ';' |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 730 | {if (define_fs_use(SECURITY_FS_USE_XATTR)) return -1;} |
| 731 | | FSUSETASK identifier security_context_def ';' |
| 732 | {if (define_fs_use(SECURITY_FS_USE_TASK)) return -1;} |
| 733 | | FSUSETRANS identifier security_context_def ';' |
| 734 | {if (define_fs_use(SECURITY_FS_USE_TRANS)) return -1;} |
| 735 | ; |
| 736 | opt_genfs_contexts : genfs_contexts |
| 737 | | |
| 738 | ; |
| 739 | genfs_contexts : genfs_context_def |
| 740 | | genfs_contexts genfs_context_def |
| 741 | ; |
Eric Paris | fdeecca | 2011-11-02 13:03:59 -0400 | [diff] [blame] | 742 | genfs_context_def : GENFSCON filesystem path '-' identifier security_context_def |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 743 | {if (define_genfs_context(1)) return -1;} |
Eric Paris | fdeecca | 2011-11-02 13:03:59 -0400 | [diff] [blame] | 744 | | GENFSCON filesystem path '-' '-' {insert_id("-", 0);} security_context_def |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 745 | {if (define_genfs_context(1)) return -1;} |
Eric Paris | fdeecca | 2011-11-02 13:03:59 -0400 | [diff] [blame] | 746 | | GENFSCON filesystem path security_context_def |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 747 | {if (define_genfs_context(0)) return -1;} |
| 748 | ; |
| 749 | ipv4_addr_def : IPV4_ADDR |
| 750 | { if (insert_id(yytext,0)) return -1; } |
| 751 | ; |
Jeff Vander Stoep | 80bc7ee | 2015-04-22 13:53:25 -0700 | [diff] [blame] | 752 | operations : operation |
| 753 | { if (insert_separator(0)) return -1; } |
| 754 | | nested_operation_set |
| 755 | { if (insert_separator(0)) return -1; } |
| 756 | | tilde operation |
| 757 | { if (insert_id("~", 0)) return -1; } |
| 758 | | tilde nested_operation_set |
| 759 | { if (insert_id("~", 0)) return -1; |
| 760 | if (insert_separator(0)) return -1; } |
| 761 | ; |
| 762 | nested_operation_set : '{' nested_operation_list '}' |
| 763 | ; |
| 764 | nested_operation_list : nested_operation_element |
| 765 | | nested_operation_list nested_operation_element |
| 766 | ; |
| 767 | nested_operation_element: operation '-' { if (insert_id("-", 0)) return -1; } operation |
| 768 | | operation |
| 769 | | nested_operation_set |
| 770 | ; |
| 771 | operation : number |
| 772 | { if (insert_id(yytext,0)) return -1; } |
| 773 | ; |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 774 | security_context_def : identifier ':' identifier ':' identifier opt_mls_range_def |
| 775 | ; |
| 776 | opt_mls_range_def : ':' mls_range_def |
| 777 | | |
| 778 | ; |
| 779 | mls_range_def : mls_level_def '-' mls_level_def |
| 780 | {if (insert_separator(0)) return -1;} |
| 781 | | mls_level_def |
| 782 | {if (insert_separator(0)) return -1;} |
| 783 | ; |
| 784 | mls_level_def : identifier ':' id_comma_list |
| 785 | {if (insert_separator(0)) return -1;} |
| 786 | | identifier |
| 787 | {if (insert_separator(0)) return -1;} |
| 788 | ; |
| 789 | id_comma_list : identifier |
| 790 | | id_comma_list ',' identifier |
| 791 | ; |
| 792 | tilde : '~' |
| 793 | ; |
| 794 | asterisk : '*' |
| 795 | ; |
