840
779
avrule_user_defs : user_def avrule_user_defs
845
/* initialize all of the state variables for the scanner/parser */
846
void init_parser(int pass_number)
854
void yyerror2(char *fmt, ...)
858
vsnprintf(errormsg, ERRORMSG_LEN, fmt, ap);
865
static int insert_separator(int push)
870
error = queue_push(id_queue, 0);
872
error = queue_insert(id_queue, 0);
875
yyerror("queue overflow");
881
static int insert_id(char *id, int push)
886
newid = (char *)malloc(strlen(id) + 1);
888
yyerror("out of memory");
893
error = queue_push(id_queue, (queue_element_t) newid);
895
error = queue_insert(id_queue, (queue_element_t) newid);
898
yyerror("queue overflow");
905
/* If the identifier has a dot within it and that its first character
906
is not a dot then return 1, else return 0. */
907
static int id_has_dot(char *id)
909
if (strchr(id, '.') >= id + 1) {
915
static int define_class(void)
918
class_datum_t *datum = 0;
923
id = queue_remove(id_queue);
928
id = (char *)queue_remove(id_queue);
930
yyerror("no class name for class definition?");
933
datum = (class_datum_t *) malloc(sizeof(class_datum_t));
935
yyerror("out of memory");
938
memset(datum, 0, sizeof(class_datum_t));
939
ret = declare_symbol(SYM_CLASSES, id, datum, &value, &value);
942
yyerror("Out of memory!");
946
yyerror2("duplicate declaration of class %s", id);
950
yyerror("could not declare class here");
958
assert(0); /* should never get here */
961
datum->s.value = value;
972
static int define_polcap(void)
978
id = queue_remove(id_queue);
983
id = (char *)queue_remove(id_queue);
985
yyerror("no capability name for policycap definition?");
989
/* Check for valid cap name -> number mapping */
990
capnum = sepol_polcap_getnum(id);
992
yyerror2("invalid policy capability name %s", id);
997
if (ebitmap_set_bit(&policydbp->policycaps, capnum, TRUE)) {
998
yyerror("out of memory");
1010
static int define_initial_sid(void)
1013
ocontext_t *newc = 0, *c, *head;
1016
id = queue_remove(id_queue);
1021
id = (char *)queue_remove(id_queue);
1023
yyerror("no sid name for SID definition?");
1026
newc = (ocontext_t *) malloc(sizeof(ocontext_t));
1028
yyerror("out of memory");
1031
memset(newc, 0, sizeof(ocontext_t));
1033
context_init(&newc->context[0]);
1034
head = policydbp->ocontexts[OCON_ISID];
1036
for (c = head; c; c = c->next) {
1037
if (!strcmp(newc->u.name, c->u.name)) {
1038
sprintf(errormsg, "duplicate initial SID %s", id);
1045
newc->sid[0] = head->sid[0] + 1;
1050
policydbp->ocontexts[OCON_ISID] = newc;
1062
static int define_common_perms(void)
1064
char *id = 0, *perm = 0;
1065
common_datum_t *comdatum = 0;
1066
perm_datum_t *perdatum = 0;
1070
while ((id = queue_remove(id_queue)))
1075
id = (char *)queue_remove(id_queue);
1077
yyerror("no common name for common perm definition?");
1080
comdatum = hashtab_search(policydbp->p_commons.table, id);
1082
snprintf(errormsg, ERRORMSG_LEN,
1083
"duplicate declaration for common %s\n", id);
1087
comdatum = (common_datum_t *) malloc(sizeof(common_datum_t));
1089
yyerror("out of memory");
1092
memset(comdatum, 0, sizeof(common_datum_t));
1093
ret = hashtab_insert(policydbp->p_commons.table,
1094
(hashtab_key_t) id, (hashtab_datum_t) comdatum);
1096
if (ret == SEPOL_EEXIST) {
1097
yyerror("duplicate common definition");
1100
if (ret == SEPOL_ENOMEM) {
1101
yyerror("hash table overflow");
1104
comdatum->s.value = policydbp->p_commons.nprim + 1;
1105
if (symtab_init(&comdatum->permissions, PERM_SYMTAB_SIZE)) {
1106
yyerror("out of memory");
1109
policydbp->p_commons.nprim++;
1110
while ((perm = queue_remove(id_queue))) {
1111
perdatum = (perm_datum_t *) malloc(sizeof(perm_datum_t));
1113
yyerror("out of memory");
1116
memset(perdatum, 0, sizeof(perm_datum_t));
1117
perdatum->s.value = comdatum->permissions.nprim + 1;
1119
if (perdatum->s.value > (sizeof(sepol_access_vector_t) * 8)) {
1121
("too many permissions to fit in an access vector");
1124
ret = hashtab_insert(comdatum->permissions.table,
1125
(hashtab_key_t) perm,
1126
(hashtab_datum_t) perdatum);
1128
if (ret == SEPOL_EEXIST) {
1130
"duplicate permission %s in common %s", perm,
1135
if (ret == SEPOL_ENOMEM) {
1136
yyerror("hash table overflow");
1139
comdatum->permissions.nprim++;
1159
static int define_av_perms(int inherits)
1162
class_datum_t *cladatum;
1163
common_datum_t *comdatum;
1164
perm_datum_t *perdatum = 0, *perdatum2 = 0;
1168
while ((id = queue_remove(id_queue)))
1173
id = (char *)queue_remove(id_queue);
1175
yyerror("no tclass name for av perm definition?");
1178
cladatum = (class_datum_t *) hashtab_search(policydbp->p_classes.table,
1179
(hashtab_key_t) id);
1181
sprintf(errormsg, "class %s is not defined", id);
1187
if (cladatum->comdatum || cladatum->permissions.nprim) {
1188
yyerror("duplicate access vector definition");
1191
if (symtab_init(&cladatum->permissions, PERM_SYMTAB_SIZE)) {
1192
yyerror("out of memory");
1196
id = (char *)queue_remove(id_queue);
1199
("no inherits name for access vector definition?");
1203
(common_datum_t *) hashtab_search(policydbp->p_commons.
