Gitiles
Code Review Sign In
gerrit-public.fairphone.software / fp2-dev / platform / external / selinux / refs/tags/fp2-sibon-17.12.1 / . / checkpolicy / policy_parse.y
blob: 059b7b87a318a17a5be3147dc85979f9047a5fb6 [file] [log] [blame]
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1
2/*
3 * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
4 */
5
6/*
7 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
8 *
9 * Support for enhanced MLS infrastructure.
10 *
11 * Updated: David Caplan, <dac@tresys.com>
12 *
13 * Added conditional policy language extensions
14 *
15 * Updated: Joshua Brindle <jbrindle@tresys.com>
16 * Karl MacMillan <kmacmillan@mentalrootkit.com>
17 * Jason Tang <jtang@tresys.com>
18 *
19 * Added support for binary policy modules
20 *
21 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
22 * Copyright (C) 2003 - 2008 Tresys Technology, LLC
23 * Copyright (C) 2007 Red Hat Inc.
24 * This program is free software; you can redistribute it and/or modify
25 * it under the terms of the GNU General Public License as published by
26 * the Free Software Foundation, version 2.
27 */
28
29/* FLASK */
30
31%{
32#include <sys/types.h>
33#include <assert.h>
34#include <stdarg.h>
35#include <stdint.h>
36#include <stdio.h>
37#include <stdlib.h>
38#include <string.h>
39#include <sys/socket.h>
40#include <netinet/in.h>
41#include <arpa/inet.h>
42#include <stdlib.h>
43
44#include <sepol/policydb/expand.h>
45#include <sepol/policydb/policydb.h>
46#include <sepol/policydb/services.h>
47#include <sepol/policydb/conditional.h>
48#include <sepol/policydb/flask.h>
49#include <sepol/policydb/hierarchy.h>
50#include <sepol/policydb/polcaps.h>
51#include "queue.h"
52#include "checkpolicy.h"
53#include "module_compiler.h"
54#include "policy_define.h"
55
56extern policydb_t *policydbp;
57extern unsigned int pass;
58
59extern char yytext[];
60extern int yylex(void);
Nicolas Iooss832e7012014-09-14 23:41:39 +0200[diff] [blame]61extern int yywarn(const char *msg);
62extern int yyerror(const char *msg);
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]63
Nicolas Ioossc4a4a1a2014-09-14 23:41:49 +0200[diff] [blame]64typedef int (* require_func_t)(int pass);
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]65
66%}
67
68%union {
69 unsigned int val;
Daniel De Graaf82030de2015-03-17 16:43:23 -0400[diff] [blame]70 uint64_t val64;
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]71 uintptr_t valptr;
72 void *ptr;
73 require_func_t require_func;
74}
75
76%type <ptr> cond_expr cond_expr_prim cond_pol_list cond_else
77%type <ptr> cond_allow_def cond_auditallow_def cond_auditdeny_def cond_dontaudit_def
78%type <ptr> cond_transition_def cond_te_avtab_def cond_rule_def
79%type <ptr> role_def roles
80%type <valptr> cexpr cexpr_prim op role_mls_op
81%type <val> ipv4_addr_def number
Daniel De Graaf82030de2015-03-17 16:43:23 -0400[diff] [blame]82%type <val64> number64
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]83%type <require_func> require_decl_def
84
85%token PATH
Daniel De Graafaab2d9f2015-03-17 16:43:22 -0400[diff] [blame]86%token QPATH
Steve Lawrenceb42e15f2011-05-16 08:40:00 -0400[diff] [blame]87%token FILENAME
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]88%token CLONE
89%token COMMON
90%token CLASS
91%token CONSTRAIN
92%token VALIDATETRANS
93%token INHERITS
94%token SID
95%token ROLE
Harry Ciao16675b72011-07-25 09:23:54 +0800[diff] [blame]96%token ROLEATTRIBUTE
97%token ATTRIBUTE_ROLE
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]98%token ROLES
99%token TYPEALIAS
100%token TYPEATTRIBUTE
Joshua Brindle45728402008-10-08 06:56:51 -0400[diff] [blame]101%token TYPEBOUNDS
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]102%token TYPE
103%token TYPES
104%token ALIAS
105%token ATTRIBUTE
106%token BOOL
Harry Ciao80f26c52011-09-01 11:29:41 +0800[diff] [blame]107%token TUNABLE
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]108%token IF
109%token ELSE
110%token TYPE_TRANSITION
111%token TYPE_MEMBER
112%token TYPE_CHANGE
113%token ROLE_TRANSITION
114%token RANGE_TRANSITION
115%token SENSITIVITY
116%token DOMINANCE
117%token DOM DOMBY INCOMP
118%token CATEGORY
119%token LEVEL
120%token RANGE
121%token MLSCONSTRAIN
122%token MLSVALIDATETRANS
123%token USER
124%token NEVERALLOW
125%token ALLOW
126%token AUDITALLOW
127%token AUDITDENY
128%token DONTAUDIT
129%token SOURCE
130%token TARGET
131%token SAMEUSER
132%token FSCON PORTCON NETIFCON NODECON
