# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
#
# Copyright (C) 2006-2007 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2 only
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# OVERVIEW
#
#
# This is a parser for the refpolicy policy "language" - i.e., the
# normal SELinux policy language plus the refpolicy style M4 macro
# constructs on top of that base language. This parser is primarily
# aimed at parsing the policy headers in order to create an abstract
# policy representation suitable for generating policy.
#
# Both the lexer and parser are included in this file. The are implemented
# using the Ply library (included with sepolgen).
import sys
import os
import re
import traceback
from . import access
from . import defaults
from . import lex
from . import refpolicy
from . import yacc
# :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
#
# lexer
#
# :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
tokens = (
# basic tokens, punctuation
'TICK',
'SQUOTE',
'OBRACE',
'CBRACE',
'SEMI',
'COLON',
'OPAREN',
'CPAREN',
'COMMA',
'MINUS',
'TILDE',
'ASTERISK',
'AMP',
'BAR',
'EXPL',
'EQUAL',
'FILENAME',
'IDENTIFIER',
'NUMBER',
'PATH',
'IPV6_ADDR',
# reserved words
# module
'MODULE',
'POLICY_MODULE',
'REQUIRE',
# flask
'SID',
'GENFSCON',
'FS_USE_XATTR',
'FS_USE_TRANS',
'FS_USE_TASK',
'PORTCON',
'NODECON',
'NETIFCON',
'PIRQCON',
'IOMEMCON',
'IOPORTCON',
'PCIDEVICECON',
'DEVICETREECON',
# object classes
'CLASS',
# types and attributes
'TYPEATTRIBUTE',
'ROLEATTRIBUTE',
'TYPE',
'ATTRIBUTE',
'ATTRIBUTE_ROLE',
'ALIAS',
'TYPEALIAS',
# conditional policy
'BOOL',
'TRUE',
'FALSE',
'IF',
'ELSE',
# users and roles
'ROLE',
'TYPES',
# rules
'ALLOW',
'DONTAUDIT',
'AUDITALLOW',
'NEVERALLOW',
'PERMISSIVE',
'TYPE_TRANSITION',
'TYPE_CHANGE',
'TYPE_MEMBER',
'RANGE_TRANSITION',
'ROLE_TRANSITION',
# refpolicy keywords
'OPT_POLICY',
'INTERFACE',
'TUNABLE_POLICY',
'GEN_REQ',
'TEMPLATE',
'GEN_CONTEXT',
# m4
'IFELSE',
'IFDEF',
'IFNDEF',
'DEFINE'
)
# All reserved keywords - see t_IDENTIFIER for how these are matched in
# the lexer.
reserved = {
# module
'module' : 'MODULE',
'policy_module' : 'POLICY_MODULE',
'require' : 'REQUIRE',
# flask
'sid' : 'SID',
'genfscon' : 'GENFSCON',
'fs_use_xattr' : 'FS_USE_XATTR',
'fs_use_trans' : 'FS_USE_TRANS',
'fs_use_task' : 'FS_USE_TASK',
'portcon' : 'PORTCON',
'nodecon' : 'NODECON',
'netifcon' : 'NETIFCON',
'pirqcon' : 'PIRQCON',
'iomemcon' : 'IOMEMCON',
'ioportcon' : 'IOPORTCON',
'pcidevicecon' : 'PCIDEVICECON',
'devicetreecon' : 'DEVICETREECON',
# object classes
'class' : 'CLASS',
# types and attributes
'typeattribute' : 'TYPEATTRIBUTE',