1205
(hashtab_key_t) id);
1208
sprintf(errormsg, "common %s is not defined", id);
1212
cladatum->comkey = id;
1213
cladatum->comdatum = comdatum;
1216
* Class-specific permissions start with values
1217
* after the last common permission.
1219
cladatum->permissions.nprim += comdatum->permissions.nprim;
1221
while ((id = queue_remove(id_queue))) {
1222
perdatum = (perm_datum_t *) malloc(sizeof(perm_datum_t));
1224
yyerror("out of memory");
1227
memset(perdatum, 0, sizeof(perm_datum_t));
1228
perdatum->s.value = ++cladatum->permissions.nprim;
1230
if (perdatum->s.value > (sizeof(sepol_access_vector_t) * 8)) {
1232
("too many permissions to fit in an access vector");
1237
* Class-specific permissions and
1238
* common permissions exist in the same
1242
(perm_datum_t *) hashtab_search(cladatum->comdatum->
1244
(hashtab_key_t) id);
1247
"permission %s conflicts with an inherited permission",
1253
ret = hashtab_insert(cladatum->permissions.table,
1255
(hashtab_datum_t) perdatum);
1257
if (ret == SEPOL_EEXIST) {
1258
sprintf(errormsg, "duplicate permission %s", id);
1262
if (ret == SEPOL_ENOMEM) {
1263
yyerror("hash table overflow");
1266
if (add_perm_to_class(perdatum->s.value, cladatum->s.value)) {
1267
yyerror("out of memory");
1282
static int define_sens(void)
1285
mls_level_t *level = 0;
1286
level_datum_t *datum = 0, *aliasdatum = 0;
1288
uint32_t value; /* dummy variable -- its value is never used */
1291
yyerror("sensitivity definition in non-MLS configuration");
1296
while ((id = queue_remove(id_queue)))
1301
id = (char *)queue_remove(id_queue);
1303
yyerror("no sensitivity name for sensitivity definition?");
1306
if (id_has_dot(id)) {
1307
yyerror("sensitivity identifiers may not contain periods");
1310
level = (mls_level_t *) malloc(sizeof(mls_level_t));
1312
yyerror("out of memory");
1315
mls_level_init(level);
1316
level->sens = 0; /* actual value set in define_dominance */
1317
ebitmap_init(&level->cat); /* actual value set in define_level */
1319
datum = (level_datum_t *) malloc(sizeof(level_datum_t));
1321
yyerror("out of memory");
1324
level_datum_init(datum);
1325
datum->isalias = FALSE;
1326
datum->level = level;
1328
ret = declare_symbol(SYM_LEVELS, id, datum, &value, &value);
1331
yyerror("Out of memory!");
1335
yyerror("duplicate declaration of sensitivity level");
1339
yyerror("could not declare sensitivity level here");
1347
assert(0); /* should never get here */
1351
while ((id = queue_remove(id_queue))) {
1352
if (id_has_dot(id)) {
1353
yyerror("sensitivity aliases may not contain periods");
1356
aliasdatum = (level_datum_t *) malloc(sizeof(level_datum_t));
1358
yyerror("out of memory");
1361
level_datum_init(aliasdatum);
1362
aliasdatum->isalias = TRUE;
1363
aliasdatum->level = level;
1365
ret = declare_symbol(SYM_LEVELS, id, aliasdatum, NULL, &value);
1368
yyerror("Out of memory!");
1373
("duplicate declaration of sensitivity alias");
1378
("could not declare sensitivity alias here");
1386
assert(0); /* should never get here */
1399
level_datum_destroy(datum);
1408
level_datum_destroy(aliasdatum);
1414
static int define_dominance(void)
1416
level_datum_t *datum;
1421
yyerror("dominance definition in non-MLS configuration");
1426
while ((id = queue_remove(id_queue)))
1432
while ((id = (char *)queue_remove(id_queue))) {
1434
(level_datum_t *) hashtab_search(policydbp->p_levels.table,
1435
(hashtab_key_t) id);
1438
"unknown sensitivity %s used in dominance definition",
1444
if (datum->level->sens != 0) {
1446
"sensitivity %s occurs multiply in dominance definition",
1452
datum->level->sens = ++order;
1454
/* no need to keep sensitivity name */
1458
if (order != policydbp->p_levels.nprim) {
1460
("all sensitivities must be specified in dominance definition");
1466
static int define_category(void)
1469
cat_datum_t *datum = 0, *aliasdatum = 0;
1474
yyerror("category definition in non-MLS configuration");
1479
while ((id = queue_remove(id_queue)))
1484
id = (char *)queue_remove(id_queue);
1486
yyerror("no category name for category definition?");
1489
if (id_has_dot(id)) {
1490
yyerror("category identifiers may not contain periods");
1493
datum = (cat_datum_t *) malloc(sizeof(cat_datum_t));
1495
yyerror("out of memory");
1498
cat_datum_init(datum);
1499
