2
* Author : Stephen Smalley, <sds@epoch.ncsc.mil>
6
* Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
8
* Support for enhanced MLS infrastructure.
10
* Updated: David Caplan, <dac@tresys.com>
12
* Added conditional policy language extensions
14
* Updated: Joshua Brindle <jbrindle@tresys.com>
15
* Karl MacMillan <kmacmillan@mentalrootkit.com>
16
* Jason Tang <jtang@tresys.com>
18
* Added support for binary policy modules
20
* Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
21
* Copyright (C) 2003 - 2008 Tresys Technology, LLC
22
* Copyright (C) 2007 Red Hat Inc.
23
* This program is free software; you can redistribute it and/or modify
24
* it under the terms of the GNU General Public License as published by
25
* the Free Software Foundation, version 2.
30
#include <sys/types.h>
37
#include <sys/socket.h>
38
#include <netinet/in.h>
39
#include <arpa/inet.h>
42
#include <sepol/policydb/expand.h>
43
#include <sepol/policydb/policydb.h>
44
#include <sepol/policydb/services.h>
45
#include <sepol/policydb/conditional.h>
46
#include <sepol/policydb/flask.h>
47
#include <sepol/policydb/hierarchy.h>
48
#include <sepol/policydb/polcaps.h>
50
#include "checkpolicy.h"
51
#include "module_compiler.h"
52
#include "policy_define.h"
54
policydb_t *policydbp;
60
extern unsigned long policydb_lineno;
61
extern unsigned long source_lineno;
62
extern unsigned int policydb_errors;
64
extern int yywarn(char *msg);
65
extern int yyerror(char *msg);
67
#define ERRORMSG_LEN 255
68
static char errormsg[ERRORMSG_LEN + 1] = {0};
70
static int id_has_dot(char *id);
71
static int parse_security_context(context_struct_t *c);
73
/* initialize all of the state variables for the scanner/parser */
74
void init_parser(int pass_number)
82
void yyerror2(char *fmt, ...)
86
vsnprintf(errormsg, ERRORMSG_LEN, fmt, ap);
91
int insert_separator(int push)
96
error = queue_push(id_queue, 0);
98
error = queue_insert(id_queue, 0);
101
yyerror("queue overflow");
107
int insert_id(char *id, int push)
112
newid = (char *)malloc(strlen(id) + 1);
114
yyerror("out of memory");
119
error = queue_push(id_queue, (queue_element_t) newid);
121
error = queue_insert(id_queue, (queue_element_t) newid);
124
yyerror("queue overflow");
131
/* If the identifier has a dot within it and that its first character
132
is not a dot then return 1, else return 0. */
133
static int id_has_dot(char *id)
135
if (strchr(id, '.') >= id + 1) {
141
int define_class(void)
144
class_datum_t *datum = 0;
149
id = queue_remove(id_queue);
154
id = (char *)queue_remove(id_queue);
156
yyerror("no class name for class definition?");
159
datum = (class_datum_t *) malloc(sizeof(class_datum_t));
161
yyerror("out of memory");
164
memset(datum, 0, sizeof(class_datum_t));
165
ret = declare_symbol(SYM_CLASSES, id, datum, &value, &value);
168
yyerror("Out of memory!");
172
yyerror2("duplicate declaration of class %s", id);
176
yyerror("could not declare class here");
184
assert(0); /* should never get here */
187
datum->s.value = value;
198
int define_permissive(void)
201
struct type_datum *t;
204
type = queue_remove(id_queue);
207
yyerror2("forgot to include type in permissive definition?");
215
if (!is_id_in_scope(SYM_TYPES, type)) {
216
yyerror2("type %s is not within scope", type);
221
t = hashtab_search(policydbp->p_types.table, type);
223
yyerror2("type is not defined: %s", type);
228
if (t->flavor == TYPE_ATTRIB) {
229
yyerror2("attributes may not be permissive: %s\n", type);
234
t->flags |= TYPE_FLAGS_PERMISSIVE;
241
int define_polcap(void)
247
id = queue_remove(id_queue);
252
id = (char *)queue_remove(id_queue);
254
yyerror("no capability name for policycap definition?");
258
/* Check for valid cap name -> number mapping */
259
capnum = sepol_polcap_getnum(id);
261
yyerror2("invalid policy capability name %s", id);
266
if (ebitmap_set_bit(&policydbp->policycaps, capnum, TRUE)) {
267
yyerror("out of memory");
279
int define_initial_sid(void)
282
ocontext_t *newc = 0, *c, *head;
285
id = queue_remove(id_queue);
290
id = (char *)queue_remove(id_queue);
292
yyerror("no sid name for SID definition?");
295
newc = (ocontext_t *) malloc(sizeof(ocontext_t));
297
yyerror("out of memory");
300
memset(newc, 0, sizeof(ocontext_t));
302
context_init(&newc->context[0]);
303
head = policydbp->ocontexts[OCON_ISID];
305
for (c = head; c; c = c->next) {
306
if (!strcmp(newc->u.name, c->u.name)) {
307
yyerror2("duplicate initial SID %s", id);
313
newc->sid[0] = head->sid[0] + 1;
318
policydbp->ocontexts[OCON_ISID] = newc;
330
int define_common_perms(void)
332
char *id = 0, *perm = 0;
333
common_datum_t *comdatum = 0;
334
perm_datum_t *perdatum = 0;
338
while ((id = queue_remove(id_queue)))
343
id = (char *)queue_remove(id_queue);
345
yyerror("no common name for common perm definition?");
348
comdatum = hashtab_search(policydbp->p_commons.table, id);
350
yyerror2("duplicate declaration for common %s\n", id);
353
comdatum = (common_datum_t *) malloc(sizeof(common_datum_t));
355
yyerror("out of memory");
358
memset(comdatum, 0, sizeof(common_datum_t));
359
ret = hashtab_insert(policydbp->p_commons.table,
360
(hashtab_key_t) id, (hashtab_datum_t) comdatum);
362
if (ret == SEPOL_EEXIST) {
363
yyerror("duplicate common definition");
366
if (ret == SEPOL_ENOMEM) {
367
yyerror("hash table overflow");
370
comdatum->s.value = policydbp->p_commons.nprim + 1;
371
if (symtab_init(&comdatum->permissions, PERM_SYMTAB_SIZE)) {
372
yyerror("out of memory");
375
policydbp->p_commons.nprim++;
376
while ((perm = queue_remove(id_queue))) {
377
perdatum = (perm_datum_t *) malloc(sizeof(perm_datum_t));
379
yyerror("out of memory");
382
memset(perdatum, 0, sizeof(perm_datum_t));
383
perdatum->s.value = comdatum->permissions.nprim + 1;
385
if (perdatum->s.value > (sizeof(sepol_access_vector_t) * 8)) {
387
("too many permissions to fit in an access vector");
390
ret = hashtab_insert(comdatum->permissions.table,
391
(hashtab_key_t) perm,
392
(hashtab_datum_t) perdatum);
394
if (ret == SEPOL_EEXIST) {
395
yyerror2("duplicate permission %s in common %s", perm,
399
if (ret == SEPOL_ENOMEM) {
400
yyerror("hash table overflow");
403
comdatum->permissions.nprim++;
423
int define_av_perms(int inherits)
426
class_datum_t *cladatum;
427
common_datum_t *comdatum;
428
perm_datum_t *perdatum = 0, *perdatum2 = 0;
432
while ((id = queue_remove(id_queue)))
437
id = (char *)queue_remove(id_queue);
439
yyerror("no tclass name for av perm definition?");
442
cladatum = (class_datum_t *) hashtab_search(policydbp->p_classes.table,
445
yyerror2("class %s is not defined", id);
450
if (cladatum->comdatum || cladatum->permissions.nprim) {
451
yyerror("duplicate access vector definition");
454
if (symtab_init(&cladatum->permissions, PERM_SYMTAB_SIZE)) {
455
yyerror("out of memory");
459
id = (char *)queue_remove(id_queue);
462
("no inherits name for access vector definition?");
466
(common_datum_t *) hashtab_search(policydbp->p_commons.
471
yyerror2("common %s is not defined", id);
474
cladatum->comkey = id;
475
cladatum->comdatum = comdatum;
478
* Class-specific permissions start with values
479
* after the last common permission.