'roleattribute' : 'ROLEATTRIBUTE',
'type' : 'TYPE',
'attribute' : 'ATTRIBUTE',
'attribute_role' : 'ATTRIBUTE_ROLE',
'alias' : 'ALIAS',
'typealias' : 'TYPEALIAS',
# conditional policy
'bool' : 'BOOL',
'true' : 'TRUE',
'false' : 'FALSE',
'if' : 'IF',
'else' : 'ELSE',
# users and roles
'role' : 'ROLE',
'types' : 'TYPES',
# rules
'allow' : 'ALLOW',
'dontaudit' : 'DONTAUDIT',
'auditallow' : 'AUDITALLOW',
'neverallow' : 'NEVERALLOW',
'permissive' : 'PERMISSIVE',
'type_transition' : 'TYPE_TRANSITION',
'type_change' : 'TYPE_CHANGE',
'type_member' : 'TYPE_MEMBER',
'range_transition' : 'RANGE_TRANSITION',
'role_transition' : 'ROLE_TRANSITION',
# refpolicy keywords
'optional_policy' : 'OPT_POLICY',
'interface' : 'INTERFACE',
'tunable_policy' : 'TUNABLE_POLICY',
'gen_require' : 'GEN_REQ',
'template' : 'TEMPLATE',
'gen_context' : 'GEN_CONTEXT',
# M4
'ifelse' : 'IFELSE',
'ifndef' : 'IFNDEF',
'ifdef' : 'IFDEF',
'define' : 'DEFINE'
}
# The ply lexer allows definition of tokens in 2 ways: regular expressions
# or functions.
# Simple regex tokens
t_TICK = r'\`'
t_SQUOTE = r'\''
t_OBRACE = r'\{'
t_CBRACE = r'\}'
# This will handle spurios extra ';' via the +
t_SEMI = r'\;+'
t_COLON = r'\:'
t_OPAREN = r'\('
t_CPAREN = r'\)'
t_COMMA = r'\,'
t_MINUS = r'\-'
t_TILDE = r'\~'
t_ASTERISK = r'\*'
t_AMP = r'\&'
t_BAR = r'\|'
t_EXPL = r'\!'
t_EQUAL = r'\='
t_NUMBER = r'[0-9\.]+'
t_PATH = r'/[a-zA-Z0-9)_\.\*/\$]*'
#t_IPV6_ADDR = r'[a-fA-F0-9]{0,4}:[a-fA-F0-9]{0,4}:([a-fA-F0-9]{0,4}:)*'
# Ignore whitespace - this is a special token for ply that more efficiently
# ignores uninteresting tokens.
t_ignore = " \t"
# More complex tokens
def t_IPV6_ADDR(t):
r'[a-fA-F0-9]{0,4}:[a-fA-F0-9]{0,4}:([a-fA-F0-9]|:)*'
# This is a function simply to force it sooner into
# the regex list
return t
def t_m4comment(t):
r'dnl.*\n'
# Ignore all comments
t.lexer.lineno += 1
def t_refpolicywarn1(t):
r'define.*refpolicywarn\(.*\n'
# Ignore refpolicywarn statements - they sometimes
# contain text that we can't parse.
t.skip(1)
def t_refpolicywarn(t):
r'refpolicywarn\(.*\n'
# Ignore refpolicywarn statements - they sometimes
# contain text that we can't parse.
t.lexer.lineno += 1
def t_IDENTIFIER(t):
r'[a-zA-Z_\$][a-zA-Z0-9_\-\+\.\$\*~]*'
# Handle any keywords
t.type = reserved.get(t.value,'IDENTIFIER')
return t
def t_FILENAME(t):
r'\"[a-zA-Z0-9_\-\+\.\$\*~ :]+\"'
# Handle any keywords
t.type = reserved.get(t.value,'FILENAME')
return t
def t_comment(t):
r'\#.*\n'
# Ignore all comments
t.lexer.lineno += 1
def t_error(t):
print("Illegal character '%s'" % t.value[0])
t.skip(1)
def t_newline(t):
r'\n+'
t.lexer.lineno += len(t.value)