Daniel De Graaff0290672015-03-17 16:43:24 -0400[diff] [blame]133%token PIRQCON IOMEMCON IOPORTCON PCIDEVICECON DEVICETREECON
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]134%token FSUSEXATTR FSUSETASK FSUSETRANS
135%token GENFSCON
136%token U1 U2 U3 R1 R2 R3 T1 T2 T3 L1 L2 H1 H2
137%token NOT AND OR XOR
138%token CTRUE CFALSE
139%token IDENTIFIER
140%token NUMBER
141%token EQUALS
142%token NOTEQUAL
143%token IPV4_ADDR
144%token IPV6_ADDR
145%token MODULE VERSION_IDENTIFIER REQUIRE OPTIONAL
146%token POLICYCAP
147%token PERMISSIVE
James Carter17ac87c2011-01-12 16:29:02 -0500[diff] [blame]148%token FILESYSTEM
Eric Paris693f5242012-12-18 11:41:25 -0500[diff] [blame]149%token DEFAULT_USER DEFAULT_ROLE DEFAULT_TYPE DEFAULT_RANGE
Eric Paris09c783c2011-12-05 13:28:51 -0500[diff] [blame]150%token LOW_HIGH LOW HIGH
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]151
152%left OR
153%left XOR
154%left AND
155%right NOT
156%left EQUALS NOTEQUAL
157%%
158policy : base_policy
159 | module_policy
160 ;
161base_policy : { if (define_policy(pass, 0) == -1) return -1; }
162 classes initial_sids access_vectors
163 { if (pass == 1) { if (policydb_index_classes(policydbp)) return -1; }
164 else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1; }}
Eric Paris09c783c2011-12-05 13:28:51 -0500[diff] [blame]165 opt_default_rules opt_mls te_rbac users opt_constraints
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]166 { if (pass == 1) { if (policydb_index_bools(policydbp)) return -1;}
167 else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1;}}
Paul Nuzzi79d10a82009-09-29 10:06:26 -0400[diff] [blame]168 initial_sid_contexts opt_fs_contexts opt_fs_uses opt_genfs_contexts net_contexts opt_dev_contexts
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]169 ;
170classes : class_def
171 | classes class_def
172 ;
173class_def : CLASS identifier
174 {if (define_class()) return -1;}
175 ;
176initial_sids : initial_sid_def
177 | initial_sids initial_sid_def
178 ;
179initial_sid_def : SID identifier
180 {if (define_initial_sid()) return -1;}
181 ;
182access_vectors : opt_common_perms av_perms
183 ;
184opt_common_perms : common_perms
185 |
186 ;
187common_perms : common_perms_def
188 | common_perms common_perms_def
189 ;
190common_perms_def : COMMON identifier '{' identifier_list '}'
191 {if (define_common_perms()) return -1;}
192 ;
193av_perms : av_perms_def
194 | av_perms av_perms_def
195 ;
196av_perms_def : CLASS identifier '{' identifier_list '}'
197 {if (define_av_perms(FALSE)) return -1;}
198 | CLASS identifier INHERITS identifier
199 {if (define_av_perms(TRUE)) return -1;}
200 | CLASS identifier INHERITS identifier '{' identifier_list '}'
201 {if (define_av_perms(TRUE)) return -1;}
202 ;
Eric Paris09c783c2011-12-05 13:28:51 -0500[diff] [blame]203opt_default_rules : default_rules
204 |
205 ;
206default_rules : default_user_def
207 | default_role_def
Eric Paris693f5242012-12-18 11:41:25 -0500[diff] [blame]208 | default_type_def
Eric Paris09c783c2011-12-05 13:28:51 -0500[diff] [blame]209 | default_range_def
210 | default_rules default_user_def
211 | default_rules default_role_def
Eric Paris693f5242012-12-18 11:41:25 -0500[diff] [blame]212 | default_rules default_type_def
Eric Paris09c783c2011-12-05 13:28:51 -0500[diff] [blame]213 | default_rules default_range_def
214 ;
215default_user_def : DEFAULT_USER names SOURCE ';'
216 {if (define_default_user(DEFAULT_SOURCE)) return -1; }
217 | DEFAULT_USER names TARGET ';'
218 {if (define_default_user(DEFAULT_TARGET)) return -1; }
219 ;
220default_role_def : DEFAULT_ROLE names SOURCE ';'
221 {if (define_default_role(DEFAULT_SOURCE)) return -1; }
222 | DEFAULT_ROLE names TARGET ';'
223 {if (define_default_role(DEFAULT_TARGET)) return -1; }
224 ;
Eric Paris693f5242012-12-18 11:41:25 -0500[diff] [blame]225default_type_def : DEFAULT_TYPE names SOURCE ';'
226 {if (define_default_type(DEFAULT_SOURCE)) return -1; }
227 | DEFAULT_TYPE names TARGET ';'
228 {if (define_default_type(DEFAULT_TARGET)) return -1; }
229 ;
Eric Paris09c783c2011-12-05 13:28:51 -0500[diff] [blame]230default_range_def : DEFAULT_RANGE names SOURCE LOW ';'
231 {if (define_default_range(DEFAULT_SOURCE_LOW)) return -1; }
232 | DEFAULT_RANGE names SOURCE HIGH ';'
233 {if (define_default_range(DEFAULT_SOURCE_HIGH)) return -1; }
234 | DEFAULT_RANGE names SOURCE LOW_HIGH ';'
235 {if (define_default_range(DEFAULT_SOURCE_LOW_HIGH)) return -1; }
236 | DEFAULT_RANGE names TARGET LOW ';'
237 {if (define_default_range(DEFAULT_TARGET_LOW)) return -1; }
238 | DEFAULT_RANGE names TARGET HIGH ';'