481
cladatum->permissions.nprim += comdatum->permissions.nprim;
483
while ((id = queue_remove(id_queue))) {
484
perdatum = (perm_datum_t *) malloc(sizeof(perm_datum_t));
486
yyerror("out of memory");
489
memset(perdatum, 0, sizeof(perm_datum_t));
490
perdatum->s.value = ++cladatum->permissions.nprim;
492
if (perdatum->s.value > (sizeof(sepol_access_vector_t) * 8)) {
494
("too many permissions to fit in an access vector");
499
* Class-specific permissions and
500
* common permissions exist in the same
504
(perm_datum_t *) hashtab_search(cladatum->comdatum->
508
yyerror2("permission %s conflicts with an "
509
"inherited permission", id);
513
ret = hashtab_insert(cladatum->permissions.table,
515
(hashtab_datum_t) perdatum);
517
if (ret == SEPOL_EEXIST) {
518
yyerror2("duplicate permission %s", id);
521
if (ret == SEPOL_ENOMEM) {
522
yyerror("hash table overflow");
525
if (add_perm_to_class(perdatum->s.value, cladatum->s.value)) {
526
yyerror("out of memory");
541
int define_sens(void)
544
mls_level_t *level = 0;
545
level_datum_t *datum = 0, *aliasdatum = 0;
547
uint32_t value; /* dummy variable -- its value is never used */
550
yyerror("sensitivity definition in non-MLS configuration");
555
while ((id = queue_remove(id_queue)))
560
id = (char *)queue_remove(id_queue);
562
yyerror("no sensitivity name for sensitivity definition?");
565
if (id_has_dot(id)) {
566
yyerror("sensitivity identifiers may not contain periods");
569
level = (mls_level_t *) malloc(sizeof(mls_level_t));
571
yyerror("out of memory");
574
mls_level_init(level);
575
level->sens = 0; /* actual value set in define_dominance */
576
ebitmap_init(&level->cat); /* actual value set in define_level */
578
datum = (level_datum_t *) malloc(sizeof(level_datum_t));
580
yyerror("out of memory");
583
level_datum_init(datum);
584
datum->isalias = FALSE;
585
datum->level = level;
587
ret = declare_symbol(SYM_LEVELS, id, datum, &value, &value);
590
yyerror("Out of memory!");
594
yyerror("duplicate declaration of sensitivity level");
598
yyerror("could not declare sensitivity level here");
606
assert(0); /* should never get here */
610
while ((id = queue_remove(id_queue))) {
611
if (id_has_dot(id)) {
612
yyerror("sensitivity aliases may not contain periods");
615
aliasdatum = (level_datum_t *) malloc(sizeof(level_datum_t));
617
yyerror("out of memory");
620
level_datum_init(aliasdatum);
621
aliasdatum->isalias = TRUE;
622
aliasdatum->level = level;
624
ret = declare_symbol(SYM_LEVELS, id, aliasdatum, NULL, &value);
627
yyerror("Out of memory!");
632
("duplicate declaration of sensitivity alias");
637
("could not declare sensitivity alias here");
645
assert(0); /* should never get here */
658
level_datum_destroy(datum);
667
level_datum_destroy(aliasdatum);
673
int define_dominance(void)
675
level_datum_t *datum;
680
yyerror("dominance definition in non-MLS configuration");
685
while ((id = queue_remove(id_queue)))
691
while ((id = (char *)queue_remove(id_queue))) {
693
(level_datum_t *) hashtab_search(policydbp->p_levels.table,
696
yyerror2("unknown sensitivity %s used in dominance "
701
if (datum->level->sens != 0) {
702
yyerror2("sensitivity %s occurs multiply in dominance "
707
datum->level->sens = ++order;
709
/* no need to keep sensitivity name */
713
if (order != policydbp->p_levels.nprim) {
715
("all sensitivities must be specified in dominance definition");
721
int define_category(void)
724
cat_datum_t *datum = 0, *aliasdatum = 0;
729
yyerror("category definition in non-MLS configuration");
734
while ((id = queue_remove(id_queue)))
739
id = (char *)queue_remove(id_queue);
741
yyerror("no category name for category definition?");
744
if (id_has_dot(id)) {
745
yyerror("category identifiers may not contain periods");
748
datum = (cat_datum_t *) malloc(sizeof(cat_datum_t));
750
yyerror("out of memory");
753
cat_datum_init(datum);
754
datum->isalias = FALSE;
756
ret = declare_symbol(SYM_CATS, id, datum, &value, &value);
759
yyerror("Out of memory!");
763
yyerror("duplicate declaration of category");
767
yyerror("could not declare category here");
775
assert(0); /* should never get here */
778
datum->s.value = value;
780
while ((id = queue_remove(id_queue))) {
781
if (id_has_dot(id)) {
782
yyerror("category aliases may not contain periods");
785
aliasdatum = (cat_datum_t *) malloc(sizeof(cat_datum_t));
787
yyerror("out of memory");
790
cat_datum_init(aliasdatum);
791
aliasdatum->isalias = TRUE;
792
aliasdatum->s.value = datum->s.value;
795
declare_symbol(SYM_CATS, id, aliasdatum, NULL,
799
yyerror("Out of memory!");
804
("duplicate declaration of category aliases");
809
("could not declare category aliases here");
817
assert(0); /* should never get here */
828
cat_datum_destroy(datum);
837
cat_datum_destroy(aliasdatum);
843
static int clone_level(hashtab_key_t key, hashtab_datum_t datum, void *arg)
845
level_datum_t *levdatum = (level_datum_t *) datum;
846
mls_level_t *level = (mls_level_t *) arg, *newlevel;
848
if (levdatum->level == level) {
849
levdatum->defined = 1;
850
if (!levdatum->isalias)
852
newlevel = (mls_level_t *) malloc(sizeof(mls_level_t));
855
if (mls_level_cpy(newlevel, level)) {
859
levdatum->level = newlevel;
864
int define_level(void)
867
level_datum_t *levdatum;
870
yyerror("level definition in non-MLS configuration");
875
while ((id = queue_remove(id_queue)))
880
id = (char *)queue_remove(id_queue);
882
yyerror("no level name for level definition?");
885
levdatum = (level_datum_t *) hashtab_search(policydbp->p_levels.table,
888
yyerror2("unknown sensitivity %s used in level definition", id);
892
if (ebitmap_length(&levdatum->level->cat)) {
893
yyerror2("sensitivity %s used in multiple level definitions",
900
levdatum->defined = 1;
902
while ((id = queue_remove(id_queue))) {
904
int range_start, range_end, i;
906
if (id_has_dot(id)) {
908
char *id_end = strchr(id, '.');
913
(cat_datum_t *) hashtab_search(policydbp->p_cats.
918
yyerror2("unknown category %s", id_start);
922
range_start = cdatum->s.value - 1;
924
(cat_datum_t *) hashtab_search(policydbp->p_cats.
929
yyerror2("unknown category %s", id_end);
933
range_end = cdatum->s.value - 1;
935
if (range_end < range_start) {
936
yyerror2("category range is invalid");
942
(cat_datum_t *) hashtab_search(policydbp->p_cats.