# :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
#
# Parser
#
# :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
# Global data used during parsing - making it global is easier than
# passing the state through the parsing functions.
# m is the top-level data structure (stands for modules).
m = None
# error is either None (indicating no error) or a string error message.
error = None
parse_file = ""
# spt is the support macros (e.g., obj/perm sets) - it is an instance of
# refpolicy.SupportMacros and should always be present during parsing
# though it may not contain any macros.
spt = None
success = True
# utilities
def collect(stmts, parent, val=None):
if stmts is None:
return
for s in stmts:
if s is None:
continue
s.parent = parent
if val is not None:
parent.children.insert(0, (val, s))
else:
parent.children.insert(0, s)
def expand(ids, s):
for id in ids:
if spt.has_key(id):
s.update(spt.by_name(id))
else:
s.add(id)
# Top-level non-terminal
def p_statements(p):
'''statements : statement
| statements statement
| empty
'''
if len(p) == 2 and p[1]:
m.children.append(p[1])
elif len(p) > 2 and p[2]:
m.children.append(p[2])
def p_statement(p):
'''statement : interface
| template
| obj_perm_set
| policy
| policy_module_stmt
| module_stmt
'''
p[0] = p[1]
def p_empty(p):
'empty :'
pass
#
# Reference policy language constructs
#
# This is for the policy module statement (e.g., policy_module(foo,1.2.0)).
# We have a separate terminal for either the basic language module statement
# and interface calls to make it easier to identifier.
def p_policy_module_stmt(p):
'policy_module_stmt : POLICY_MODULE OPAREN IDENTIFIER COMMA NUMBER CPAREN'
m = refpolicy.ModuleDeclaration()
m.name = p[3]
m.version = p[5]
m.refpolicy = True
p[0] = m
def p_interface(p):
'''interface : INTERFACE OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN
'''
x = refpolicy.Interface(p[4])
collect(p[8], x)
p[0] = x
def p_template(p):
'''template : TEMPLATE OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN
| DEFINE OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN
'''
x = refpolicy.Template(p[4])
collect(p[8], x)
p[0] = x
def p_define(p):
'''define : DEFINE OPAREN TICK IDENTIFIER SQUOTE CPAREN'''
# This is for defining single M4 values (to be used later in ifdef statements).
# Example: define(`sulogin_no_pam'). We don't currently do anything with these
# but we should in the future when we correctly resolve ifdef statements.
p[0] = None
def p_interface_stmts(p):
'''interface_stmts : policy
| interface_stmts policy
| empty
'''
if len(p) == 2 and p[1]:
p[0] = p[1]
elif len(p) > 2:
if not p[1]:
if p[2]:
p[0] = p[2]
elif not p[2]:
p[0] = p[1]
else:
p[0] = p[1] + p[2]
def p_optional_policy(p):
'''optional_policy : OPT_POLICY OPAREN TICK interface_stmts SQUOTE CPAREN
| OPT_POLICY OPAREN TICK interface_stmts SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN
'''
o = refpolicy.OptionalPolicy()
collect(p[4], o, val=True)
if len(p) > 7:
collect(p[8], o, val=False)
p[0] = [o]
def p_tunable_policy(p):
'''tunable_policy : TUNABLE_POLICY OPAREN TICK cond_expr SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN
| TUNABLE_POLICY OPAREN TICK cond_expr SQUOTE COMMA TICK interface_stmts SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN
'''
x = refpolicy.TunablePolicy()
x.cond_expr = p[4]
collect(p[8], x, val=True)
if len(p) > 11:
collect(p[12], x, val=False)
p[0] = [x]
def p_ifelse(p):
'''ifelse : IFELSE OPAREN TICK IDENTIFIER SQUOTE COMMA COMMA TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