| 796 | names : identifier |
| 797 | { if (insert_separator(0)) return -1; } |
| 798 | | nested_id_set |
| 799 | { if (insert_separator(0)) return -1; } |
| 800 | | asterisk |
| 801 | { if (insert_id("*", 0)) return -1; |
| 802 | if (insert_separator(0)) return -1; } |
| 803 | | tilde identifier |
| 804 | { if (insert_id("~", 0)) return -1; |
| 805 | if (insert_separator(0)) return -1; } |
| 806 | | tilde nested_id_set |
| 807 | { if (insert_id("~", 0)) return -1; |
| 808 | if (insert_separator(0)) return -1; } |
| 809 | | identifier '-' { if (insert_id("-", 0)) return -1; } identifier |
| 810 | { if (insert_separator(0)) return -1; } |
| 811 | ; |
| 812 | tilde_push : tilde |
| 813 | { if (insert_id("~", 1)) return -1; } |
| 814 | ; |
| 815 | asterisk_push : asterisk |
| 816 | { if (insert_id("*", 1)) return -1; } |
| 817 | ; |
| 818 | names_push : identifier_push |
| 819 | | '{' identifier_list_push '}' |
| 820 | | asterisk_push |
| 821 | | tilde_push identifier_push |
| 822 | | tilde_push '{' identifier_list_push '}' |
| 823 | ; |
| 824 | identifier_list_push : identifier_push |
| 825 | | identifier_list_push identifier_push |
| 826 | ; |
| 827 | identifier_push : IDENTIFIER |
| 828 | { if (insert_id(yytext, 1)) return -1; } |
| 829 | ; |
| 830 | identifier_list : identifier |
| 831 | | identifier_list identifier |
| 832 | ; |
| 833 | nested_id_set : '{' nested_id_list '}' |
| 834 | ; |
| 835 | nested_id_list : nested_id_element | nested_id_list nested_id_element |
| 836 | ; |
| 837 | nested_id_element : identifier | '-' { if (insert_id("-", 0)) return -1; } identifier | nested_id_set |
| 838 | ; |
| 839 | identifier : IDENTIFIER |
| 840 | { if (insert_id(yytext,0)) return -1; } |
| 841 | ; |
Eric Paris | fdeecca | 2011-11-02 13:03:59 -0400 | [diff] [blame] | 842 | filesystem : FILESYSTEM |
| 843 | { if (insert_id(yytext,0)) return -1; } |
Dan Walsh | d72a9ec | 2011-04-12 09:54:46 -0400 | [diff] [blame] | 844 | | IDENTIFIER |
| 845 | { if (insert_id(yytext,0)) return -1; } |
| 846 | ; |
Eric Paris | fdeecca | 2011-11-02 13:03:59 -0400 | [diff] [blame] | 847 | path : PATH |
| 848 | { if (insert_id(yytext,0)) return -1; } |
Daniel De Graaf | aab2d9f | 2015-03-17 16:43:22 -0400 | [diff] [blame] | 849 | | QPATH |
| 850 | { yytext[strlen(yytext) - 1] = '\0'; if (insert_id(yytext + 1,0)) return -1; } |
Eric Paris | fdeecca | 2011-11-02 13:03:59 -0400 | [diff] [blame] | 851 | ; |
| 852 | filename : FILENAME |
| 853 | { yytext[strlen(yytext) - 1] = '\0'; if (insert_id(yytext + 1,0)) return -1; } |
| 854 | ; |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 855 | number : NUMBER |
| 856 | { $$ = strtoul(yytext,NULL,0); } |
| 857 | ; |
Daniel De Graaf | 82030de | 2015-03-17 16:43:23 -0400 | [diff] [blame] | 858 | number64 : NUMBER |
| 859 | { $$ = strtoull(yytext,NULL,0); } |
| 860 | ; |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 861 | ipv6_addr : IPV6_ADDR |
| 862 | { if (insert_id(yytext,0)) return -1; } |
| 863 | ; |
| 864 | policycap_def : POLICYCAP identifier ';' |
| 865 | {if (define_polcap()) return -1;} |
| 866 | ; |