945
range_start = range_end = cdatum->s.value - 1;
948
for (i = range_start; i <= range_end; i++) {
949
if (ebitmap_set_bit(&levdatum->level->cat, i, TRUE)) {
950
yyerror("out of memory");
960
(policydbp->p_levels.table, clone_level, levdatum->level)) {
961
yyerror("out of memory");
968
int define_attrib(void)
971
free(queue_remove(id_queue));
975
if (declare_type(TRUE, TRUE) == NULL) {
981
static int add_aliases_to_type(type_datum_t * type)
984
type_datum_t *aliasdatum = NULL;
986
while ((id = queue_remove(id_queue))) {
987
if (id_has_dot(id)) {
990
("type alias identifiers may not contain periods");
993
aliasdatum = (type_datum_t *) malloc(sizeof(type_datum_t));
996
yyerror("Out of memory!");
999
memset(aliasdatum, 0, sizeof(type_datum_t));
1000
aliasdatum->s.value = type->s.value;
1002
ret = declare_symbol(SYM_TYPES, id, aliasdatum,
1003
NULL, &aliasdatum->s.value);
1006
yyerror("Out of memory!");
1010
yyerror2("duplicate declaration of alias %s",
1015
yyerror("could not declare alias here");
1023
assert(0); /* should never get here */
1030
type_datum_destroy(aliasdatum);
1035
int define_typealias(void)
1041
while ((id = queue_remove(id_queue)))
1046
id = (char *)queue_remove(id_queue);
1048
yyerror("no type name for typealias definition?");
1052
if (!is_id_in_scope(SYM_TYPES, id)) {
1053
yyerror2("type %s is not within scope", id);
1057
t = hashtab_search(policydbp->p_types.table, id);
1058
if (!t || t->flavor == TYPE_ATTRIB) {
1059
yyerror2("unknown type %s, or it was already declared as an "
1064
return add_aliases_to_type(t);
1067
int define_typeattribute(void)
1070
type_datum_t *t, *attr;
1073
while ((id = queue_remove(id_queue)))
1078
id = (char *)queue_remove(id_queue);
1080
yyerror("no type name for typeattribute definition?");
1084
if (!is_id_in_scope(SYM_TYPES, id)) {
1085
yyerror2("type %s is not within scope", id);
1089
t = hashtab_search(policydbp->p_types.table, id);
1090
if (!t || t->flavor == TYPE_ATTRIB) {
1091
yyerror2("unknown type %s", id);
1096
while ((id = queue_remove(id_queue))) {
1097
if (!is_id_in_scope(SYM_TYPES, id)) {
1098
yyerror2("attribute %s is not within scope", id);
1102
attr = hashtab_search(policydbp->p_types.table, id);
1104
/* treat it as a fatal error */
1105
yyerror2("attribute %s is not declared", id);
1110
if (attr->flavor != TYPE_ATTRIB) {
1111
yyerror2("%s is a type, not an attribute", id);
1116
if ((attr = get_local_type(id, attr->s.value, 1)) == NULL) {
1117
yyerror("Out of memory!");
1121
if (ebitmap_set_bit(&attr->types, (t->s.value - 1), TRUE)) {
1122
yyerror("out of memory");
1130
int define_type(int alias)
1133
type_datum_t *datum, *attr;
1137
while ((id = queue_remove(id_queue)))
1140
while ((id = queue_remove(id_queue)))
1146
if ((datum = declare_type(TRUE, FALSE)) == NULL) {
1151
if (add_aliases_to_type(datum) == -1) {
1156
while ((id = queue_remove(id_queue))) {
1157
if (!is_id_in_scope(SYM_TYPES, id)) {
1158
yyerror2("attribute %s is not within scope", id);
1162
attr = hashtab_search(policydbp->p_types.table, id);
1164
/* treat it as a fatal error */
1165
yyerror2("attribute %s is not declared", id);
1171
if (attr->flavor != TYPE_ATTRIB) {
1172
yyerror2("%s is a type, not an attribute", id);
1176
if ((attr = get_local_type(id, attr->s.value, 1)) == NULL) {
1177
yyerror("Out of memory!");
1181
if (ebitmap_set_bit(&attr->types, datum->s.value - 1, TRUE)) {
1182
yyerror("Out of memory");
1190
struct val_to_name {
1195
/* Adds a type, given by its textual name, to a typeset. If *add is
1196
0, then add the type to the negative set; otherwise if *add is 1
1197
then add it to the positive side. */
1198
static int set_types(type_set_t * set, char *id, int *add, char starallowed)
1202
if (strcmp(id, "*") == 0) {
1204
yyerror("* not allowed in this type of rule");
1207
/* set TYPE_STAR flag */
1208
set->flags = TYPE_STAR;
1214
if (strcmp(id, "~") == 0) {
1216
yyerror("~ not allowed in this type of rule");
1219
/* complement the set */
1220
set->flags = TYPE_COMP;
1226
if (strcmp(id, "-") == 0) {
1232
if (!is_id_in_scope(SYM_TYPES, id)) {
1233
yyerror2("type %s is not within scope", id);
1237
t = hashtab_search(policydbp->p_types.table, id);
1239
yyerror2("unknown type %s", id);
1245
if (ebitmap_set_bit(&set->negset, t->s.value - 1, TRUE))
1248
if (ebitmap_set_bit(&set->types, t->s.value - 1, TRUE))
1255
yyerror("Out of memory");
1260
int define_compute_type_helper(int which, avrule_t ** rule)
1263
type_datum_t *datum;
1264
class_datum_t *cladatum;
1266
ebitmap_node_t *node;
1268
class_perm_node_t *perm;
1271
avrule = malloc(sizeof(avrule_t));
1273
yyerror("out of memory");
1276
avrule_init(avrule);
1277
avrule->specified = which;
1278
avrule->line = policydb_lineno;
1280
while ((id = queue_remove(id_queue))) {
1281
if (set_types(&avrule->stypes, id, &add, 0))
1285
while ((id = queue_remove(id_queue))) {
1286
if (set_types(&avrule->ttypes, id, &add, 0))
1290
ebitmap_init(&tclasses);
1291
while ((id = queue_remove(id_queue))) {
1292
if (!is_id_in_scope(SYM_CLASSES, id)) {
1293
yyerror2("class %s is not within scope", id);
1297
cladatum = hashtab_search(policydbp->p_classes.table, id);
1299
yyerror2("unknown class %s", id);
1302
if (ebitmap_set_bit(&tclasses, cladatum->s.value - 1, TRUE)) {
1303
yyerror("Out of memory");
1309
id = (char *)queue_remove(id_queue);
1311
yyerror("no newtype?");
1314
if (!is_id_in_scope(SYM_TYPES, id)) {
1315
yyerror2("type %s is not within scope", id);
1319
datum = (type_datum_t *) hashtab_search(policydbp->p_types.table,
1320
(hashtab_key_t) id);
1321
if (!datum || datum->flavor == TYPE_ATTRIB) {
1322
yyerror2("unknown type %s", id);
1326
ebitmap_for_each_bit(&tclasses, node, i) {
1327
if (ebitmap_node_get_bit(node, i)) {
1328
perm = malloc(sizeof(class_perm_node_t));
1330
yyerror("out of memory");
1333
class_perm_node_init(perm);
1334
perm->class = i + 1;
1335
perm->data = datum->s.value;
1336
perm->next = avrule->perms;
1337
avrule->perms = perm;
1340
ebitmap_destroy(&tclasses);
1346
avrule_destroy(avrule);
1351
int define_compute_type(int which)
1357
while ((id = queue_remove(id_queue)))
1359
while ((id = queue_remove(id_queue)))
1361
while ((id = queue_remove(id_queue)))
1363
id = queue_remove(id_queue);
1368
if (define_compute_type_helper(which, &avrule))
1371
append_avrule(avrule);
1375
avrule_t *define_cond_compute_type(int which)
1381
while ((id = queue_remove(id_queue)))
1383
while ((id = queue_remove(id_queue)))
1385
while ((id = queue_remove(id_queue)))
1387
id = queue_remove(id_queue);
1389
return (avrule_t *) 1;
1392
if (define_compute_type_helper(which, &avrule))
1398
int define_bool(void)
1400
char *id, *bool_value;
1401
cond_bool_datum_t *datum;
1406
while ((id = queue_remove(id_queue)))
1411
id = (char *)queue_remove(id_queue);
1413
yyerror("no identifier for bool definition?");
1416
if (id_has_dot(id)) {
1418
yyerror("boolean identifiers may not contain periods");
1421
datum = (cond_bool_datum_t *) malloc(sizeof(cond_bool_datum_t));
1423
yyerror("out of memory");
1427
memset(datum, 0, sizeof(cond_bool_datum_t));
1428
ret = declare_symbol(SYM_BOOLS, id, datum, &value, &value);
1431
yyerror("Out of memory!");
1435