datum->isalias = FALSE;
1501
ret = declare_symbol(SYM_CATS, id, datum, &value, &value);
1504
yyerror("Out of memory!");
1508
yyerror("duplicate declaration of category");
1512
yyerror("could not declare category here");
1520
assert(0); /* should never get here */
1523
datum->s.value = value;
1525
while ((id = queue_remove(id_queue))) {
1526
if (id_has_dot(id)) {
1527
yyerror("category aliases may not contain periods");
1530
aliasdatum = (cat_datum_t *) malloc(sizeof(cat_datum_t));
1532
yyerror("out of memory");
1535
cat_datum_init(aliasdatum);
1536
aliasdatum->isalias = TRUE;
1537
aliasdatum->s.value = datum->s.value;
1540
declare_symbol(SYM_CATS, id, aliasdatum, NULL,
1544
yyerror("Out of memory!");
1549
("duplicate declaration of category aliases");
1554
("could not declare category aliases here");
1562
assert(0); /* should never get here */
1573
cat_datum_destroy(datum);
1582
cat_datum_destroy(aliasdatum);
1588
static int clone_level(hashtab_key_t key, hashtab_datum_t datum, void *arg)
1590
level_datum_t *levdatum = (level_datum_t *) datum;
1591
mls_level_t *level = (mls_level_t *) arg, *newlevel;
1593
if (levdatum->level == level) {
1594
levdatum->defined = 1;
1595
if (!levdatum->isalias)
1597
newlevel = (mls_level_t *) malloc(sizeof(mls_level_t));
1600
if (mls_level_cpy(newlevel, level)) {
1604
levdatum->level = newlevel;
1609
static int define_level(void)
1612
level_datum_t *levdatum;
1615
yyerror("level definition in non-MLS configuration");
1620
while ((id = queue_remove(id_queue)))
1625
id = (char *)queue_remove(id_queue);
1627
yyerror("no level name for level definition?");
1630
levdatum = (level_datum_t *) hashtab_search(policydbp->p_levels.table,
1631
(hashtab_key_t) id);
1634
"unknown sensitivity %s used in level definition", id);
1639
if (ebitmap_length(&levdatum->level->cat)) {
1641
"sensitivity %s used in multiple level definitions",
1649
levdatum->defined = 1;
1651
while ((id = queue_remove(id_queue))) {
1652
cat_datum_t *cdatum;
1653
int range_start, range_end, i;
1655
if (id_has_dot(id)) {
1656
char *id_start = id;
1657
char *id_end = strchr(id, '.');
1662
(cat_datum_t *) hashtab_search(policydbp->p_cats.
1667
sprintf(errormsg, "unknown category %s",
1673
range_start = cdatum->s.value - 1;
1675
(cat_datum_t *) hashtab_search(policydbp->p_cats.
1680
sprintf(errormsg, "unknown category %s",
1686
range_end = cdatum->s.value - 1;
1688
if (range_end < range_start) {
1689
sprintf(errormsg, "category range is invalid");
1696
(cat_datum_t *) hashtab_search(policydbp->p_cats.
1698
(hashtab_key_t) id);
1699
range_start = range_end = cdatum->s.value - 1;
1702
for (i = range_start; i <= range_end; i++) {
1703
if (ebitmap_set_bit(&levdatum->level->cat, i, TRUE)) {
1704
yyerror("out of memory");
1714
(policydbp->p_levels.table, clone_level, levdatum->level)) {
1715
yyerror("out of memory");
1722
static int define_attrib(void)
1725
free(queue_remove(id_queue));
1729
if (declare_type(TRUE, TRUE) == NULL) {
1735
static int add_aliases_to_type(type_datum_t * type)
1738
type_datum_t *aliasdatum = NULL;
1740
while ((id = queue_remove(id_queue))) {
1741
if (id_has_dot(id)) {
1744
("type alias identifiers may not contain periods");
1747
aliasdatum = (type_datum_t *) malloc(sizeof(type_datum_t));
1750
yyerror("Out of memory!");
1753
memset(aliasdatum, 0, sizeof(type_datum_t));
1754
aliasdatum->s.value = type->s.value;
1756
ret = declare_symbol(SYM_TYPES, id, aliasdatum,
1757
NULL, &aliasdatum->s.value);
1760
yyerror("Out of memory!");
1764
yyerror2("duplicate declaration of alias %s",
1769
yyerror("could not declare alias here");
1777
assert(0); /* should never get here */
1784
type_datum_destroy(aliasdatum);
1789
static int define_typealias(void)
1795
while ((id = queue_remove(id_queue)))
1800
id = (char *)queue_remove(id_queue);
1802
yyerror("no type name for typealias definition?");
1806
if (!is_id_in_scope(SYM_TYPES, id)) {
1807
yyerror2("type %s is not within scope", id);
1811
t = hashtab_search(policydbp->p_types.table, id);
1812
if (!t || t->flavor == TYPE_ATTRIB) {
1814
"unknown type %s, or it was already declared as an attribute",
1820
return add_aliases_to_type(t);
1823
static int define_typeattribute(void)
1826
type_datum_t *t, *attr;
1829
while ((id = queue_remove(id_queue)))
1834