| IFELSE OPAREN TICK IDENTIFIER SQUOTE COMMA TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
| IFELSE OPAREN TICK IDENTIFIER SQUOTE COMMA TICK SQUOTE COMMA TICK interface_stmts SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
'''
# x = refpolicy.IfDef(p[4])
# v = True
# collect(p[8], x, val=v)
# if len(p) > 12:
# collect(p[12], x, val=False)
# p[0] = [x]
pass
def p_ifdef(p):
'''ifdef : IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
| IFNDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
| IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
'''
x = refpolicy.IfDef(p[4])
if p[1] == 'ifdef':
v = True
else:
v = False
collect(p[8], x, val=v)
if len(p) > 12:
collect(p[12], x, val=False)
p[0] = [x]
def p_interface_call(p):
'''interface_call : IDENTIFIER OPAREN interface_call_param_list CPAREN
| IDENTIFIER OPAREN CPAREN
| IDENTIFIER OPAREN interface_call_param_list CPAREN SEMI'''
# Allow spurious semi-colons at the end of interface calls
i = refpolicy.InterfaceCall(ifname=p[1])
if len(p) > 4:
i.args.extend(p[3])
p[0] = i
def p_interface_call_param(p):
'''interface_call_param : IDENTIFIER
| IDENTIFIER MINUS IDENTIFIER
| nested_id_set
| TRUE
| FALSE
| FILENAME
'''
# Intentionally let single identifiers pass through
# List means set, non-list identifier
if len(p) == 2:
p[0] = p[1]
else:
p[0] = [p[1], "-" + p[3]]
def p_interface_call_param_list(p):
'''interface_call_param_list : interface_call_param
| interface_call_param_list COMMA interface_call_param
'''
if len(p) == 2:
p[0] = [p[1]]
else:
p[0] = p[1] + [p[3]]
def p_obj_perm_set(p):
'obj_perm_set : DEFINE OPAREN TICK IDENTIFIER SQUOTE COMMA TICK names SQUOTE CPAREN'
s = refpolicy.ObjPermSet(p[4])
s.perms = p[8]
p[0] = s
#
# Basic SELinux policy language
#
def p_policy(p):
'''policy : policy_stmt
| optional_policy
| tunable_policy
| ifdef
| ifelse
| conditional
'''
p[0] = p[1]
def p_policy_stmt(p):
'''policy_stmt : gen_require
| avrule_def
| typerule_def
| typeattribute_def
| roleattribute_def
| interface_call
| role_def
| role_allow
| permissive
| type_def
| typealias_def
| attribute_def
| attribute_role_def
| range_transition_def
| role_transition_def
| bool
| define
| initial_sid
| genfscon
| fs_use
| portcon
| nodecon
| netifcon
| pirqcon
| iomemcon
| ioportcon
| pcidevicecon
| devicetreecon
'''
if p[1]:
p[0] = [p[1]]
def p_module_stmt(p):
'module_stmt : MODULE IDENTIFIER NUMBER SEMI'
m = refpolicy.ModuleDeclaration()
m.name = p[2]
m.version = p[3]
m.refpolicy = False
p[0] = m
def p_gen_require(p):
'''gen_require : GEN_REQ OPAREN TICK requires SQUOTE CPAREN
| REQUIRE OBRACE requires CBRACE'''
# We ignore the require statements - they are redundant data from our point-of-view.
# Checkmodule will verify them later anyway so we just assume that they match what
# is in the rest of the interface.
pass
def p_requires(p):
'''requires : require
| requires require
| ifdef
| requires ifdef
'''
pass
def p_require(p):
'''require : TYPE comma_list SEMI
| ROLE comma_list SEMI
| ATTRIBUTE comma_list SEMI
| ATTRIBUTE_ROLE comma_list SEMI
| CLASS comma_list SEMI
| BOOL comma_list SEMI
'''
pass
def p_security_context(p):
'''security_context : IDENTIFIER COLON IDENTIFIER COLON IDENTIFIER
| IDENTIFIER COLON IDENTIFIER COLON IDENTIFIER COLON mls_range_def'''
# This will likely need some updates to handle complex levels
s = refpolicy.SecurityContext()
s.user = p[1]
s.role = p[3]
s.type = p[5]
if len(p) > 6:
s.level = p[7]
p[0] = s
def p_gen_context(p):
'''gen_context : GEN_CONTEXT OPAREN security_context COMMA mls_range_def CPAREN
'''