yyerror2("duplicate declaration of boolean %s", id);
1439
yyerror("could not declare boolean here");
1447
assert(0); /* should never get here */
1450
datum->s.value = value;
1452
bool_value = (char *)queue_remove(id_queue);
1454
yyerror("no default value for bool definition?");
1459
datum->state = (int)(bool_value[0] == 'T') ? 1 : 0;
1462
cond_destroy_bool(id, datum, NULL);
1466
avrule_t *define_cond_pol_list(avrule_t * avlist, avrule_t * sl)
1469
/* return something so we get through pass 1 */
1470
return (avrule_t *) 1;
1474
/* This is a require block, return previous list */
1478
/* prepend the new avlist to the pre-existing one */
1483
int define_te_avtab_helper(int which, avrule_t ** rule)
1486
class_datum_t *cladatum;
1487
perm_datum_t *perdatum = NULL;
1488
class_perm_node_t *perms, *tail = NULL, *cur_perms = NULL;
1490
ebitmap_node_t *node;
1493
int add = 1, ret = 0;
1496
avrule = (avrule_t *) malloc(sizeof(avrule_t));
1498
yyerror("memory error");
1502
avrule_init(avrule);
1503
avrule->specified = which;
1504
avrule->line = policydb_lineno;
1506
while ((id = queue_remove(id_queue))) {
1508
(&avrule->stypes, id, &add,
1509
which == AVRULE_NEVERALLOW ? 1 : 0)) {
1515
while ((id = queue_remove(id_queue))) {
1516
if (strcmp(id, "self") == 0) {
1518
avrule->flags |= RULE_SELF;
1522
(&avrule->ttypes, id, &add,
1523
which == AVRULE_NEVERALLOW ? 1 : 0)) {
1529
ebitmap_init(&tclasses);
1530
while ((id = queue_remove(id_queue))) {
1531
if (!is_id_in_scope(SYM_CLASSES, id)) {
1532
yyerror2("class %s is not within scope", id);
1536
cladatum = hashtab_search(policydbp->p_classes.table, id);
1538
yyerror2("unknown class %s used in rule", id);
1542
if (ebitmap_set_bit(&tclasses, cladatum->s.value - 1, TRUE)) {
1543
yyerror("Out of memory");
1551
ebitmap_for_each_bit(&tclasses, node, i) {
1552
if (!ebitmap_node_get_bit(node, i))
1555
(class_perm_node_t *) malloc(sizeof(class_perm_node_t));
1557
yyerror("out of memory");
1561
class_perm_node_init(cur_perms);
1562
cur_perms->class = i + 1;
1566
tail->next = cur_perms;
1570
while ((id = queue_remove(id_queue))) {
1572
ebitmap_for_each_bit(&tclasses, node, i) {
1573
if (!ebitmap_node_get_bit(node, i))
1575
cladatum = policydbp->class_val_to_struct[i];
1577
if (strcmp(id, "*") == 0) {
1578
/* set all permissions in the class */
1579
cur_perms->data = ~0U;
1583
if (strcmp(id, "~") == 0) {
1584
/* complement the set */
1585
if (which == AVRULE_DONTAUDIT)
1586
yywarn("dontaudit rule with a ~?");
1587
cur_perms->data = ~cur_perms->data;
1592
hashtab_search(cladatum->permissions.table, id);
1594
if (cladatum->comdatum) {
1596
hashtab_search(cladatum->comdatum->
1603
yyerror2("permission %s is not defined"
1604
" for class %s", id,
1605
policydbp->p_class_val_to_name[i]);
1608
if (!is_perm_in_scope
1609
(id, policydbp->p_class_val_to_name[i])) {
1611
yyerror2("permission %s of class %s is"
1612
" not within scope", id,
1613
policydbp->p_class_val_to_name[i]);
1617
cur_perms->data |= 1U << (perdatum->s.value - 1);
1620
cur_perms = cur_perms->next;
1626
ebitmap_destroy(&tclasses);
1628
avrule->perms = perms;
1636
avrule_t *define_cond_te_avtab(int which)
1643
for (i = 0; i < 4; i++) {
1644
while ((id = queue_remove(id_queue)))
1647
return (avrule_t *) 1; /* any non-NULL value */
1650
if (define_te_avtab_helper(which, &avrule))
1656
int define_te_avtab(int which)
1663
for (i = 0; i < 4; i++) {
1664
while ((id = queue_remove(id_queue)))
1670
if (define_te_avtab_helper(which, &avrule))
1673
/* append this avrule to the end of the current rules list */
1674
append_avrule(avrule);
1678
int define_role_types(void)
1685
while ((id = queue_remove(id_queue)))
1690
if ((role = declare_role()) == NULL) {
1693
while ((id = queue_remove(id_queue))) {
1694
if (set_types(&role->types, id, &add, 0))
1701
role_datum_t *merge_roles_dom(role_datum_t * r1, role_datum_t * r2)
1706
return (role_datum_t *) 1; /* any non-NULL value */
1709
new = malloc(sizeof(role_datum_t));
1711
yyerror("out of memory");
1714
memset(new, 0, sizeof(role_datum_t));
1715
new->s.value = 0; /* temporary role */
1716
if (ebitmap_or(&new->dominates, &r1->dominates, &r2->dominates)) {
1717
yyerror("out of memory");
1720
if (ebitmap_or(&new->types.types, &r1->types.types, &r2->types.types)) {
1721
yyerror("out of memory");
1725
/* free intermediate result */
1726
type_set_destroy(&r1->types);
1727
ebitmap_destroy(&r1->dominates);
1731
/* free intermediate result */
1732
yyerror("right hand role is temporary?");
1733
type_set_destroy(&r2->types);
1734
ebitmap_destroy(&r2->dominates);
1740
/* This function eliminates the ordering dependency of role dominance rule */
1741
static int dominate_role_recheck(hashtab_key_t key, hashtab_datum_t datum,
1744
role_datum_t *rdp = (role_datum_t *) arg;
1745
role_datum_t *rdatum = (role_datum_t *) datum;
1746
ebitmap_node_t *node;
1749
/* Don't bother to process against self role */
1750
if (rdatum->s.value == rdp->s.value)
1753
/* If a dominating role found */
1754
if (ebitmap_get_bit(&(rdatum->dominates), rdp->s.value - 1)) {
1756
ebitmap_init(&types);
1757
if (type_set_expand(&rdp->types, &types, policydbp, 1)) {
1758
ebitmap_destroy(&types);
1761
/* raise types and dominates from dominated role */
1762
ebitmap_for_each_bit(&rdp->dominates, node, i) {
1763
if (ebitmap_node_get_bit(node, i))
1765
(&rdatum->dominates, i, TRUE))
1768
ebitmap_for_each_bit(&types, node, i) {
1769
if (ebitmap_node_get_bit(node, i))
1771
(&rdatum->types.types, i, TRUE))
1774
ebitmap_destroy(&types);
1777
/* go through all the roles */
1780
yyerror("Out of memory");
1784
role_datum_t *define_role_dom(role_datum_t * r)
1788
ebitmap_node_t *node;
1793
role_id = queue_remove(id_queue);
1795
return (role_datum_t *) 1; /* any non-NULL value */
1798
yywarn("Role dominance has been deprecated");
1800
role_id = queue_remove(id_queue);
1801
if (!is_id_in_scope(SYM_ROLES, role_id)) {
1802
yyerror2("role %s is not within scope", role_id);
1806
role = (role_datum_t *) hashtab_search(policydbp->p_roles.table,
1809
role = (role_datum_t *) malloc(sizeof(role_datum_t));
1811
yyerror("out of memory");
1815
memset(role, 0, sizeof(role_datum_t));
1817
declare_symbol(SYM_ROLES, (hashtab_key_t) role_id,
1818
(hashtab_datum_t) role, &role->s.value,
1822
yyerror("Out of memory!");
1826
yyerror2("duplicate declaration of role %s",
1831
yyerror("could not declare role here");
1839
assert(0); /* should never get here */
1842
if (ebitmap_set_bit(&role->dominates, role->s.value - 1, TRUE)) {
1843
yyerror("Out of memory!");
1849
ebitmap_init(&types);
1850
ebitmap_for_each_bit(&r->dominates, node, i) {
1851
if (ebitmap_node_get_bit(node, i))
1852
if (ebitmap_set_bit(&role->dominates, i, TRUE))
1855
if (type_set_expand(&r->types, &types, policydbp, 1)) {
1856
ebitmap_destroy(&types);
1859
ebitmap_for_each_bit(&types, node, i) {
1860
if (ebitmap_node_get_bit(node, i))
1862
(&role->types.types, i, TRUE))
1865
ebitmap_destroy(&types);
1867
/* free intermediate result */
1868
type_set_destroy(&r->types);
1869
ebitmap_destroy(&r->dominates);
1873
* Now go through all the roles and escalate this role's
1874
* dominates and types if a role dominates this role.