239 {if (define_default_range(DEFAULT_TARGET_HIGH)) return -1; }
240 | DEFAULT_RANGE names TARGET LOW_HIGH ';'
241 {if (define_default_range(DEFAULT_TARGET_LOW_HIGH)) return -1; }
242 ;
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]243opt_mls : mls
244 |
245 ;
246mls : sensitivities dominance opt_categories levels mlspolicy
247 ;
248sensitivities : sensitivity_def
249 | sensitivities sensitivity_def
250 ;
251sensitivity_def : SENSITIVITY identifier alias_def ';'
252 {if (define_sens()) return -1;}
253 | SENSITIVITY identifier ';'
254 {if (define_sens()) return -1;}
255 ;
256alias_def : ALIAS names
257 ;
258dominance : DOMINANCE identifier
259 {if (define_dominance()) return -1;}
260 | DOMINANCE '{' identifier_list '}'
261 {if (define_dominance()) return -1;}
262 ;
263opt_categories : categories
264 |
265 ;
266categories : category_def
267 | categories category_def
268 ;
269category_def : CATEGORY identifier alias_def ';'
270 {if (define_category()) return -1;}
271 | CATEGORY identifier ';'
272 {if (define_category()) return -1;}
273 ;
274levels : level_def
275 | levels level_def
276 ;
277level_def : LEVEL identifier ':' id_comma_list ';'
278 {if (define_level()) return -1;}
279 | LEVEL identifier ';'
280 {if (define_level()) return -1;}
281 ;
282mlspolicy : mlspolicy_decl
283 | mlspolicy mlspolicy_decl
284 ;
285mlspolicy_decl : mlsconstraint_def
286 | mlsvalidatetrans_def
287 ;
288mlsconstraint_def : MLSCONSTRAIN names names cexpr ';'
289 { if (define_constraint((constraint_expr_t*)$4)) return -1; }
290 ;
291mlsvalidatetrans_def : MLSVALIDATETRANS names cexpr ';'
292 { if (define_validatetrans((constraint_expr_t*)$3)) return -1; }
293 ;
294te_rbac : te_rbac_decl
295 | te_rbac te_rbac_decl
296 ;
297te_rbac_decl : te_decl
298 | rbac_decl
299 | cond_stmt_def
300 | optional_block
301 | policycap_def
302 | ';'
303 ;
Harry Ciao16675b72011-07-25 09:23:54 +0800[diff] [blame]304rbac_decl : attribute_role_def
305 | role_type_def
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]306 | role_dominance
307 | role_trans_def
308 | role_allow_def
Harry Ciao16675b72011-07-25 09:23:54 +0800[diff] [blame]309 | roleattribute_def
310 | role_attr_def
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]311 ;
312te_decl : attribute_def
313 | type_def
314 | typealias_def
315 | typeattribute_def
Joshua Brindle45728402008-10-08 06:56:51 -0400[diff] [blame]316 | typebounds_def
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]317 | bool_def
Harry Ciao80f26c52011-09-01 11:29:41 +0800[diff] [blame]318 | tunable_def
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]319 | transition_def
320 | range_trans_def
321 | te_avtab_def
322 | permissive_def
323 ;
324attribute_def : ATTRIBUTE identifier ';'
325 { if (define_attrib()) return -1;}
326 ;
327type_def : TYPE identifier alias_def opt_attr_list ';'
328 {if (define_type(1)) return -1;}
329 | TYPE identifier opt_attr_list ';'
330 {if (define_type(0)) return -1;}
331 ;
332typealias_def : TYPEALIAS identifier alias_def ';'
333 {if (define_typealias()) return -1;}
334 ;
335typeattribute_def : TYPEATTRIBUTE identifier id_comma_list ';'
336 {if (define_typeattribute()) return -1;}
337 ;
Joshua Brindle45728402008-10-08 06:56:51 -0400[diff] [blame]338typebounds_def : TYPEBOUNDS identifier id_comma_list ';'
339 {if (define_typebounds()) return -1;}
340 ;
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]341opt_attr_list : ',' id_comma_list
342 |
343 ;
344bool_def : BOOL identifier bool_val ';'
Harry Ciao80f26c52011-09-01 11:29:41 +0800[diff] [blame]345 { if (define_bool_tunable(0)) return -1; }
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]346 ;
Harry Ciao80f26c52011-09-01 11:29:41 +0800[diff] [blame]347tunable_def : TUNABLE identifier bool_val ';'
348 { if (define_bool_tunable(1)) return -1; }
349 ;
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]350bool_val : CTRUE
351 { if (insert_id("T",0)) return -1; }
352 | CFALSE
353 { if (insert_id("F",0)) return -1; }
354 ;
355cond_stmt_def : IF cond_expr '{' cond_pol_list '}' cond_else
356 { if (pass == 2) { if (define_conditional((cond_expr_t*)$2, (avrule_t*)$4, (avrule_t*)$6) < 0) return -1; }}
357 ;
358cond_else : ELSE '{' cond_pol_list '}'
359 { $$ = $3; }
360 | /* empty */
361 { $$ = NULL; }
Scapelli387dc632014-09-18 15:47:45 +0200[diff] [blame]362 ;
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]363cond_expr : '(' cond_expr ')'
364 { $$ = $2;}
365 | NOT cond_expr
366 { $$ = define_cond_expr(COND_NOT, $2, 0);