# We actually store gen_context statements in a SecurityContext
# object - it knows how to output either a bare context or a
# gen_context statement.
s = p[3]
s.level = p[5]
p[0] = s
def p_context(p):
'''context : security_context
| gen_context
'''
p[0] = p[1]
def p_initial_sid(p):
'''initial_sid : SID IDENTIFIER context'''
s = refpolicy.InitialSid()
s.name = p[2]
s.context = p[3]
p[0] = s
def p_genfscon(p):
'''genfscon : GENFSCON IDENTIFIER PATH context'''
g = refpolicy.GenfsCon()
g.filesystem = p[2]
g.path = p[3]
g.context = p[4]
p[0] = g
def p_fs_use(p):
'''fs_use : FS_USE_XATTR IDENTIFIER context SEMI
| FS_USE_TASK IDENTIFIER context SEMI
| FS_USE_TRANS IDENTIFIER context SEMI
'''
f = refpolicy.FilesystemUse()
if p[1] == "fs_use_xattr":
f.type = refpolicy.FilesystemUse.XATTR
elif p[1] == "fs_use_task":
f.type = refpolicy.FilesystemUse.TASK
elif p[1] == "fs_use_trans":
f.type = refpolicy.FilesystemUse.TRANS
f.filesystem = p[2]
f.context = p[3]
p[0] = f
def p_portcon(p):
'''portcon : PORTCON IDENTIFIER NUMBER context
| PORTCON IDENTIFIER NUMBER MINUS NUMBER context'''
c = refpolicy.PortCon()
c.port_type = p[2]
if len(p) == 5:
c.port_number = p[3]
c.context = p[4]
else:
c.port_number = p[3] + "-" + p[4]
c.context = p[5]
p[0] = c
def p_nodecon(p):
'''nodecon : NODECON NUMBER NUMBER context
| NODECON IPV6_ADDR IPV6_ADDR context
'''
n = refpolicy.NodeCon()
n.start = p[2]
n.end = p[3]
n.context = p[4]
p[0] = n
def p_netifcon(p):
'netifcon : NETIFCON IDENTIFIER context context'
n = refpolicy.NetifCon()
n.interface = p[2]
n.interface_context = p[3]
n.packet_context = p[4]
p[0] = n
def p_pirqcon(p):
'pirqcon : PIRQCON NUMBER context'
c = refpolicy.PirqCon()
c.pirq_number = p[2]
c.context = p[3]
p[0] = c
def p_iomemcon(p):
'''iomemcon : IOMEMCON NUMBER context
| IOMEMCON NUMBER MINUS NUMBER context'''
c = refpolicy.IomemCon()
if len(p) == 4:
c.device_mem = p[2]
c.context = p[3]
else:
c.device_mem = p[2] + "-" + p[3]
c.context = p[4]
p[0] = c
def p_ioportcon(p):
'''ioportcon : IOPORTCON NUMBER context
| IOPORTCON NUMBER MINUS NUMBER context'''
c = refpolicy.IoportCon()
if len(p) == 4:
c.ioport = p[2]
c.context = p[3]
else:
c.ioport = p[2] + "-" + p[3]
c.context = p[4]
p[0] = c
def p_pcidevicecon(p):
'pcidevicecon : PCIDEVICECON NUMBER context'
c = refpolicy.PciDeviceCon()
c.device = p[2]
c.context = p[3]
p[0] = c
def p_devicetreecon(p):
'devicetreecon : DEVICETREECON NUMBER context'
c = refpolicy.DevicetTeeCon()
c.path = p[2]
c.context = p[3]
p[0] = c
def p_mls_range_def(p):
'''mls_range_def : mls_level_def MINUS mls_level_def
| mls_level_def
'''
p[0] = p[1]
if len(p) > 2:
p[0] = p[0] + "-" + p[3]
def p_mls_level_def(p):
'''mls_level_def : IDENTIFIER COLON comma_list
| IDENTIFIER
'''
p[0] = p[1]
if len(p) > 2:
p[0] = p[0] + ":" + ",".join(p[3])
def p_type_def(p):
'''type_def : TYPE IDENTIFIER COMMA comma_list SEMI
| TYPE IDENTIFIER SEMI
| TYPE IDENTIFIER ALIAS names SEMI