id = (char *)queue_remove(id_queue);
1836
yyerror("no type name for typeattribute definition?");
1840
if (!is_id_in_scope(SYM_TYPES, id)) {
1841
yyerror2("type %s is not within scope", id);
1845
t = hashtab_search(policydbp->p_types.table, id);
1846
if (!t || t->flavor == TYPE_ATTRIB) {
1847
sprintf(errormsg, "unknown type %s", id);
1853
while ((id = queue_remove(id_queue))) {
1854
if (!is_id_in_scope(SYM_TYPES, id)) {
1855
yyerror2("attribute %s is not within scope", id);
1859
attr = hashtab_search(policydbp->p_types.table, id);
1861
sprintf(errormsg, "attribute %s is not declared", id);
1862
/* treat it as a fatal error */
1868
if (attr->flavor != TYPE_ATTRIB) {
1869
sprintf(errormsg, "%s is a type, not an attribute", id);
1875
if ((attr = get_local_type(id, attr->s.value, 1)) == NULL) {
1876
yyerror("Out of memory!");
1880
if (ebitmap_set_bit(&attr->types, (t->s.value - 1), TRUE)) {
1881
yyerror("out of memory");
1889
static int define_type(int alias)
1892
type_datum_t *datum, *attr;
1896
while ((id = queue_remove(id_queue)))
1899
while ((id = queue_remove(id_queue)))
1905
if ((datum = declare_type(TRUE, FALSE)) == NULL) {
1910
if (add_aliases_to_type(datum) == -1) {
1915
while ((id = queue_remove(id_queue))) {
1916
if (!is_id_in_scope(SYM_TYPES, id)) {
1917
yyerror2("attribute %s is not within scope", id);
1921
attr = hashtab_search(policydbp->p_types.table, id);
1923
sprintf(errormsg, "attribute %s is not declared", id);
1925
/* treat it as a fatal error */
1932
if (attr->flavor != TYPE_ATTRIB) {
1933
sprintf(errormsg, "%s is a type, not an attribute", id);
1938
if ((attr = get_local_type(id, attr->s.value, 1)) == NULL) {
1939
yyerror("Out of memory!");
1943
if (ebitmap_set_bit(&attr->types, datum->s.value - 1, TRUE)) {
1944
yyerror("Out of memory");
1952
struct val_to_name {
1957
/* Adds a type, given by its textual name, to a typeset. If *add is
1958
0, then add the type to the negative set; otherwise if *add is 1
1959
then add it to the positive side. */
1960
static int set_types(type_set_t * set, char *id, int *add, char starallowed)
1964
if (strcmp(id, "*") == 0) {
1966
yyerror("* not allowed in this type of rule");
1969
/* set TYPE_STAR flag */
1970
set->flags = TYPE_STAR;
1976
if (strcmp(id, "~") == 0) {
1978
yyerror("~ not allowed in this type of rule");
1981
/* complement the set */
1982
set->flags = TYPE_COMP;
1988
if (strcmp(id, "-") == 0) {
1994
if (!is_id_in_scope(SYM_TYPES, id)) {
1995
yyerror2("type %s is not within scope", id);
1999
t = hashtab_search(policydbp->p_types.table, id);
2001
snprintf(errormsg, ERRORMSG_LEN, "unknown type %s", id);
2008
if (ebitmap_set_bit(&set->negset, t->s.value - 1, TRUE))
2011
if (ebitmap_set_bit(&set->types, t->s.value - 1, TRUE))
2018
yyerror("Out of memory");
2023
static int define_compute_type_helper(int which, avrule_t ** rule)
2026
type_datum_t *datum;
2027
class_datum_t *cladatum;
2029
ebitmap_node_t *node;
2031
class_perm_node_t *perm;
2034
avrule = malloc(sizeof(avrule_t));
2036
yyerror("out of memory");
2039
avrule_init(avrule);
2040
avrule->specified = which;
2041
avrule->line = policydb_lineno;
2043
while ((id = queue_remove(id_queue))) {
2044
if (set_types(&avrule->stypes, id, &add, 0))
2048
while ((id = queue_remove(id_queue))) {
2049
if (set_types(&avrule->ttypes, id, &add, 0))
2053
ebitmap_init(&tclasses);
2054
while ((id = queue_remove(id_queue))) {
2055
if (!is_id_in_scope(SYM_CLASSES, id)) {
2056
yyerror2("class %s is not within scope", id);
2060
cladatum = hashtab_search(policydbp->p_classes.table, id);
2062
sprintf(errormsg, "unknown class %s", id);
2066
if (ebitmap_set_bit(&tclasses, cladatum->s.value - 1, TRUE)) {
2067
yyerror("Out of memory");
2073
id = (char *)queue_remove(id_queue);
2075
yyerror("no newtype?");
2078
if (!is_id_in_scope(SYM_TYPES, id)) {
2079
yyerror2("type %s is not within scope", id);
2083
datum = (type_datum_t *) hashtab_search(policydbp->p_types.table,
2084
(hashtab_key_t) id);
2085
if (!datum || datum->flavor == TYPE_ATTRIB) {
2086
sprintf(errormsg, "unknown type %s", id);
2091
ebitmap_for_each_bit(&tclasses, node, i) {
2092
if (ebitmap_node_get_bit(node, i)) {
2093
perm = malloc(sizeof(class_perm_node_t));
2095
yyerror("out of memory");
2098
class_perm_node_init(perm);
2099