1876
hashtab_map(policydbp->p_roles.table,
1877
dominate_role_recheck, role);
1882
role_datum_destroy(role);
1886
yyerror("Out of memory");
1890
static int role_val_to_name_helper(hashtab_key_t key, hashtab_datum_t datum,
1893
struct val_to_name *v = p;
1894
role_datum_t *roldatum;
1896
roldatum = (role_datum_t *) datum;
1898
if (v->val == roldatum->s.value) {
1906
static char *role_val_to_name(unsigned int val)
1908
struct val_to_name v;
1912
rc = hashtab_map(policydbp->p_roles.table, role_val_to_name_helper, &v);
1918
static int set_roles(role_set_t * set, char *id)
1922
if (strcmp(id, "*") == 0) {
1924
yyerror("* is not allowed for role sets");
1928
if (strcmp(id, "~") == 0) {
1930
yyerror("~ is not allowed for role sets");
1933
if (!is_id_in_scope(SYM_ROLES, id)) {
1934
yyerror2("role %s is not within scope", id);
1938
r = hashtab_search(policydbp->p_roles.table, id);
1940
yyerror2("unknown role %s", id);
1945
if (ebitmap_set_bit(&set->roles, r->s.value - 1, TRUE)) {
1946
yyerror("out of memory");
1954
int define_role_trans(void)
1960
ebitmap_t e_types, e_roles;
1961
ebitmap_node_t *tnode, *rnode;
1962
struct role_trans *tr = NULL;
1963
struct role_trans_rule *rule = NULL;
1968
while ((id = queue_remove(id_queue)))
1970
while ((id = queue_remove(id_queue)))
1972
id = queue_remove(id_queue);
1977
role_set_init(&roles);
1978
ebitmap_init(&e_roles);
1979
type_set_init(&types);
1980
ebitmap_init(&e_types);
1982
while ((id = queue_remove(id_queue))) {
1983
if (set_roles(&roles, id))
1987
while ((id = queue_remove(id_queue))) {
1988
if (set_types(&types, id, &add, 0))
1992
id = (char *)queue_remove(id_queue);
1994
yyerror("no new role in transition definition?");
1997
if (!is_id_in_scope(SYM_ROLES, id)) {
1998
yyerror2("role %s is not within scope", id);
2002
role = hashtab_search(policydbp->p_roles.table, id);
2004
yyerror2("unknown role %s used in transition definition", id);
2008
/* This ebitmap business is just to ensure that there are not conflicting role_trans rules */
2009
if (role_set_expand(&roles, &e_roles, policydbp, NULL))
2012
if (type_set_expand(&types, &e_types, policydbp, 1))
2015
ebitmap_for_each_bit(&e_roles, rnode, i) {
2016
if (!ebitmap_node_get_bit(rnode, i))
2018
ebitmap_for_each_bit(&e_types, tnode, j) {
2019
if (!ebitmap_node_get_bit(tnode, j))
2022
for (tr = policydbp->role_tr; tr; tr = tr->next) {
2023
if (tr->role == (i + 1) && tr->type == (j + 1)) {
2024
yyerror2("duplicate role transition for (%s,%s)",
2025
role_val_to_name(i + 1),
2026
policydbp->p_type_val_to_name[j]);
2031
tr = malloc(sizeof(struct role_trans));
2033
yyerror("out of memory");
2036
memset(tr, 0, sizeof(struct role_trans));
2039
tr->new_role = role->s.value;
2040
tr->next = policydbp->role_tr;
2041
policydbp->role_tr = tr;
2044
/* Now add the real rule */
2045
rule = malloc(sizeof(struct role_trans_rule));
2047
yyerror("out of memory");
2050
memset(rule, 0, sizeof(struct role_trans_rule));
2051
rule->roles = roles;
2052
rule->types = types;
2053
rule->new_role = role->s.value;
2055
append_role_trans(rule);
2057
ebitmap_destroy(&e_roles);
2058
ebitmap_destroy(&e_types);
2066
int define_role_allow(void)
2069
struct role_allow_rule *ra = 0;
2072
while ((id = queue_remove(id_queue)))
2074
while ((id = queue_remove(id_queue)))
2079
ra = malloc(sizeof(role_allow_rule_t));
2081
yyerror("out of memory");
2084
role_allow_rule_init(ra);
2086
while ((id = queue_remove(id_queue))) {
2087
if (set_roles(&ra->roles, id))
2091
while ((id = queue_remove(id_queue))) {
2092
if (set_roles(&ra->new_roles, id))
2096
append_role_allow(ra);
2100
static constraint_expr_t *constraint_expr_clone(constraint_expr_t * expr)
2102
constraint_expr_t *h = NULL, *l = NULL, *e, *newe;
2103
for (e = expr; e; e = e->next) {
2104
newe = malloc(sizeof(*newe));
2107
if (constraint_expr_init(newe) == -1) {
2116
newe->expr_type = e->expr_type;
2117
newe->attr = e->attr;
2119
if (newe->expr_type == CEXPR_NAMES) {
2120
if (newe->attr & CEXPR_TYPE) {
2122
(newe->type_names, e->type_names))
2125
if (ebitmap_cpy(&newe->names, &e->names))
2137
constraint_expr_destroy(l);
2142
int define_constraint(constraint_expr_t * expr)
2144
struct constraint_node *node;
2146
class_datum_t *cladatum;
2147
perm_datum_t *perdatum;
2149
ebitmap_node_t *enode;
2150
constraint_expr_t *e;
2153
unsigned char useexpr = 1;
2156
while ((id = queue_remove(id_queue)))
2158
while ((id = queue_remove(id_queue)))
2164
for (e = expr; e; e = e->next) {
2165
switch (e->expr_type) {
2168
yyerror("illegal constraint expression");
2175
yyerror("illegal constraint expression");
2182
if (e->attr & CEXPR_XTARGET) {
2183
yyerror("illegal constraint expression");
2184
return -1; /* only for validatetrans rules */
2186
if (depth == (CEXPR_MAXDEPTH - 1)) {
2187
yyerror("constraint expression is too deep");
2193
yyerror("illegal constraint expression");
2198
yyerror("illegal constraint expression");
2202
ebitmap_init(&classmap);
2203
while ((id = queue_remove(id_queue))) {
2204
if (!is_id_in_scope(SYM_CLASSES, id)) {
2205
yyerror2("class %s is not within scope", id);
2210
(class_datum_t *) hashtab_search(policydbp->p_classes.table,
2211
(hashtab_key_t) id);
2213
yyerror2("class %s is not defined", id);
2214
ebitmap_destroy(&classmap);
2218
if (ebitmap_set_bit(&classmap, cladatum->s.value - 1, TRUE)) {
2219
yyerror("out of memory");
2220
ebitmap_destroy(&classmap);
2224
node = malloc(sizeof(struct constraint_node));
2226
yyerror("out of memory");
2229
memset(node, 0, sizeof(constraint_node_t));
2234
node->expr = constraint_expr_clone(expr);
2237
yyerror("out of memory");
2240
node->permissions = 0;
2242
node->next = cladatum->constraints;
2243
cladatum->constraints = node;
2248
while ((id = queue_remove(id_queue))) {
2249
ebitmap_for_each_bit(&classmap, enode, i) {
2250
if (ebitmap_node_get_bit(enode, i)) {
2251
cladatum = policydbp->class_val_to_struct[i];
2252
node = cladatum->constraints;
2255
(perm_datum_t *) hashtab_search(cladatum->
2261
if (cladatum->comdatum) {
2264
hashtab_search(cladatum->
2272
yyerror2("permission %s is not"
2275
ebitmap_destroy(&classmap);
2279
node->permissions |=
2280
(1 << (perdatum->s.value - 1));
2286
ebitmap_destroy(&classmap);
2291
int define_validatetrans(constraint_expr_t * expr)
2293
struct constraint_node *node;
2295
class_datum_t *cladatum;
2297
constraint_expr_t *e;
2299
unsigned char useexpr = 1;
2302
while ((id = queue_remove(id_queue)))
2308
for (e = expr; e; e = e->next) {
2309
switch (e->expr_type) {
2312
yyerror("illegal validatetrans expression");
2319
yyerror("illegal validatetrans expression");
2326
if (depth == (CEXPR_MAXDEPTH - 1)) {
2327
yyerror("validatetrans expression is too deep");
2333
yyerror("illegal validatetrans expression");
2338
yyerror("illegal validatetrans expression");
2342
ebitmap_init(&classmap);
2343
while ((id = queue_remove(id_queue))) {
2344
if (!is_id_in_scope(SYM_CLASSES, id)) {
2345
yyerror2("class %s is not within scope", id);
2350
(class_datum_t *) hashtab_search(policydbp->p_classes.table,
2351
(hashtab_key_t) id);
2353
yyerror2("class %s is not defined", id);
2354
ebitmap_destroy(&classmap);
2358
if (ebitmap_set_bit(&classmap, (cladatum->s.value - 1), TRUE)) {
2359
yyerror("out of memory");
2360
ebitmap_destroy(&classmap);
2365
node = malloc(sizeof(struct constraint_node));
2367
yyerror("out of memory");
2370
memset(node, 0, sizeof(constraint_node_t));
2375
node->expr = constraint_expr_clone(expr);
2377
node->permissions = 0;
2379
node->next = cladatum->validatetrans;
2380
cladatum->validatetrans = node;
2385
ebitmap_destroy(&classmap);
2390
uintptr_t define_cexpr(uint32_t expr_type, uintptr_t arg1, uintptr_t arg2)
2392