| TYPE IDENTIFIER ALIAS names COMMA comma_list SEMI
'''
t = refpolicy.Type(p[2])
if len(p) == 6:
if p[3] == ',':
t.attributes.update(p[4])
else:
t.aliases = p[4]
elif len(p) > 4:
t.aliases = p[4]
if len(p) == 8:
t.attributes.update(p[6])
p[0] = t
def p_attribute_def(p):
'attribute_def : ATTRIBUTE IDENTIFIER SEMI'
a = refpolicy.Attribute(p[2])
p[0] = a
def p_attribute_role_def(p):
'attribute_role_def : ATTRIBUTE_ROLE IDENTIFIER SEMI'
a = refpolicy.Attribute_Role(p[2])
p[0] = a
def p_typealias_def(p):
'typealias_def : TYPEALIAS IDENTIFIER ALIAS names SEMI'
t = refpolicy.TypeAlias()
t.type = p[2]
t.aliases = p[4]
p[0] = t
def p_role_def(p):
'''role_def : ROLE IDENTIFIER TYPES comma_list SEMI
| ROLE IDENTIFIER SEMI'''
r = refpolicy.Role()
r.role = p[2]
if len(p) > 4:
r.types.update(p[4])
p[0] = r
def p_role_allow(p):
'role_allow : ALLOW names names SEMI'
r = refpolicy.RoleAllow()
r.src_roles = p[2]
r.tgt_roles = p[3]
p[0] = r
def p_permissive(p):
'permissive : PERMISSIVE names SEMI'
t.skip(1)
def p_avrule_def(p):
'''avrule_def : ALLOW names names COLON names names SEMI
| DONTAUDIT names names COLON names names SEMI
| AUDITALLOW names names COLON names names SEMI
| NEVERALLOW names names COLON names names SEMI
'''
a = refpolicy.AVRule()
if p[1] == 'dontaudit':
a.rule_type = refpolicy.AVRule.DONTAUDIT
elif p[1] == 'auditallow':
a.rule_type = refpolicy.AVRule.AUDITALLOW
elif p[1] == 'neverallow':
a.rule_type = refpolicy.AVRule.NEVERALLOW
a.src_types = p[2]
a.tgt_types = p[3]
a.obj_classes = p[5]
a.perms = p[6]
p[0] = a
def p_typerule_def(p):
'''typerule_def : TYPE_TRANSITION names names COLON names IDENTIFIER SEMI
| TYPE_TRANSITION names names COLON names IDENTIFIER FILENAME SEMI
| TYPE_TRANSITION names names COLON names IDENTIFIER IDENTIFIER SEMI
| TYPE_CHANGE names names COLON names IDENTIFIER SEMI
| TYPE_MEMBER names names COLON names IDENTIFIER SEMI
'''
t = refpolicy.TypeRule()
if p[1] == 'type_change':
t.rule_type = refpolicy.TypeRule.TYPE_CHANGE
elif p[1] == 'type_member':
t.rule_type = refpolicy.TypeRule.TYPE_MEMBER
t.src_types = p[2]
t.tgt_types = p[3]
t.obj_classes = p[5]
t.dest_type = p[6]
t.file_name = p[7]
p[0] = t
def p_bool(p):
'''bool : BOOL IDENTIFIER TRUE SEMI
| BOOL IDENTIFIER FALSE SEMI'''
b = refpolicy.Bool()
b.name = p[2]
if p[3] == "true":
b.state = True
else:
b.state = False
p[0] = b
def p_conditional(p):
''' conditional : IF OPAREN cond_expr CPAREN OBRACE interface_stmts CBRACE
| IF OPAREN cond_expr CPAREN OBRACE interface_stmts CBRACE ELSE OBRACE interface_stmts CBRACE
'''
c = refpolicy.Conditional()
c.cond_expr = p[3]
collect(p[6], c, val=True)
if len(p) > 8:
collect(p[10], c, val=False)
p[0] = [c]
def p_typeattribute_def(p):
'''typeattribute_def : TYPEATTRIBUTE IDENTIFIER comma_list SEMI'''
t = refpolicy.TypeAttribute()
t.type = p[2]
t.attributes.update(p[3])
p[0] = t
def p_roleattribute_def(p):
'''roleattribute_def : ROLEATTRIBUTE IDENTIFIER comma_list SEMI'''