367 if ($$ == 0) return -1; }
368 | cond_expr AND cond_expr
369 { $$ = define_cond_expr(COND_AND, $1, $3);
370 if ($$ == 0) return -1; }
371 | cond_expr OR cond_expr
372 { $$ = define_cond_expr(COND_OR, $1, $3);
373 if ($$ == 0) return -1; }
374 | cond_expr XOR cond_expr
375 { $$ = define_cond_expr(COND_XOR, $1, $3);
376 if ($$ == 0) return -1; }
377 | cond_expr EQUALS cond_expr
378 { $$ = define_cond_expr(COND_EQ, $1, $3);
379 if ($$ == 0) return -1; }
380 | cond_expr NOTEQUAL cond_expr
381 { $$ = define_cond_expr(COND_NEQ, $1, $3);
382 if ($$ == 0) return -1; }
383 | cond_expr_prim
384 { $$ = $1; }
385 ;
386cond_expr_prim : identifier
387 { $$ = define_cond_expr(COND_BOOL,0, 0);
388 if ($$ == COND_ERR) return -1; }
389 ;
390cond_pol_list : cond_pol_list cond_rule_def
391 { $$ = define_cond_pol_list((avrule_t *)$1, (avrule_t *)$2); }
392 | /* empty */
393 { $$ = NULL; }
394 ;
395cond_rule_def : cond_transition_def
396 { $$ = $1; }
397 | cond_te_avtab_def
398 { $$ = $1; }
399 | require_block
400 { $$ = NULL; }
401 ;
Steve Lawrenceb42e15f2011-05-16 08:40:00 -0400[diff] [blame]402cond_transition_def : TYPE_TRANSITION names names ':' names identifier filename ';'
Eric Paris516cb2a2011-03-28 14:00:19 -0400[diff] [blame]403 { $$ = define_cond_filename_trans() ;
404 if ($$ == COND_ERR) return -1;}
405 | TYPE_TRANSITION names names ':' names identifier ';'
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]406 { $$ = define_cond_compute_type(AVRULE_TRANSITION) ;
407 if ($$ == COND_ERR) return -1;}
408 | TYPE_MEMBER names names ':' names identifier ';'
409 { $$ = define_cond_compute_type(AVRULE_MEMBER) ;
410 if ($$ == COND_ERR) return -1;}
411 | TYPE_CHANGE names names ':' names identifier ';'
412 { $$ = define_cond_compute_type(AVRULE_CHANGE) ;
413 if ($$ == COND_ERR) return -1;}
414 ;
415cond_te_avtab_def : cond_allow_def
416 { $$ = $1; }
417 | cond_auditallow_def
418 { $$ = $1; }
419 | cond_auditdeny_def
420 { $$ = $1; }
421 | cond_dontaudit_def
422 { $$ = $1; }
423 ;
424cond_allow_def : ALLOW names names ':' names names ';'
425 { $$ = define_cond_te_avtab(AVRULE_ALLOWED) ;
426 if ($$ == COND_ERR) return -1; }
427 ;
428cond_auditallow_def : AUDITALLOW names names ':' names names ';'
429 { $$ = define_cond_te_avtab(AVRULE_AUDITALLOW) ;
430 if ($$ == COND_ERR) return -1; }
431 ;
432cond_auditdeny_def : AUDITDENY names names ':' names names ';'
433 { $$ = define_cond_te_avtab(AVRULE_AUDITDENY) ;
434 if ($$ == COND_ERR) return -1; }
435 ;
436cond_dontaudit_def : DONTAUDIT names names ':' names names ';'
437 { $$ = define_cond_te_avtab(AVRULE_DONTAUDIT);
438 if ($$ == COND_ERR) return -1; }
439 ;
Eric Parisfdeecca2011-11-02 13:03:59 -0400[diff] [blame]440 ;
Steve Lawrenceb42e15f2011-05-16 08:40:00 -0400[diff] [blame]441transition_def : TYPE_TRANSITION names names ':' names identifier filename ';'
Steve Lawrencecb271f72011-05-16 08:38:37 -0400[diff] [blame]442 {if (define_filename_trans()) return -1; }
443 | TYPE_TRANSITION names names ':' names identifier ';'
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]444 {if (define_compute_type(AVRULE_TRANSITION)) return -1;}
445 | TYPE_MEMBER names names ':' names identifier ';'
446 {if (define_compute_type(AVRULE_MEMBER)) return -1;}
447 | TYPE_CHANGE names names ':' names identifier ';'
448 {if (define_compute_type(AVRULE_CHANGE)) return -1;}
449 ;
450range_trans_def : RANGE_TRANSITION names names mls_range_def ';'
451 { if (define_range_trans(0)) return -1; }
452 | RANGE_TRANSITION names names ':' names mls_range_def ';'
453 { if (define_range_trans(1)) return -1; }
454 ;
455te_avtab_def : allow_def
456 | auditallow_def
457 | auditdeny_def
458 | dontaudit_def
459 | neverallow_def
Jeff Vander Stoep80bc7ee2015-04-22 13:53:25 -0700[diff] [blame]460 | operation_allow_def
461 | operation_auditallow_def
462 | operation_dontaudit_def
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]463 ;
464allow_def : ALLOW names names ':' names names ';'
465 {if (define_te_avtab(AVRULE_ALLOWED)) return -1; }
466 ;
467auditallow_def : AUDITALLOW names names ':' names names ';'
468 {if (define_te_avtab(AVRULE_AUDITALLOW)) return -1; }
469 ;
470auditdeny_def : AUDITDENY names names ':' names names ';'
471 {if (define_te_avtab(AVRULE_AUDITDENY)) return -1; }
472 ;
473dontaudit_def : DONTAUDIT names names ':' names names ';'
474 {if (define_te_avtab(AVRULE_DONTAUDIT)) return -1; }
475 ;
476neverallow_def : NEVERALLOW names names ':' names names ';'
477 {if (define_te_avtab(AVRULE_NEVERALLOW)) return -1; }