| 867 | permissive_def : PERMISSIVE identifier ';' |
| 868 | {if (define_permissive()) return -1;} |
| 869 | |
| 870 | /*********** module grammar below ***********/ |
| 871 | |
| 872 | module_policy : module_def avrules_block |
| 873 | { if (end_avrule_block(pass) == -1) return -1; |
| 874 | if (policydb_index_others(NULL, policydbp, 0)) return -1; |
| 875 | } |
| 876 | ; |
| 877 | module_def : MODULE identifier version_identifier ';' |
| 878 | { if (define_policy(pass, 1) == -1) return -1; } |
| 879 | ; |
| 880 | version_identifier : VERSION_IDENTIFIER |
| 881 | { if (insert_id(yytext,0)) return -1; } |
Daniel J Walsh | c61b693 | 2011-04-29 15:41:16 -0400 | [diff] [blame] | 882 | | number |
| 883 | { if (insert_id(yytext,0)) return -1; } |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 884 | | ipv4_addr_def /* version can look like ipv4 address */ |
| 885 | ; |
| 886 | avrules_block : avrule_decls avrule_user_defs |
| 887 | ; |
| 888 | avrule_decls : avrule_decls avrule_decl |
| 889 | | avrule_decl |
| 890 | ; |
| 891 | avrule_decl : rbac_decl |
| 892 | | te_decl |
| 893 | | cond_stmt_def |
| 894 | | require_block |
| 895 | | optional_block |
| 896 | | ';' |
| 897 | ; |
| 898 | require_block : REQUIRE '{' require_list '}' |
| 899 | ; |
| 900 | require_list : require_list require_decl |
| 901 | | require_decl |
| 902 | ; |
| 903 | require_decl : require_class ';' |
| 904 | | require_decl_def require_id_list ';' |
| 905 | ; |
| 906 | require_class : CLASS identifier names |
| 907 | { if (require_class(pass)) return -1; } |
| 908 | ; |
| 909 | require_decl_def : ROLE { $$ = require_role; } |
| 910 | | TYPE { $$ = require_type; } |
| 911 | | ATTRIBUTE { $$ = require_attribute; } |
Harry Ciao | 16675b7 | 2011-07-25 09:23:54 +0800 | [diff] [blame] | 912 | | ATTRIBUTE_ROLE { $$ = require_attribute_role; } |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 913 | | USER { $$ = require_user; } |
| 914 | | BOOL { $$ = require_bool; } |
Harry Ciao | 80f26c5 | 2011-09-01 11:29:41 +0800 | [diff] [blame] | 915 | | TUNABLE { $$ = require_tunable; } |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 916 | | SENSITIVITY { $$ = require_sens; } |
| 917 | | CATEGORY { $$ = require_cat; } |
| 918 | ; |
| 919 | require_id_list : identifier |
| 920 | { if ($<require_func>0 (pass)) return -1; } |
| 921 | | require_id_list ',' identifier |
| 922 | { if ($<require_func>0 (pass)) return -1; } |
| 923 | ; |
| 924 | optional_block : optional_decl '{' avrules_block '}' |
| 925 | { if (end_avrule_block(pass) == -1) return -1; } |
| 926 | optional_else |
| 927 | { if (end_optional(pass) == -1) return -1; } |
| 928 | ; |
| 929 | optional_else : else_decl '{' avrules_block '}' |
| 930 | { if (end_avrule_block(pass) == -1) return -1; } |
| 931 | | /* empty */ |
| 932 | ; |
| 933 | optional_decl : OPTIONAL |
| 934 | { if (begin_optional(pass) == -1) return -1; } |
| 935 | ; |
| 936 | else_decl : ELSE |
| 937 | { if (begin_optional_else(pass) == -1) return -1; } |
| 938 | ; |
| 939 | avrule_user_defs : user_def avrule_user_defs |
| 940 | | /* empty */ |
| 941 | ; |