perm->class = i + 1;
2100
perm->data = datum->s.value;
2101
perm->next = avrule->perms;
2102
avrule->perms = perm;
2105
ebitmap_destroy(&tclasses);
2111
avrule_destroy(avrule);
2116
static int define_compute_type(int which)
2122
while ((id = queue_remove(id_queue)))
2124
while ((id = queue_remove(id_queue)))
2126
while ((id = queue_remove(id_queue)))
2128
id = queue_remove(id_queue);
2133
if (define_compute_type_helper(which, &avrule))
2136
append_avrule(avrule);
2140
static avrule_t *define_cond_compute_type(int which)
2146
while ((id = queue_remove(id_queue)))
2148
while ((id = queue_remove(id_queue)))
2150
while ((id = queue_remove(id_queue)))
2152
id = queue_remove(id_queue);
2154
return (avrule_t *) 1;
2157
if (define_compute_type_helper(which, &avrule))
2163
static int define_bool(void)
2165
char *id, *bool_value;
2166
cond_bool_datum_t *datum;
2171
while ((id = queue_remove(id_queue)))
2176
id = (char *)queue_remove(id_queue);
2178
yyerror("no identifier for bool definition?");
2181
if (id_has_dot(id)) {
2183
yyerror("boolean identifiers may not contain periods");
2186
datum = (cond_bool_datum_t *) malloc(sizeof(cond_bool_datum_t));
2188
yyerror("out of memory");
2192
memset(datum, 0, sizeof(cond_bool_datum_t));
2193
ret = declare_symbol(SYM_BOOLS, id, datum, &value, &value);
2196
yyerror("Out of memory!");
2200
yyerror2("duplicate declaration of boolean %s", id);
2204
yyerror("could not declare boolean here");
2212
assert(0); /* should never get here */
2215
datum->s.value = value;
2217
bool_value = (char *)queue_remove(id_queue);
2219
yyerror("no default value for bool definition?");
2224
datum->state = (int)(bool_value[0] == 'T') ? 1 : 0;
2227
cond_destroy_bool(id, datum, NULL);
2231
static avrule_t *define_cond_pol_list(avrule_t * avlist, avrule_t * sl)
2234
/* return something so we get through pass 1 */
2235
return (avrule_t *) 1;
2239
/* This is a require block, return previous list */
2243
/* prepend the new avlist to the pre-existing one */
2248
static int define_te_avtab_helper(int which, avrule_t ** rule)
2251
class_datum_t *cladatum;
2252
perm_datum_t *perdatum = NULL;
2253
class_perm_node_t *perms, *tail = NULL, *cur_perms = NULL;
2255
ebitmap_node_t *node;
2258
int add = 1, ret = 0;
2261
avrule = (avrule_t *) malloc(sizeof(avrule_t));
2263
yyerror("memory error");
2267
avrule_init(avrule);
2268
avrule->specified = which;
2269
avrule->line = policydb_lineno;
2271
while ((id = queue_remove(id_queue))) {
2273
(&avrule->stypes, id, &add,
2274
which == AVRULE_NEVERALLOW ? 1 : 0)) {
2280
while ((id = queue_remove(id_queue))) {
2281
if (strcmp(id, "self") == 0) {
2283
avrule->flags |= RULE_SELF;
2287
(&avrule->ttypes, id, &add,
2288
which == AVRULE_NEVERALLOW ? 1 : 0)) {
2294
ebitmap_init(&tclasses);
2295
while ((id = queue_remove(id_queue))) {
2296
if (!is_id_in_scope(SYM_CLASSES, id)) {
2297
yyerror2("class %s is not within scope", id);
2301
cladatum = hashtab_search(policydbp->p_classes.table, id);
2303
sprintf(errormsg, "unknown class %s used in rule", id);
2308
if (ebitmap_set_bit(&tclasses, cladatum->s.value - 1, TRUE)) {
2309
yyerror("Out of memory");
2317
ebitmap_for_each_bit(&tclasses, node, i) {
2318
if (!ebitmap_node_get_bit(node, i))
2321
(class_perm_node_t *) malloc(sizeof(class_perm_node_t));
2323
yyerror("out of memory");
2327
class_perm_node_init(cur_perms);
2328
cur_perms->class = i + 1;
2332
tail->next = cur_perms;
2336
while ((id = queue_remove(id_queue))) {
2338
ebitmap_for_each_bit(&tclasses, node, i) {
2339
if (!ebitmap_node_get_bit(node, i))
2341
cladatum = policydbp->class_val_to_struct[i];
2343
if (strcmp(id, "*") == 0) {
2344
/* set all permissions in the class */
2345
cur_perms->data = ~0U;
2349
if (strcmp(id, "~") == 0) {
2350
/* complement the set */
2351
if (which == AVRULE_DONTAUDIT)
2352
yywarn("dontaudit rule with a ~?");
2353
cur_perms->data = ~cur_perms->data;
2358
hashtab_search(cladatum->permissions.table, id);
2360
if (cladatum->comdatum) {
2362
hashtab_search(cladatum->comdatum->
2369
"permission %s is not defined for class %s",
2370
id, policydbp->p_class_val_to_name[i]);
2375
if (!is_perm_in_scope
2376
(id, policydbp->p_class_val_to_name[i])) {
2379
("permission %s of class %s is not within scope",
2381
policydbp->p_class_val_to_name[i]);