478 ;
Jeff Vander Stoep80bc7ee2015-04-22 13:53:25 -0700[diff] [blame]479operation_allow_def : ALLOW names names ':' names operations ';'
480 {if (define_te_avtab_operation(AVRULE_OPNUM_ALLOWED)) return -1; }
481 ;
482operation_auditallow_def: AUDITALLOW names names ':' names operations ';'
483 {if (define_te_avtab_operation(AVRULE_OPNUM_AUDITALLOW)) return -1; }
484 ;
485operation_dontaudit_def : DONTAUDIT names names ':' names operations ';'
486 {if (define_te_avtab_operation(AVRULE_OPNUM_DONTAUDIT)) return -1; }
487 ;
Harry Ciao16675b72011-07-25 09:23:54 +0800[diff] [blame]488attribute_role_def : ATTRIBUTE_ROLE identifier ';'
489 {if (define_attrib_role()) return -1; }
Dan Walsh56196352011-08-09 10:28:38 -0400[diff] [blame]490 ;
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]491role_type_def : ROLE identifier TYPES names ';'
492 {if (define_role_types()) return -1;}
Harry Ciao16675b72011-07-25 09:23:54 +0800[diff] [blame]493 ;
494role_attr_def : ROLE identifier opt_attr_list ';'
495 {if (define_role_attr()) return -1;}
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]496 ;
497role_dominance : DOMINANCE '{' roles '}'
498 ;
499role_trans_def : ROLE_TRANSITION names names identifier ';'
Harry Ciaoe95f3582011-03-25 13:51:59 +0800[diff] [blame]500 {if (define_role_trans(0)) return -1; }
501 | ROLE_TRANSITION names names ':' names identifier ';'
502 {if (define_role_trans(1)) return -1;}
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]503 ;
504role_allow_def : ALLOW names names ';'
505 {if (define_role_allow()) return -1; }
506 ;
507roles : role_def
508 { $$ = $1; }
509 | roles role_def
510 { $$ = merge_roles_dom((role_datum_t*)$1, (role_datum_t*)$2); if ($$ == 0) return -1;}
511 ;
512role_def : ROLE identifier_push ';'
513 {$$ = define_role_dom(NULL); if ($$ == 0) return -1;}
514 | ROLE identifier_push '{' roles '}'
515 {$$ = define_role_dom((role_datum_t*)$4); if ($$ == 0) return -1;}
516 ;
Harry Ciao16675b72011-07-25 09:23:54 +0800[diff] [blame]517roleattribute_def : ROLEATTRIBUTE identifier id_comma_list ';'
518 {if (define_roleattribute()) return -1;}
519 ;
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]520opt_constraints : constraints
521 |
522 ;
523constraints : constraint_decl
524 | constraints constraint_decl
525 ;
526constraint_decl : constraint_def
527 | validatetrans_def
528 ;
529constraint_def : CONSTRAIN names names cexpr ';'
530 { if (define_constraint((constraint_expr_t*)$4)) return -1; }
531 ;
532validatetrans_def : VALIDATETRANS names cexpr ';'
533 { if (define_validatetrans((constraint_expr_t*)$3)) return -1; }
534 ;
535cexpr : '(' cexpr ')'
536 { $$ = $2; }
537 | NOT cexpr
538 { $$ = define_cexpr(CEXPR_NOT, $2, 0);
539 if ($$ == 0) return -1; }
540 | cexpr AND cexpr
541 { $$ = define_cexpr(CEXPR_AND, $1, $3);
542 if ($$ == 0) return -1; }
543 | cexpr OR cexpr
544 { $$ = define_cexpr(CEXPR_OR, $1, $3);
545 if ($$ == 0) return -1; }
546 | cexpr_prim
547 { $$ = $1; }
548 ;
549cexpr_prim : U1 op U2
550 { $$ = define_cexpr(CEXPR_ATTR, CEXPR_USER, $2);
551 if ($$ == 0) return -1; }
552 | R1 role_mls_op R2
553 { $$ = define_cexpr(CEXPR_ATTR, CEXPR_ROLE, $2);
554 if ($$ == 0) return -1; }
555 | T1 op T2
556 { $$ = define_cexpr(CEXPR_ATTR, CEXPR_TYPE, $2);
557 if ($$ == 0) return -1; }
558 | U1 op { if (insert_separator(1)) return -1; } names_push
559 { $$ = define_cexpr(CEXPR_NAMES, CEXPR_USER, $2);
560 if ($$ == 0) return -1; }
561 | U2 op { if (insert_separator(1)) return -1; } names_push
562 { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_USER | CEXPR_TARGET), $2);
563 if ($$ == 0) return -1; }
564 | U3 op { if (insert_separator(1)) return -1; } names_push
565 { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_USER | CEXPR_XTARGET), $2);
566 if ($$ == 0) return -1; }
567 | R1 op { if (insert_separator(1)) return -1; } names_push
568 { $$ = define_cexpr(CEXPR_NAMES, CEXPR_ROLE, $2);
569 if ($$ == 0) return -1; }
570 | R2 op { if (insert_separator(1)) return -1; } names_push
571 { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_ROLE | CEXPR_TARGET), $2);
572 if ($$ == 0) return -1; }
573 | R3 op { if (insert_separator(1)) return -1; } names_push
574 { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_ROLE | CEXPR_XTARGET), $2);
575 if ($$ == 0) return -1; }
576 | T1 op { if (insert_separator(1)) return -1; } names_push
577 { $$ = define_cexpr(CEXPR_NAMES, CEXPR_TYPE, $2);
578 if ($$ == 0) return -1; }
579 | T2 op { if (insert_separator(1)) return -1; } names_push