struct constraint_expr *expr, *e1 = NULL, *e2;
2401
if (expr_type == CEXPR_NAMES) {
2402
while ((id = queue_remove(id_queue)))
2405
return 1; /* any non-NULL value */
2408
if ((expr = malloc(sizeof(*expr))) == NULL ||
2409
constraint_expr_init(expr) == -1) {
2410
yyerror("out of memory");
2414
expr->expr_type = expr_type;
2416
switch (expr_type) {
2419
e2 = (struct constraint_expr *)arg1;
2424
if (!e1 || e1->next) {
2425
yyerror("illegal constraint expression");
2426
constraint_expr_destroy(expr);
2434
e2 = (struct constraint_expr *)arg1;
2439
if (!e1 || e1->next) {
2440
yyerror("illegal constraint expression");
2441
constraint_expr_destroy(expr);
2444
e1->next = (struct constraint_expr *)arg2;
2447
e2 = (struct constraint_expr *)arg2;
2452
if (!e1 || e1->next) {
2453
yyerror("illegal constraint expression");
2454
constraint_expr_destroy(expr);
2462
return (uintptr_t) expr;
2467
ebitmap_init(&negset);
2468
while ((id = (char *)queue_remove(id_queue))) {
2469
if (expr->attr & CEXPR_USER) {
2470
if (!is_id_in_scope(SYM_USERS, id)) {
2471
yyerror2("user %s is not within scope",
2473
constraint_expr_destroy(expr);
2477
(user_datum_t *) hashtab_search(policydbp->
2483
yyerror2("unknown user %s", id);
2484
constraint_expr_destroy(expr);
2487
val = user->s.value;
2488
} else if (expr->attr & CEXPR_ROLE) {
2489
if (!is_id_in_scope(SYM_ROLES, id)) {
2490
yyerror2("role %s is not within scope",
2492
constraint_expr_destroy(expr);
2496
(role_datum_t *) hashtab_search(policydbp->
2502
yyerror2("unknown role %s", id);
2503
constraint_expr_destroy(expr);
2506
val = role->s.value;
2507
} else if (expr->attr & CEXPR_TYPE) {
2508
if (set_types(expr->type_names, id, &add, 0)) {
2509
constraint_expr_destroy(expr);
2514
yyerror("invalid constraint expression");
2515
constraint_expr_destroy(expr);
2518
if (ebitmap_set_bit(&expr->names, val - 1, TRUE)) {
2519
yyerror("out of memory");
2520
ebitmap_destroy(&expr->names);
2521
constraint_expr_destroy(expr);
2526
ebitmap_destroy(&negset);
2527
return (uintptr_t) expr;
2529
yyerror("invalid constraint expression");
2530
constraint_expr_destroy(expr);
2534
yyerror("invalid constraint expression");
2539
int define_conditional(cond_expr_t * expr, avrule_t * t, avrule_t * f)
2543
cond_node_t cn, *cn_old;
2545
/* expression cannot be NULL */
2547
yyerror("illegal conditional expression");
2552
/* empty is fine, destroy expression and return */
2553
cond_expr_destroy(expr);
2559
expr = define_cond_expr(COND_NOT, expr, 0);
2561
yyerror("unable to invert");
2566
/* verify expression */
2568
for (e = expr; e; e = e->next) {
2569
switch (e->expr_type) {
2573
("illegal conditional expression; Bad NOT");
2584
("illegal conditional expression; Bad binary op");
2590
if (depth == (COND_EXPR_MAXDEPTH - 1)) {
2592
("conditional expression is like totally too deep");
2598
yyerror("illegal conditional expression");
2603
yyerror("illegal conditional expression");
2607
/* use tmp conditional node to partially build new node */
2608
memset(&cn, 0, sizeof(cn));
2611
cn.avfalse_list = f;
2613
/* normalize/precompute expression */
2614
if (cond_normalize_expr(policydbp, &cn) < 0) {
2615
yyerror("problem normalizing conditional expression");
2619
/* get the existing conditional node, or create a new one */
2620
cn_old = get_current_cond_list(&cn);
2625
append_cond_list(&cn);
2627
/* note that there is no check here for duplicate rules, nor
2628
* check that rule already exists in base -- that will be
2629
* handled during conditional expansion, in expand.c */
2631
cn.avtrue_list = NULL;
2632
cn.avfalse_list = NULL;
2633
cond_node_destroy(&cn);
2638
cond_expr_t *define_cond_expr(uint32_t expr_type, void *arg1, void *arg2)
2640
struct cond_expr *expr, *e1 = NULL, *e2;
2641
cond_bool_datum_t *bool_var;
2644
/* expressions are handled in the second pass */
2646
if (expr_type == COND_BOOL) {
2647
while ((id = queue_remove(id_queue))) {
2651
return (cond_expr_t *) 1; /* any non-NULL value */
2654
/* create a new expression struct */
2655
expr = malloc(sizeof(struct cond_expr));
2657
yyerror("out of memory");
2660
memset(expr, 0, sizeof(cond_expr_t));
2661
expr->expr_type = expr_type;
2663
/* create the type asked for */
2664
switch (expr_type) {
2667
e2 = (struct cond_expr *)arg1;
2672
if (!e1 || e1->next) {
2673
yyerror("illegal conditional NOT expression");
2678
return (struct cond_expr *)arg1;
2685
e2 = (struct cond_expr *)arg1;
2690
if (!e1 || e1->next) {
2692
("illegal left side of conditional binary op expression");
2696
e1->next = (struct cond_expr *)arg2;
2699
e2 = (struct cond_expr *)arg2;
2704
if (!e1 || e1->next) {
2706
("illegal right side of conditional binary op expression");
2711
return (struct cond_expr *)arg1;
2713
id = (char *)queue_remove(id_queue);
2715
yyerror("bad conditional; expected boolean id");
2720
if (!is_id_in_scope(SYM_BOOLS, id)) {
2721
yyerror2("boolean %s is not within scope", id);
2727
(cond_bool_datum_t *) hashtab_search(policydbp->p_bools.
2729
(hashtab_key_t) id);
2731
yyerror2("unknown boolean %s in conditional expression",
2737
expr->bool = bool_var->s.value;
2741
yyerror("illegal conditional expression");
2746
static int set_user_roles(role_set_t * set, char *id)
2750
ebitmap_node_t *node;
2752
if (strcmp(id, "*") == 0) {
2754
yyerror("* is not allowed in user declarations");
2758
if (strcmp(id, "~") == 0) {
2760
yyerror("~ is not allowed in user declarations");
2764
if (!is_id_in_scope(SYM_ROLES, id)) {
2765
yyerror2("role %s is not within scope", id);
2769
r = hashtab_search(policydbp->p_roles.table, id);
2771
yyerror2("unknown role %s", id);
2776
/* set the role and every role it dominates */
2777
ebitmap_for_each_bit(&r->dominates, node, i) {
2778
if (ebitmap_node_get_bit(node, i))
2779
if (ebitmap_set_bit(&set->roles, i, TRUE))
2785
yyerror("out of memory");
2789
static int parse_categories(char *id, level_datum_t * levdatum, ebitmap_t * cats)
2791
cat_datum_t *cdatum;
2792
int range_start, range_end, i;
2794
if (id_has_dot(id)) {
2795
char *id_start = id;
2796
char *id_end = strchr(id, '.');
2800
cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table,
2804
yyerror2("unknown category %s", id_start);
2807
range_start = cdatum->s.value - 1;
2808
cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table,
2809
(hashtab_key_t) id_end);
2811
yyerror2("unknown category %s", id_end);
2814
range_end = cdatum->s.value - 1;
2816
if (range_end < range_start) {
2817
yyerror2("category range is invalid");
2821
cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table,
2822
(hashtab_key_t) id);
2824
yyerror2("unknown category %s", id);
2827
range_start = range_end = cdatum->s.value - 1;
2830
for (i = range_start; i <= range_end; i++) {
2831
if (!ebitmap_get_bit(&levdatum->level->cat, i)) {
2832
uint32_t level_value = levdatum->level->sens - 1;
2833
policydb_index_others(NULL, policydbp, 0);
2834
yyerror2("category %s can not be associated "
2836
policydbp->p_cat_val_to_name[i],
2837
policydbp->p_sens_val_to_name[level_value]);
2840
if (ebitmap_set_bit(cats, i, TRUE)) {
2841
yyerror("out of memory");
2849
static int parse_semantic_categories(char *id, level_datum_t * levdatum,
2850
mls_semantic_cat_t ** cats)
2852
cat_datum_t *cdatum;
2853
mls_semantic_cat_t *newcat;
2854
unsigned int range_start, range_end;
2856
if (id_has_dot(id)) {
2857
char *id_start = id;
2858
char *id_end = strchr(id, '.');
2862
cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table,
2866
yyerror2("unknown category %s", id_start);
2869
range_start = cdatum->s.value;
2871
cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table,
2872
(hashtab_key_t) id_end);
2874
yyerror2("unknown category %s", id_end);
2877