t = refpolicy.RoleAttribute()
t.role = p[2]
t.roleattributes.update(p[3])
p[0] = t
def p_range_transition_def(p):
'''range_transition_def : RANGE_TRANSITION names names COLON names mls_range_def SEMI
| RANGE_TRANSITION names names names SEMI'''
pass
def p_role_transition_def(p):
'''role_transition_def : ROLE_TRANSITION names names names SEMI'''
pass
def p_cond_expr(p):
'''cond_expr : IDENTIFIER
| EXPL cond_expr
| cond_expr AMP AMP cond_expr
| cond_expr BAR BAR cond_expr
| cond_expr EQUAL EQUAL cond_expr
| cond_expr EXPL EQUAL cond_expr
'''
l = len(p)
if l == 2:
p[0] = [p[1]]
elif l == 3:
p[0] = [p[1]] + p[2]
else:
p[0] = p[1] + [p[2] + p[3]] + p[4]
#
# Basic terminals
#
# Identifiers and lists of identifiers. These must
# be handled somewhat gracefully. Names returns an IdSet and care must
# be taken that this is _assigned_ to an object to correctly update
# all of the flags (as opposed to using update). The other terminals
# return list - this is to preserve ordering if it is important for
# parsing (for example, interface_call must retain the ordering). Other
# times the list should be used to update an IdSet.
def p_names(p):
'''names : identifier
| nested_id_set
| asterisk
| TILDE identifier
| TILDE nested_id_set
| IDENTIFIER MINUS IDENTIFIER
'''
s = refpolicy.IdSet()
if len(p) < 3:
expand(p[1], s)
elif len(p) == 3:
expand(p[2], s)
s.compliment = True
else:
expand([p[1]])
s.add("-" + p[3])
p[0] = s
def p_identifier(p):
'identifier : IDENTIFIER'
p[0] = [p[1]]
def p_asterisk(p):
'asterisk : ASTERISK'
p[0] = [p[1]]
def p_nested_id_set(p):
'''nested_id_set : OBRACE nested_id_list CBRACE
'''
p[0] = p[2]
def p_nested_id_list(p):
'''nested_id_list : nested_id_element
| nested_id_list nested_id_element
'''
if len(p) == 2:
p[0] = p[1]
else:
p[0] = p[1] + p[2]
def p_nested_id_element(p):
'''nested_id_element : identifier
| MINUS IDENTIFIER
| nested_id_set
'''
if len(p) == 2:
p[0] = p[1]
else:
# For now just leave the '-'
str = "-" + p[2]
p[0] = [str]
def p_comma_list(p):
'''comma_list : nested_id_list
| comma_list COMMA nested_id_list
'''
if len(p) > 2:
p[1] = p[1] + p[3]
p[0] = p[1]
def p_optional_semi(p):
'''optional_semi : SEMI
| empty'''
pass
#
# Interface to the parser
#
def p_error(tok):
global error, parse_file, success, parser
error = "%s: Syntax error on line %d %s [type=%s]" % (parse_file, tok.lineno, tok.value, tok.type)
print(error)
success = False
def prep_spt(spt):
if not spt:
return { }
map = {}
for x in spt:
map[x.name] = x
parser = None
lexer = None
def create_globals(module, support, debug):
global parser, lexer, m, spt
if not parser:
lexer = lex.lex()
parser = yacc.yacc(method="LALR", debug=debug, write_tables=0)
if module is not None:
m = module
else:
m = refpolicy.Module()
if not support:
spt = refpolicy.SupportMacros()
else:
spt = support
def parse(text, module=None, support=None, debug=False):
create_globals(module, support, debug)