580 { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_TYPE | CEXPR_TARGET), $2);
581 if ($$ == 0) return -1; }
582 | T3 op { if (insert_separator(1)) return -1; } names_push
583 { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_TYPE | CEXPR_XTARGET), $2);
584 if ($$ == 0) return -1; }
585 | SAMEUSER
586 { $$ = define_cexpr(CEXPR_ATTR, CEXPR_USER, CEXPR_EQ);
587 if ($$ == 0) return -1; }
588 | SOURCE ROLE { if (insert_separator(1)) return -1; } names_push
589 { $$ = define_cexpr(CEXPR_NAMES, CEXPR_ROLE, CEXPR_EQ);
590 if ($$ == 0) return -1; }
591 | TARGET ROLE { if (insert_separator(1)) return -1; } names_push
592 { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_ROLE | CEXPR_TARGET), CEXPR_EQ);
593 if ($$ == 0) return -1; }
594 | ROLE role_mls_op
595 { $$ = define_cexpr(CEXPR_ATTR, CEXPR_ROLE, $2);
596 if ($$ == 0) return -1; }
597 | SOURCE TYPE { if (insert_separator(1)) return -1; } names_push
598 { $$ = define_cexpr(CEXPR_NAMES, CEXPR_TYPE, CEXPR_EQ);
599 if ($$ == 0) return -1; }
600 | TARGET TYPE { if (insert_separator(1)) return -1; } names_push
601 { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_TYPE | CEXPR_TARGET), CEXPR_EQ);
602 if ($$ == 0) return -1; }
603 | L1 role_mls_op L2
604 { $$ = define_cexpr(CEXPR_ATTR, CEXPR_L1L2, $2);
605 if ($$ == 0) return -1; }
606 | L1 role_mls_op H2
607 { $$ = define_cexpr(CEXPR_ATTR, CEXPR_L1H2, $2);
608 if ($$ == 0) return -1; }
609 | H1 role_mls_op L2
610 { $$ = define_cexpr(CEXPR_ATTR, CEXPR_H1L2, $2);
611 if ($$ == 0) return -1; }
612 | H1 role_mls_op H2
613 { $$ = define_cexpr(CEXPR_ATTR, CEXPR_H1H2, $2);
614 if ($$ == 0) return -1; }
615 | L1 role_mls_op H1
616 { $$ = define_cexpr(CEXPR_ATTR, CEXPR_L1H1, $2);
617 if ($$ == 0) return -1; }
618 | L2 role_mls_op H2
619 { $$ = define_cexpr(CEXPR_ATTR, CEXPR_L2H2, $2);
620 if ($$ == 0) return -1; }
621 ;
622op : EQUALS
623 { $$ = CEXPR_EQ; }
624 | NOTEQUAL
625 { $$ = CEXPR_NEQ; }
626 ;
627role_mls_op : op
628 { $$ = $1; }
629 | DOM
630 { $$ = CEXPR_DOM; }
631 | DOMBY
632 { $$ = CEXPR_DOMBY; }
633 | INCOMP
634 { $$ = CEXPR_INCOMP; }
635 ;
636users : user_def
637 | users user_def
638 ;
639user_def : USER identifier ROLES names opt_mls_user ';'
640 {if (define_user()) return -1;}
641 ;
642opt_mls_user : LEVEL mls_level_def RANGE mls_range_def
643 |
644 ;
645initial_sid_contexts : initial_sid_context_def
646 | initial_sid_contexts initial_sid_context_def
647 ;
648initial_sid_context_def : SID identifier security_context_def
649 {if (define_initial_sid_context()) return -1;}
650 ;
Paul Nuzzi79d10a82009-09-29 10:06:26 -0400[diff] [blame]651opt_dev_contexts : dev_contexts |
652 ;
653dev_contexts : dev_context_def
654 | dev_contexts dev_context_def
655 ;
656dev_context_def : pirq_context_def |
657 iomem_context_def |
658 ioport_context_def |
Daniel De Graaff0290672015-03-17 16:43:24 -0400[diff] [blame]659 pci_context_def |
660 dtree_context_def
Paul Nuzzi79d10a82009-09-29 10:06:26 -0400[diff] [blame]661 ;
662pirq_context_def : PIRQCON number security_context_def
663 {if (define_pirq_context($2)) return -1;}
664 ;
Daniel De Graaf82030de2015-03-17 16:43:23 -0400[diff] [blame]665iomem_context_def : IOMEMCON number64 security_context_def
Paul Nuzzi79d10a82009-09-29 10:06:26 -0400[diff] [blame]666 {if (define_iomem_context($2,$2)) return -1;}
Daniel De Graaf82030de2015-03-17 16:43:23 -0400[diff] [blame]667 | IOMEMCON number64 '-' number64 security_context_def
Paul Nuzzi79d10a82009-09-29 10:06:26 -0400[diff] [blame]668 {if (define_iomem_context($2,$4)) return -1;}
669 ;
670ioport_context_def : IOPORTCON number security_context_def
671 {if (define_ioport_context($2,$2)) return -1;}
672 | IOPORTCON number '-' number security_context_def
673 {if (define_ioport_context($2,$4)) return -1;}
674 ;
675pci_context_def : PCIDEVICECON number security_context_def
676 {if (define_pcidevice_context($2)) return -1;}
677 ;
Daniel De Graaff0290672015-03-17 16:43:24 -0400[diff] [blame]678dtree_context_def : DEVICETREECON path security_context_def
679 {if (define_devicetree_context()) return -1;}
680 ;
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]681opt_fs_contexts : fs_contexts
682 |
683 ;
684fs_contexts : fs_context_def
685 | fs_contexts fs_context_def
686 ;
687fs_context_def : FSCON number number security_context_def security_context_def
688 {if (define_fs_context($2,$3)) return -1;}
689 ;
690net_contexts : opt_port_contexts opt_netif_contexts opt_node_contexts
691 ;
692opt_port_contexts : port_contexts
693 |
694 ;