range_end = cdatum->s.value;
2879
cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table,
2880
(hashtab_key_t) id);
2882
yyerror2("unknown category %s", id);
2885
range_start = range_end = cdatum->s.value;
2888
newcat = (mls_semantic_cat_t *) malloc(sizeof(mls_semantic_cat_t));
2890
yyerror("out of memory");
2894
mls_semantic_cat_init(newcat);
2895
newcat->next = *cats;
2896
newcat->low = range_start;
2897
newcat->high = range_end;
2904
int define_user(void)
2907
user_datum_t *usrdatum;
2908
level_datum_t *levdatum;
2912
while ((id = queue_remove(id_queue)))
2915
while ((id = queue_remove(id_queue)))
2917
id = queue_remove(id_queue);
2919
for (l = 0; l < 2; l++) {
2920
while ((id = queue_remove(id_queue))) {
2923
id = queue_remove(id_queue);
2932
if ((usrdatum = declare_user()) == NULL) {
2936
while ((id = queue_remove(id_queue))) {
2937
if (set_user_roles(&usrdatum->roles, id))
2942
id = queue_remove(id_queue);
2944
yyerror("no default level specified for user");
2948
levdatum = (level_datum_t *)
2949
hashtab_search(policydbp->p_levels.table,
2950
(hashtab_key_t) id);
2952
yyerror2("unknown sensitivity %s used in user"
2953
" level definition", id);
2959
usrdatum->dfltlevel.sens = levdatum->level->sens;
2961
while ((id = queue_remove(id_queue))) {
2962
if (parse_semantic_categories(id, levdatum,
2963
&usrdatum->dfltlevel.cat)) {
2970
id = queue_remove(id_queue);
2972
for (l = 0; l < 2; l++) {
2973
levdatum = (level_datum_t *)
2974
hashtab_search(policydbp->p_levels.table,
2975
(hashtab_key_t) id);
2977
yyerror2("unknown sensitivity %s used in user"
2978
" range definition", id);
2984
usrdatum->range.level[l].sens = levdatum->level->sens;
2986
while ((id = queue_remove(id_queue))) {
2987
if (parse_semantic_categories(id, levdatum,
2988
&usrdatum->range.level[l].cat)) {
2995
id = queue_remove(id_queue);
3001
if (mls_semantic_level_cpy(&usrdatum->range.level[1],
3002
&usrdatum->range.level[0])) {
3003
yyerror("out of memory");
3011
static int parse_security_context(context_struct_t * c)
3015
type_datum_t *typdatum;
3016
user_datum_t *usrdatum;
3017
level_datum_t *levdatum;
3021
id = queue_remove(id_queue);
3022
free(id); /* user */
3023
id = queue_remove(id_queue);
3024
free(id); /* role */
3025
id = queue_remove(id_queue);
3026
free(id); /* type */
3028
id = queue_remove(id_queue);
3030
for (l = 0; l < 2; l++) {
3031
while ((id = queue_remove(id_queue))) {
3034
id = queue_remove(id_queue);
3045
/* extract the user */
3046
id = queue_remove(id_queue);
3048
yyerror("no effective user?");
3051
if (!is_id_in_scope(SYM_USERS, id)) {
3052
yyerror2("user %s is not within scope", id);
3056
usrdatum = (user_datum_t *) hashtab_search(policydbp->p_users.table,
3057
(hashtab_key_t) id);
3059
yyerror2("user %s is not defined", id);
3063
c->user = usrdatum->s.value;
3065
/* no need to keep the user name */
3068
/* extract the role */
3069
id = (char *)queue_remove(id_queue);
3071
yyerror("no role name for sid context definition?");
3074
if (!is_id_in_scope(SYM_ROLES, id)) {
3075
yyerror2("role %s is not within scope", id);
3079
role = (role_datum_t *) hashtab_search(policydbp->p_roles.table,
3080
(hashtab_key_t) id);
3082
yyerror2("role %s is not defined", id);
3086
c->role = role->s.value;
3088
/* no need to keep the role name */
3091
/* extract the type */
3092
id = (char *)queue_remove(id_queue);
3094
yyerror("no type name for sid context definition?");
3097
if (!is_id_in_scope(SYM_TYPES, id)) {
3098
yyerror2("type %s is not within scope", id);
3102
typdatum = (type_datum_t *) hashtab_search(policydbp->p_types.table,
3103
(hashtab_key_t) id);
3104
if (!typdatum || typdatum->flavor == TYPE_ATTRIB) {
3105
yyerror2("type %s is not defined or is an attribute", id);
3109
c->type = typdatum->s.value;
3111
/* no need to keep the type name */
3115
/* extract the low sensitivity */
3116
id = (char *)queue_head(id_queue);
3118
yyerror("no sensitivity name for sid context"
3123
id = (char *)queue_remove(id_queue);
3124
for (l = 0; l < 2; l++) {
3125
levdatum = (level_datum_t *)
3126
hashtab_search(policydbp->p_levels.table,
3127
(hashtab_key_t) id);
3129
yyerror2("Sensitivity %s is not defined", id);
3134
c->range.level[l].sens = levdatum->level->sens;
3136
/* extract low category set */
3137
while ((id = queue_remove(id_queue))) {
3138
if (parse_categories(id, levdatum,
3139
&c->range.level[l].cat)) {
3146
/* extract high sensitivity */
3147
id = (char *)queue_remove(id_queue);
3153
c->range.level[1].sens = c->range.level[0].sens;
3154
if (ebitmap_cpy(&c->range.level[1].cat,
3155
&c->range.level[0].cat)) {
3157
yyerror("out of memory");
3163
if (!policydb_context_isvalid(policydbp, c)) {
3164
yyerror("invalid security context");
3175
int define_initial_sid_context(void)
3178
ocontext_t *c, *head;
3181
id = (char *)queue_remove(id_queue);
3183
parse_security_context(NULL);
3187
id = (char *)queue_remove(id_queue);
3189
yyerror("no sid name for SID context definition?");
3192
head = policydbp->ocontexts[OCON_ISID];
3193
for (c = head; c; c = c->next) {
3194
if (!strcmp(id, c->u.name))
3199
yyerror2("SID %s is not defined", id);
3203
if (c->context[0].user) {
3204
yyerror2("The context for SID %s is multiply defined", id);
3208
/* no need to keep the sid name */
3211
if (parse_security_context(&c->context[0]))
3217
int define_fs_context(unsigned int major, unsigned int minor)
3219
ocontext_t *newc, *c, *head;
3222
parse_security_context(NULL);
3223
parse_security_context(NULL);
3227
newc = (ocontext_t *) malloc(sizeof(ocontext_t));
3229
yyerror("out of memory");
3232
memset(newc, 0, sizeof(ocontext_t));
3234
newc->u.name = (char *)malloc(6);
3235
if (!newc->u.name) {
3236
yyerror("out of memory");
3240
sprintf(newc->u.name, "%02x:%02x", major, minor);
3242
if (parse_security_context(&newc->context[0])) {
3247
if (parse_security_context(&newc->context[1])) {
3248
context_destroy(&newc->context[0]);
3253
head = policydbp->ocontexts[OCON_FS];
3255
for (c = head; c; c = c->next) {
3256
if (!strcmp(newc->u.name, c->u.name)) {
3257
yyerror2("duplicate entry for file system %s",
3259
context_destroy(&newc->context[0]);
3260
context_destroy(&newc->context[1]);
3268
policydbp->ocontexts[OCON_FS] = newc;
3273
int define_port_context(unsigned int low, unsigned int high)
3275
ocontext_t *newc, *c, *l, *head;
3276
unsigned int protocol;
3280
id = (char *)queue_remove(id_queue);
3282
parse_security_context(NULL);
3286
newc = malloc(sizeof(ocontext_t));
3288
yyerror("out of memory");
3291
memset(newc, 0, sizeof(ocontext_t));
3293
id = (char *)queue_remove(id_queue);
3298
if ((strcmp(id, "tcp") == 0) || (strcmp(id, "TCP") == 0)) {
3299
protocol = IPPROTO_TCP;
3300
} else if ((strcmp(id, "udp") == 0) || (strcmp(id, "UDP") == 0)) {
3301
protocol = IPPROTO_UDP;
3303
yyerror2("unrecognized protocol %s", id);
3308
newc->u.port.protocol = protocol;
3309
newc->u.port.low_port = low;
3310
newc->u.port.high_port = high;
3313
yyerror2("low port %d exceeds high port %d", low, high);
3318
if (parse_security_context(&newc->context[0])) {
3323
/* Preserve the matching order specified in the configuration. */
3324
head = policydbp->ocontexts[OCON_PORT];
3325
for (l = NULL, c = head; c; l = c, c = c->next) {
3326
unsigned int prot2, low2, high2;
3328
prot2 = c->u.port.protocol;
3329
low2 = c->u.port.low_port;
3330
high2 = c->u.port.high_port;
3331
if (protocol != prot2)
3333
if (low == low2 && high == high2) {
3334
yyerror2("duplicate portcon entry for %s %d-%d ", id,
3338
if (low2 <= low && high2 >= high) {
3339
yyerror2("portcon entry for %s %d-%d hidden by earlier "
3340
"entry for %d-%d", id, low, high, low2, high2);
3348
policydbp->ocontexts[OCON_PORT] = newc;