2385
cur_perms->data |= 1U << (perdatum->s.value - 1);
2388
cur_perms = cur_perms->next;
2394
ebitmap_destroy(&tclasses);
2396
avrule->perms = perms;
2404
static avrule_t *define_cond_te_avtab(int which)
2411
for (i = 0; i < 4; i++) {
2412
while ((id = queue_remove(id_queue)))
2415
return (avrule_t *) 1; /* any non-NULL value */
2418
if (define_te_avtab_helper(which, &avrule))
2424
static int define_te_avtab(int which)
2431
for (i = 0; i < 4; i++) {
2432
while ((id = queue_remove(id_queue)))
2438
if (define_te_avtab_helper(which, &avrule))
2441
/* append this avrule to the end of the current rules list */
2442
append_avrule(avrule);
2446
static int define_role_types(void)
2453
while ((id = queue_remove(id_queue)))
2458
if ((role = declare_role()) == NULL) {
2461
while ((id = queue_remove(id_queue))) {
2462
if (set_types(&role->types, id, &add, 0))
2469
static role_datum_t *merge_roles_dom(role_datum_t * r1, role_datum_t * r2)
2474
return (role_datum_t *) 1; /* any non-NULL value */
2477
new = malloc(sizeof(role_datum_t));
2479
yyerror("out of memory");
2482
memset(new, 0, sizeof(role_datum_t));
2483
new->s.value = 0; /* temporary role */
2484
if (ebitmap_or(&new->dominates, &r1->dominates, &r2->dominates)) {
2485
yyerror("out of memory");
2488
if (ebitmap_or(&new->types.types, &r1->types.types, &r2->types.types)) {
2489
yyerror("out of memory");
2493
/* free intermediate result */
2494
type_set_destroy(&r1->types);
2495
ebitmap_destroy(&r1->dominates);
2499
/* free intermediate result */
2500
yyerror("right hand role is temporary?");
2501
type_set_destroy(&r2->types);
2502
ebitmap_destroy(&r2->dominates);
2508
/* This function eliminates the ordering dependency of role dominance rule */
2509
static int dominate_role_recheck(hashtab_key_t key, hashtab_datum_t datum,
2512
role_datum_t *rdp = (role_datum_t *) arg;
2513
role_datum_t *rdatum = (role_datum_t *) datum;
2514
ebitmap_node_t *node;
2517
/* Don't bother to process against self role */
2518
if (rdatum->s.value == rdp->s.value)
2521
/* If a dominating role found */
2522
if (ebitmap_get_bit(&(rdatum->dominates), rdp->s.value - 1)) {
2524
ebitmap_init(&types);
2525
if (type_set_expand(&rdp->types, &types, policydbp, 1)) {
2526
ebitmap_destroy(&types);
2529
/* raise types and dominates from dominated role */
2530
ebitmap_for_each_bit(&rdp->dominates, node, i) {
2531
if (ebitmap_node_get_bit(node, i))
2533
(&rdatum->dominates, i, TRUE))
2536
ebitmap_for_each_bit(&types, node, i) {
2537
if (ebitmap_node_get_bit(node, i))
2539
(&rdatum->types.types, i, TRUE))
2542
ebitmap_destroy(&types);
2545
/* go through all the roles */
2548
yyerror("Out of memory");
2552
static role_datum_t *define_role_dom(role_datum_t * r)
2556
ebitmap_node_t *node;
2561
role_id = queue_remove(id_queue);
2563
return (role_datum_t *) 1; /* any non-NULL value */
2566
yywarn("Role dominance has been deprecated");
2568
role_id = queue_remove(id_queue);
2569
if (!is_id_in_scope(SYM_ROLES, role_id)) {
2570
yyerror2("role %s is not within scope", role_id);
2574
role = (role_datum_t *) hashtab_search(policydbp->p_roles.table,
2577
role = (role_datum_t *) malloc(sizeof(role_datum_t));
2579
yyerror("out of memory");
2583
memset(role, 0, sizeof(role_datum_t));
2585
declare_symbol(SYM_ROLES, (hashtab_key_t) role_id,
2586
(hashtab_datum_t) role, &role->s.value,
2590
yyerror("Out of memory!");
2594
yyerror2("duplicate declaration of role %s",
2599
yyerror("could not declare role here");
2607
assert(0); /* should never get here */
2610
if (ebitmap_set_bit(&role->dominates, role->s.value - 1, TRUE)) {
2611
yyerror("Out of memory!");
2617
ebitmap_init(&types);
2618
ebitmap_for_each_bit(&r->dominates, node, i) {
2619
if (ebitmap_node_get_bit(node, i))
2620
if (ebitmap_set_bit(&role->dominates, i, TRUE))
2623
if (type_set_expand(&r->types, &types, policydbp, 1)) {
2624
ebitmap_destroy(&types);
2627
ebitmap_for_each_bit(&types, node, i) {
2628
if (ebitmap_node_get_bit(node, i))
2630
(&role->types.types, i, TRUE))
2633
ebitmap_destroy(&types);
2635
/* free intermediate result */
2636
type_set_destroy(&r->types);
2637
ebitmap_destroy(&r->dominates);
2641
* Now go through all the roles and escalate this role's
2642
* dominates and types if a role dominates this role.