695port_contexts : port_context_def
696 | port_contexts port_context_def
697 ;
698port_context_def : PORTCON identifier number security_context_def
699 {if (define_port_context($3,$3)) return -1;}
700 | PORTCON identifier number '-' number security_context_def
701 {if (define_port_context($3,$5)) return -1;}
702 ;
703opt_netif_contexts : netif_contexts
704 |
705 ;
706netif_contexts : netif_context_def
707 | netif_contexts netif_context_def
708 ;
709netif_context_def : NETIFCON identifier security_context_def security_context_def
710 {if (define_netif_context()) return -1;}
711 ;
712opt_node_contexts : node_contexts
713 |
714 ;
715node_contexts : node_context_def
716 | node_contexts node_context_def
717 ;
718node_context_def : NODECON ipv4_addr_def ipv4_addr_def security_context_def
719 {if (define_ipv4_node_context()) return -1;}
720 | NODECON ipv6_addr ipv6_addr security_context_def
721 {if (define_ipv6_node_context()) return -1;}
722 ;
723opt_fs_uses : fs_uses
724 |
725 ;
726fs_uses : fs_use_def
727 | fs_uses fs_use_def
728 ;
Eric Parisfdeecca2011-11-02 13:03:59 -0400[diff] [blame]729fs_use_def : FSUSEXATTR filesystem security_context_def ';'
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]730 {if (define_fs_use(SECURITY_FS_USE_XATTR)) return -1;}
731 | FSUSETASK identifier security_context_def ';'
732 {if (define_fs_use(SECURITY_FS_USE_TASK)) return -1;}
733 | FSUSETRANS identifier security_context_def ';'
734 {if (define_fs_use(SECURITY_FS_USE_TRANS)) return -1;}
735 ;
736opt_genfs_contexts : genfs_contexts
737 |
738 ;
739genfs_contexts : genfs_context_def
740 | genfs_contexts genfs_context_def
741 ;
Eric Parisfdeecca2011-11-02 13:03:59 -0400[diff] [blame]742genfs_context_def : GENFSCON filesystem path '-' identifier security_context_def
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]743 {if (define_genfs_context(1)) return -1;}
Eric Parisfdeecca2011-11-02 13:03:59 -0400[diff] [blame]744 | GENFSCON filesystem path '-' '-' {insert_id("-", 0);} security_context_def
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]745 {if (define_genfs_context(1)) return -1;}
Eric Parisfdeecca2011-11-02 13:03:59 -0400[diff] [blame]746 | GENFSCON filesystem path security_context_def
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]747 {if (define_genfs_context(0)) return -1;}
748 ;
749ipv4_addr_def : IPV4_ADDR
750 { if (insert_id(yytext,0)) return -1; }
751 ;
Jeff Vander Stoep80bc7ee2015-04-22 13:53:25 -0700[diff] [blame]752operations : operation
753 { if (insert_separator(0)) return -1; }
754 | nested_operation_set
755 { if (insert_separator(0)) return -1; }
756 | tilde operation
757 { if (insert_id("~", 0)) return -1; }
758 | tilde nested_operation_set
759 { if (insert_id("~", 0)) return -1;
760 if (insert_separator(0)) return -1; }
761 ;
762nested_operation_set : '{' nested_operation_list '}'
763 ;
764nested_operation_list : nested_operation_element
765 | nested_operation_list nested_operation_element
766 ;
767nested_operation_element: operation '-' { if (insert_id("-", 0)) return -1; } operation
768 | operation
769 | nested_operation_set
770 ;
771operation : number
772 { if (insert_id(yytext,0)) return -1; }
773 ;
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]774security_context_def : identifier ':' identifier ':' identifier opt_mls_range_def
775 ;
776opt_mls_range_def : ':' mls_range_def
777 |
778 ;
779mls_range_def : mls_level_def '-' mls_level_def
780 {if (insert_separator(0)) return -1;}
781 | mls_level_def
782 {if (insert_separator(0)) return -1;}
783 ;
784mls_level_def : identifier ':' id_comma_list
785 {if (insert_separator(0)) return -1;}
786 | identifier
787 {if (insert_separator(0)) return -1;}
788 ;
789id_comma_list : identifier
790 | id_comma_list ',' identifier
791 ;
792tilde : '~'
793 ;
794asterisk : '*'
795 ;
796names : identifier
797 { if (insert_separator(0)) return -1; }
798 | nested_id_set
799 { if (insert_separator(0)) return -1; }
800 | asterisk
801 { if (insert_id("*", 0)) return -1;
802 if (insert_separator(0)) return -1; }
803 | tilde identifier
804 { if (insert_id("~", 0)) return -1;
805 if (insert_separator(0)) return -1; }
806 | tilde nested_id_set
807 { if (insert_id("~", 0)) return -1;
808 if (insert_separator(0)) return -1; }
809 | identifier '-' { if (insert_id("-", 0)) return -1; } identifier
810 { if (insert_separator(0)) return -1; }
811 ;
812tilde_push : tilde
813 { if (insert_id("~", 1)) return -1; }
814 ;
815asterisk_push : asterisk
816 { if (insert_id("*", 1)) return -1; }