3357
int define_netif_context(void)
3359
ocontext_t *newc, *c, *head;
3362
free(queue_remove(id_queue));
3363
parse_security_context(NULL);
3364
parse_security_context(NULL);
3368
newc = (ocontext_t *) malloc(sizeof(ocontext_t));
3370
yyerror("out of memory");
3373
memset(newc, 0, sizeof(ocontext_t));
3375
newc->u.name = (char *)queue_remove(id_queue);
3376
if (!newc->u.name) {
3380
if (parse_security_context(&newc->context[0])) {
3385
if (parse_security_context(&newc->context[1])) {
3386
context_destroy(&newc->context[0]);
3391
head = policydbp->ocontexts[OCON_NETIF];
3393
for (c = head; c; c = c->next) {
3394
if (!strcmp(newc->u.name, c->u.name)) {
3395
yyerror2("duplicate entry for network interface %s",
3397
context_destroy(&newc->context[0]);
3398
context_destroy(&newc->context[1]);
3406
policydbp->ocontexts[OCON_NETIF] = newc;
3410
int define_ipv4_node_context()
3414
struct in_addr addr, mask;
3415
ocontext_t *newc, *c, *l, *head;
3418
free(queue_remove(id_queue));
3419
free(queue_remove(id_queue));
3420
parse_security_context(NULL);
3424
id = queue_remove(id_queue);
3426
yyerror("failed to read ipv4 address");
3431
rc = inet_pton(AF_INET, id, &addr);
3434
yyerror("failed to parse ipv4 address");
3440
id = queue_remove(id_queue);
3442
yyerror("failed to read ipv4 address");
3447
rc = inet_pton(AF_INET, id, &mask);
3450
yyerror("failed to parse ipv4 mask");
3456
newc = malloc(sizeof(ocontext_t));
3458
yyerror("out of memory");
3463
memset(newc, 0, sizeof(ocontext_t));
3464
newc->u.node.addr = addr.s_addr;
3465
newc->u.node.mask = mask.s_addr;
3467
if (parse_security_context(&newc->context[0])) {
3472
/* Create order of most specific to least retaining
3473
the order specified in the configuration. */
3474
head = policydbp->ocontexts[OCON_NODE];
3475
for (l = NULL, c = head; c; l = c, c = c->next) {
3476
if (newc->u.node.mask > c->u.node.mask)
3485
policydbp->ocontexts[OCON_NODE] = newc;
3491
int define_ipv6_node_context(void)
3495
struct in6_addr addr, mask;
3496
ocontext_t *newc, *c, *l, *head;
3499
free(queue_remove(id_queue));
3500
free(queue_remove(id_queue));
3501
parse_security_context(NULL);
3505
id = queue_remove(id_queue);
3507
yyerror("failed to read ipv6 address");
3512
rc = inet_pton(AF_INET6, id, &addr);
3515
yyerror("failed to parse ipv6 address");
3521
id = queue_remove(id_queue);
3523
yyerror("failed to read ipv6 address");
3528
rc = inet_pton(AF_INET6, id, &mask);
3531
yyerror("failed to parse ipv6 mask");
3537
newc = malloc(sizeof(ocontext_t));
3539
yyerror("out of memory");
3544
memset(newc, 0, sizeof(ocontext_t));
3545
memcpy(&newc->u.node6.addr[0], &addr.s6_addr32[0], 16);
3546
memcpy(&newc->u.node6.mask[0], &mask.s6_addr32[0], 16);
3548
if (parse_security_context(&newc->context[0])) {
3554
/* Create order of most specific to least retaining
3555
the order specified in the configuration. */
3556
head = policydbp->ocontexts[OCON_NODE6];
3557
for (l = NULL, c = head; c; l = c, c = c->next) {
3558
if (memcmp(&newc->u.node6.mask, &c->u.node6.mask, 16) > 0)
3567
policydbp->ocontexts[OCON_NODE6] = newc;
3574
int define_fs_use(int behavior)
3576
ocontext_t *newc, *c, *head;
3579
free(queue_remove(id_queue));
3580
parse_security_context(NULL);
3584
newc = (ocontext_t *) malloc(sizeof(ocontext_t));
3586
yyerror("out of memory");
3589
memset(newc, 0, sizeof(ocontext_t));
3591
newc->u.name = (char *)queue_remove(id_queue);
3592
if (!newc->u.name) {
3596
newc->v.behavior = behavior;
3597
if (parse_security_context(&newc->context[0])) {
3603
head = policydbp->ocontexts[OCON_FSUSE];
3605
for (c = head; c; c = c->next) {
3606
if (!strcmp(newc->u.name, c->u.name)) {
3607
yyerror2("duplicate fs_use entry for filesystem type %s",
3609
context_destroy(&newc->context[0]);
3617
policydbp->ocontexts[OCON_FSUSE] = newc;
3621
int define_genfs_context_helper(char *fstype, int has_type)
3623
struct genfs *genfs_p, *genfs, *newgenfs;
3624
ocontext_t *newc, *c, *head, *p;
3630
free(queue_remove(id_queue));
3632
free(queue_remove(id_queue));
3633
parse_security_context(NULL);
3637
for (genfs_p = NULL, genfs = policydbp->genfs;
3638
genfs; genfs_p = genfs, genfs = genfs->next) {
3639
if (strcmp(fstype, genfs->fstype) <= 0)
3643
if (!genfs || strcmp(fstype, genfs->fstype)) {
3644
newgenfs = malloc(sizeof(struct genfs));
3646
yyerror("out of memory");
3649
memset(newgenfs, 0, sizeof(struct genfs));
3650
newgenfs->fstype = fstype;
3651
newgenfs->next = genfs;
3653
genfs_p->next = newgenfs;
3655
policydbp->genfs = newgenfs;
3659
newc = (ocontext_t *) malloc(sizeof(ocontext_t));
3661
yyerror("out of memory");
3664
memset(newc, 0, sizeof(ocontext_t));
3666
newc->u.name = (char *)queue_remove(id_queue);
3670
type = (char *)queue_remove(id_queue);
3674
yyerror2("invalid type %s", type);
3679
newc->v.sclass = SECCLASS_BLK_FILE;
3682
newc->v.sclass = SECCLASS_CHR_FILE;
3685
newc->v.sclass = SECCLASS_DIR;
3688
newc->v.sclass = SECCLASS_FIFO_FILE;
3691
newc->v.sclass = SECCLASS_LNK_FILE;
3694
newc->v.sclass = SECCLASS_SOCK_FILE;
3697
newc->v.sclass = SECCLASS_FILE;
3700
yyerror2("invalid type %s", type);
3704
if (parse_security_context(&newc->context[0]))
3709
for (p = NULL, c = head; c; p = c, c = c->next) {
3710
if (!strcmp(newc->u.name, c->u.name) &&
3711
(!newc->v.sclass || !c->v.sclass
3712
|| newc->v.sclass == c->v.sclass)) {
3713
yyerror2("duplicate entry for genfs entry (%s, %s)",
3714
fstype, newc->u.name);
3717
len = strlen(newc->u.name);
3718
len2 = strlen(c->u.name);
3732
context_destroy(&newc->context[0]);
3741
int define_genfs_context(int has_type)
3743
return define_genfs_context_helper(queue_remove(id_queue), has_type);
3746
int define_range_trans(int class_specified)
3749
level_datum_t *levdatum = 0;
3750
class_datum_t *cladatum;
3751
range_trans_rule_t *rule;
3755
yyerror("range_transition rule in non-MLS configuration");
3760
while ((id = queue_remove(id_queue)))
3762
while ((id = queue_remove(id_queue)))
3764
if (class_specified)
3765
while ((id = queue_remove(id_queue)))
3767
id = queue_remove(id_queue);
3769
for (l = 0; l < 2; l++) {
3770
while ((id = queue_remove(id_queue))) {
3773
id = queue_remove(id_queue);
3781
rule = malloc(sizeof(struct range_trans_rule));
3783
yyerror("out of memory");
3786
range_trans_rule_init(rule);
3788
while ((id = queue_remove(id_queue))) {
3789
if (set_types(&rule->stypes, id, &add, 0))
3793
while ((id = queue_remove(id_queue))) {
3794
if (set_types(&rule->ttypes, id, &add, 0))
3798
if (class_specified) {
3799
while ((id = queue_remove(id_queue))) {
3800
if (!is_id_in_scope(SYM_CLASSES, id)) {
3801
yyerror2("class %s is not within scope", id);
3805
cladatum = hashtab_search(policydbp->p_classes.table,
3808
yyerror2("unknown class %s", id);
3812
ebitmap_set_bit(&rule->tclasses, cladatum->s.value - 1,
3817
cladatum = hashtab_search(policydbp->p_classes.table,
3820
yyerror2("could not find process class for "
3821
"legacy range_transition statement");
3825
ebitmap_set_bit(&rule->tclasses, cladatum->s.value - 1, TRUE);
3828
id = (char *)queue_remove(id_queue);
3830
yyerror("no range in range_transition definition?");
3833
for (l = 0; l < 2; l++) {
3834
levdatum = hashtab_search(policydbp->p_levels.table, id);
3836
yyerror2("unknown level %s used in range_transition "
3843
rule->trange.level[l].sens = levdatum->level->sens;
3845
while ((id = queue_remove(id_queue))) {
3846
if (parse_semantic_categories(id, levdatum,
3847
&rule->trange.level[l].cat)) {
3854
id = (char *)queue_remove(id_queue);
3859
if (mls_semantic_level_cpy(&rule->trange.level[1],
3860
&rule->trange.level[0])) {
3861
yyerror("out of memory");
3866
append_range_trans(rule);
3870
range_trans_rule_destroy(rule);