global error, parser, lexer, success
lexer.lineno = 1
success = True
try:
parser.parse(text, debug=debug, lexer=lexer)
except Exception as e:
parser = None
lexer = None
error = "internal parser error: %s" % str(e) + "\n" + traceback.format_exc()
if not success:
# force the parser and lexer to be rebuilt - we have some problems otherwise
parser = None
msg = 'could not parse text: "%s"' % error
raise ValueError(msg)
return m
def list_headers(root):
modules = []
support_macros = None
for dirpath, dirnames, filenames in os.walk(root):
for name in filenames:
modname = os.path.splitext(name)
filename = os.path.join(dirpath, name)
if modname[1] == '.spt':
if name == "obj_perm_sets.spt":
support_macros = filename
elif len(re.findall("patterns", modname[0])):
modules.append((modname[0], filename))
elif modname[1] == '.if':
modules.append((modname[0], filename))
return (modules, support_macros)
def parse_headers(root, output=None, expand=True, debug=False):
from . import util
headers = refpolicy.Headers()
modules = []
support_macros = None
if os.path.isfile(root):
name = os.path.split(root)[1]
if name == '':
raise ValueError("Invalid file name %s" % root)
modname = os.path.splitext(name)
modules.append((modname[0], root))
all_modules, support_macros = list_headers(defaults.headers())
else:
modules, support_macros = list_headers(root)
if expand and not support_macros:
raise ValueError("could not find support macros (obj_perm_sets.spt)")
def o(msg):
if output:
output.write(msg)
def parse_file(f, module, spt=None):
global parse_file
if debug:
o("parsing file %s\n" % f)
try:
fd = open(f)
txt = fd.read()
fd.close()
parse_file = f
parse(txt, module, spt, debug)
except IOError as e:
return
except ValueError as e:
raise ValueError("error parsing file %s: %s" % (f, str(e)))
spt = None
if support_macros:
o("Parsing support macros (%s): " % support_macros)
spt = refpolicy.SupportMacros()
parse_file(support_macros, spt)
headers.children.append(spt)
# FIXME: Total hack - add in can_exec rather than parse the insanity
# of misc_macros. We are just going to pretend that this is an interface
# to make the expansion work correctly.
can_exec = refpolicy.Interface("can_exec")
av = access.AccessVector(["$1","$2","file","execute_no_trans","open", "read",
"getattr","lock","execute","ioctl"])
can_exec.children.append(refpolicy.AVRule(av))
headers.children.append(can_exec)
o("done.\n")
if output and not debug:
status = util.ConsoleProgressBar(sys.stdout, steps=len(modules))
status.start("Parsing interface files")
failures = []
for x in modules:
m = refpolicy.Module()
m.name = x[0]
try:
if expand:
parse_file(x[1], m, spt)
else:
parse_file(x[1], m)
except ValueError as e:
o(str(e) + "\n")
failures.append(x[1])
continue
headers.children.append(m)
if output and not debug:
status.step()
if len(failures):
o("failed to parse some headers: %s" % ", ".join(failures))
return headers