817 ;
818names_push : identifier_push
819 | '{' identifier_list_push '}'
820 | asterisk_push
821 | tilde_push identifier_push
822 | tilde_push '{' identifier_list_push '}'
823 ;
824identifier_list_push : identifier_push
825 | identifier_list_push identifier_push
826 ;
827identifier_push : IDENTIFIER
828 { if (insert_id(yytext, 1)) return -1; }
829 ;
830identifier_list : identifier
831 | identifier_list identifier
832 ;
833nested_id_set : '{' nested_id_list '}'
834 ;
835nested_id_list : nested_id_element | nested_id_list nested_id_element
836 ;
837nested_id_element : identifier | '-' { if (insert_id("-", 0)) return -1; } identifier | nested_id_set
838 ;
839identifier : IDENTIFIER
840 { if (insert_id(yytext,0)) return -1; }
841 ;
Eric Parisfdeecca2011-11-02 13:03:59 -0400[diff] [blame]842filesystem : FILESYSTEM
843 { if (insert_id(yytext,0)) return -1; }
Dan Walshd72a9ec2011-04-12 09:54:46 -0400[diff] [blame]844 | IDENTIFIER
845 { if (insert_id(yytext,0)) return -1; }
846 ;
Eric Parisfdeecca2011-11-02 13:03:59 -0400[diff] [blame]847path : PATH
848 { if (insert_id(yytext,0)) return -1; }
Daniel De Graafaab2d9f2015-03-17 16:43:22 -0400[diff] [blame]849 | QPATH
850 { yytext[strlen(yytext) - 1] = '\0'; if (insert_id(yytext + 1,0)) return -1; }
Eric Parisfdeecca2011-11-02 13:03:59 -0400[diff] [blame]851 ;
852filename : FILENAME
853 { yytext[strlen(yytext) - 1] = '\0'; if (insert_id(yytext + 1,0)) return -1; }
854 ;
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]855number : NUMBER
856 { $$ = strtoul(yytext,NULL,0); }
857 ;
Daniel De Graaf82030de2015-03-17 16:43:23 -0400[diff] [blame]858number64 : NUMBER
859 { $$ = strtoull(yytext,NULL,0); }
860 ;
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]861ipv6_addr : IPV6_ADDR
862 { if (insert_id(yytext,0)) return -1; }
863 ;
864policycap_def : POLICYCAP identifier ';'
865 {if (define_polcap()) return -1;}
866 ;
867permissive_def : PERMISSIVE identifier ';'
868 {if (define_permissive()) return -1;}
869
870/*********** module grammar below ***********/
871
872module_policy : module_def avrules_block
873 { if (end_avrule_block(pass) == -1) return -1;
874 if (policydb_index_others(NULL, policydbp, 0)) return -1;
875 }
876 ;
877module_def : MODULE identifier version_identifier ';'
878 { if (define_policy(pass, 1) == -1) return -1; }
879 ;
880version_identifier : VERSION_IDENTIFIER
881 { if (insert_id(yytext,0)) return -1; }
Daniel J Walshc61b6932011-04-29 15:41:16 -0400[diff] [blame]882 | number
883 { if (insert_id(yytext,0)) return -1; }
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]884 | ipv4_addr_def /* version can look like ipv4 address */
885 ;
886avrules_block : avrule_decls avrule_user_defs
887 ;
888avrule_decls : avrule_decls avrule_decl
889 | avrule_decl
890 ;
891avrule_decl : rbac_decl
892 | te_decl
893 | cond_stmt_def
894 | require_block
895 | optional_block
896 | ';'
897 ;
898require_block : REQUIRE '{' require_list '}'
899 ;
900require_list : require_list require_decl
901 | require_decl
902 ;
903require_decl : require_class ';'
904 | require_decl_def require_id_list ';'
905 ;
906require_class : CLASS identifier names
907 { if (require_class(pass)) return -1; }
908 ;
909require_decl_def : ROLE { $$ = require_role; }
910 | TYPE { $$ = require_type; }
911 | ATTRIBUTE { $$ = require_attribute; }
Harry Ciao16675b72011-07-25 09:23:54 +0800[diff] [blame]912 | ATTRIBUTE_ROLE { $$ = require_attribute_role; }
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]913 | USER { $$ = require_user; }
914 | BOOL { $$ = require_bool; }
Harry Ciao80f26c52011-09-01 11:29:41 +0800[diff] [blame]915 | TUNABLE { $$ = require_tunable; }
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]916 | SENSITIVITY { $$ = require_sens; }
917 | CATEGORY { $$ = require_cat; }
918 ;
919require_id_list : identifier
920 { if ($<require_func>0 (pass)) return -1; }
921 | require_id_list ',' identifier
922 { if ($<require_func>0 (pass)) return -1; }
923 ;
924optional_block : optional_decl '{' avrules_block '}'
925 { if (end_avrule_block(pass) == -1) return -1; }
926 optional_else
927 { if (end_optional(pass) == -1) return -1; }
928 ;
929optional_else : else_decl '{' avrules_block '}'
930 { if (end_avrule_block(pass) == -1) return -1; }
931 | /* empty */
932 ;
933optional_decl : OPTIONAL
934 { if (begin_optional(pass) == -1) return -1; }
935 ;
936else_decl : ELSE
937 { if (begin_optional_else(pass) == -1) return -1; }
938 ;
939avrule_user_defs : user_def avrule_user_defs
940 | /* empty */
941 ;