2644
hashtab_map(policydbp->p_roles.table,
2645
dominate_role_recheck, role);
2650
role_datum_destroy(role);
2654
yyerror("Out of memory");
2658
static int role_val_to_name_helper(hashtab_key_t key, hashtab_datum_t datum,
2661
struct val_to_name *v = p;
2662
role_datum_t *roldatum;
2664
roldatum = (role_datum_t *) datum;
2666
if (v->val == roldatum->s.value) {
2674
static char *role_val_to_name(unsigned int val)
2676
struct val_to_name v;
2680
rc = hashtab_map(policydbp->p_roles.table, role_val_to_name_helper, &v);
2686
static int set_roles(role_set_t * set, char *id)
2690
if (strcmp(id, "*") == 0) {
2692
yyerror("* is not allowed for role sets");
2696
if (strcmp(id, "~") == 0) {
2698
yyerror("~ is not allowed for role sets");
2701
if (!is_id_in_scope(SYM_ROLES, id)) {
2702
yyerror2("role %s is not within scope", id);
2706
r = hashtab_search(policydbp->p_roles.table, id);
2708
yyerror2("unknown role %s", id);
2713
if (ebitmap_set_bit(&set->roles, r->s.value - 1, TRUE)) {
2714
yyerror("out of memory");
2722
static int define_role_trans(void)
2728
ebitmap_t e_types, e_roles;
2729
ebitmap_node_t *tnode, *rnode;
2730
struct role_trans *tr = NULL;
2731
struct role_trans_rule *rule = NULL;
2736
while ((id = queue_remove(id_queue)))
2738
while ((id = queue_remove(id_queue)))
2740
id = queue_remove(id_queue);
2745
role_set_init(&roles);
2746
ebitmap_init(&e_roles);
2747
type_set_init(&types);
2748
ebitmap_init(&e_types);
2750
while ((id = queue_remove(id_queue))) {
2751
if (set_roles(&roles, id))
2755
while ((id = queue_remove(id_queue))) {
2756
if (set_types(&types, id, &add, 0))
2760
id = (char *)queue_remove(id_queue);
2762
yyerror("no new role in transition definition?");
2765
if (!is_id_in_scope(SYM_ROLES, id)) {
2766
yyerror2("role %s is not within scope", id);
2770
role = hashtab_search(policydbp->p_roles.table, id);
2773
"unknown role %s used in transition definition", id);
2778
/* This ebitmap business is just to ensure that there are not conflicting role_trans rules */
2779
if (role_set_expand(&roles, &e_roles, policydbp))
2782
if (type_set_expand(&types, &e_types, policydbp, 1))
2785
ebitmap_for_each_bit(&e_roles, rnode, i) {
2786
if (!ebitmap_node_get_bit(rnode, i))
2788
ebitmap_for_each_bit(&e_types, tnode, j) {
2789
if (!ebitmap_node_get_bit(tnode, j))
2792
for (tr = policydbp->role_tr; tr; tr = tr->next) {
2793
if (tr->role == (i + 1) && tr->type == (j + 1)) {
2795
"duplicate role transition for (%s,%s)",
2796
role_val_to_name(i + 1),
2798
p_type_val_to_name[j]);
2804
tr = malloc(sizeof(struct role_trans));
2806
yyerror("out of memory");
2809
memset(tr, 0, sizeof(struct role_trans));
2812
tr->new_role = role->s.value;
2813
tr->next = policydbp->role_tr;
2814
policydbp->role_tr = tr;
2817
/* Now add the real rule */
2818
rule = malloc(sizeof(struct role_trans_rule));
2820
yyerror("out of memory");
2823
memset(rule, 0, sizeof(struct role_trans_rule));
2824
rule->roles = roles;
2825
rule->types = types;
2826
rule->new_role = role->s.value;
2828
append_role_trans(rule);
2830
ebitmap_destroy(&e_roles);
2831
ebitmap_destroy(&e_types);
2839
static int define_role_allow(void)
2842
struct role_allow_rule *ra = 0;
2845
while ((id = queue_remove(id_queue)))
2847
while ((id = queue_remove(id_queue)))
2852
ra = malloc(sizeof(role_allow_rule_t));
2854
yyerror("out of memory");
2857
role_allow_rule_init(ra);
2859
while ((id = queue_remove(id_queue))) {
2860
if (set_roles(&ra->roles, id))
2864
while ((id = queue_remove(id_queue))) {
2865
if (set_roles(&ra->new_roles, id))
2869
append_role_allow(ra);
2873
static constraint_expr_t *constraint_expr_clone(constraint_expr_t * expr)
2875
constraint_expr_t *h = NULL, *l = NULL, *e, *newe;
2876
for (e = expr; e; e = e->next) {
2877
newe = malloc(sizeof(*newe));
2880
if (constraint_expr_init(newe) == -1) {
2889
newe->expr_type = e->expr_type;
2890
newe->attr = e->attr;
2892
if (newe->expr_type == CEXPR_NAMES) {
2893
if (newe->attr & CEXPR_TYPE) {
2895
(newe->type_names, e->type_names))
2898
if (ebitmap_cpy(&newe->names, &e->names))
2910
constraint_expr_destroy(l);
2915
static int define_constraint(constraint_expr_t * expr)
2917
struct constraint_node *node;
2919
class_datum_t *cladatum;
2920
perm_datum_t *perdatum;
2922
ebitmap_node_t *enode;
2923
constraint_expr_t *e;
2926
unsigned char useexpr = 1;
2929
while ((id = queue_remove(id_queue)))
2931
while ((id = queue_remove(id_queue)))
2937
for (e = expr; e; e = e->next) {
2938
switch (e->expr_type) {
2941
yyerror("illegal constraint expression");
2948
yyerror("illegal constraint expression");
2955
if (e->attr & CEXPR_XTARGET) {
2956
yyerror("illegal constraint expression");
2957
return -1; /* only for validatetrans rules */
2959
if (depth == (CEXPR_MAXDEPTH - 1)) {
2960
yyerror("constraint expression is too deep");
2966
yyerror("illegal constraint expression");
2971
yyerror("illegal constraint expression");
2975
ebitmap_init(&classmap);
2976
while ((id = queue_remove(id_queue))) {
2977
if (!is_id_in_scope(SYM_CLASSES, id)) {
2978
yyerror2("class %s is not within scope", id);
2983
(class_datum_t *) hashtab_search(policydbp->p_classes.table,
2984
(hashtab_key_t) id);
2986
sprintf(errormsg, "class %s is not defined", id);
2987
ebitmap_destroy(&classmap);
2992
if (ebitmap_set_bit(&classmap, cladatum->s.value - 1, TRUE)) {
2993
yyerror("out of memory");
2994
ebitmap_destroy(&classmap);
2998
node = malloc(sizeof(struct constraint_node));
3000
yyerror("out of memory");
3003
memset(node, 0, sizeof(constraint_node_t));
3008
node->expr = constraint_expr_clone(expr);
3011
yyerror("out of memory");
3014
node->permissions = 0;
3016
node->next = cladatum->constraints;
3017
cladatum->constraints = node;
3022
while ((id = queue_remove(id_queue))) {
3023
ebitmap_for_each_bit(&classmap, enode, i) {
3024
if (ebitmap_node_get_bit(enode, i)) {
3025
cladatum = policydbp->class_val_to_struct[i];
3026
node = cladatum->constraints;
3029
(perm_datum_t *) hashtab_search(cladatum->
3035
if (cladatum->comdatum) {
3038
hashtab_search(cladatum->
3047
"permission %s is not defined",
3051
ebitmap_destroy(&classmap);
3055
node->permissions |=
3056
(1 << (perdatum->s.value - 1));
3062
ebitmap_destroy(&classmap);
3067
static int define_validatetrans(constraint_expr_t * expr)
3069
struct constraint_node *node;
3071
class_datum_t *cladatum;
3073
constraint_expr_t *e;
3075
unsigned char useexpr = 1;
3078
while ((id = queue_remove(id_queue)))
3084
for (e = expr; e; e = e->next) {
3085
switch (e->expr_type) {
3088
yyerror("illegal validatetrans expression");
3095
yyerror("illegal validatetrans expression");
3102
if (depth == (CEXPR_MAXDEPTH - 1)) {
3103
yyerror("validatetrans expression is too deep");
3109
yyerror("illegal validatetrans expression");
3114
yyerror("illegal validatetrans expression");
3118
ebitmap_init(&classmap);
3119
while ((id = queue_remove(id_queue))) {
3120
if (!is_id_in_scope(SYM_CLASSES, id)) {
3121
yyerror2("class %s is not within scope", id);
3126
(class_datum_t *) hashtab_search(policydbp->p_classes.table,
3127
(hashtab_key_t) id);
3129
sprintf(errormsg, "class %s is not defined", id);
3130
ebitmap_destroy(&classmap);
3135
if (ebitmap_set_bit(&classmap, (cladatum->s.value - 1), TRUE)) {
3136
yyerror("out of memory");
3137
ebitmap_destroy(&classmap);
3142
node = malloc(sizeof(struct constraint_node));
3144
yyerror("out of memory");
3147
memset(node, 0, sizeof(constraint_node_t));
3152
node->expr = constraint_expr_clone(expr);
3154
node->permissions = 0;
3156
node->next = cladatum->validatetrans;
3157
cladatum->validatetrans = node;
3162
ebitmap_destroy(&classmap);
3168
define_cexpr(uint32_t expr_type, uintptr_t arg1, uintptr_t arg2)
3170
struct constraint_expr *expr, *e1 = NULL, *e2;
3179
if (expr_type == CEXPR_NAMES) {
3180
while ((id = queue_remove(id_queue)))
3183
return 1; /* any non-NULL value */
3186
if ((expr = malloc(sizeof(*expr))) == NULL ||
3187
constraint_expr_init(expr) == -1) {
3188
yyerror("out of memory");
3192
expr->expr_type = expr_type;
3194
switch (expr_type) {
3197
e2 = (struct constraint_expr *)arg1;
3202
if (!e1 || e1->next) {
3203
yyerror("illegal constraint expression");
3204
constraint_expr_destroy(expr);
3212
e2 = (struct constraint_expr *)arg1;
3217
if (!e1 || e1->next) {
3218
yyerror("illegal constraint expression");
3219
constraint_expr_destroy(expr);
3222
e1->next = (struct constraint_expr *)arg2;
3225
e2 = (struct constraint_expr *)arg2;
3230
if (!e1 || e1->next) {
3231
yyerror("illegal constraint expression");
3232
constraint_expr_destroy(expr);
3240
return (uintptr_t) expr;
3245
ebitmap_init(&negset);
3246
while ((id = (char *)queue_remove(id_queue))) {
3247
if (expr->attr & CEXPR_USER) {
3248
if (!is_id_in_scope(SYM_USERS, id)) {
3249
yyerror2("user %s is not within scope",
3251
constraint_expr_destroy(expr);
3255
(user_datum_t *) hashtab_search(policydbp->
3261
sprintf(errormsg, "unknown user %s",
3264
constraint_expr_destroy(expr);
3267
val = user->s.value;
3268
} else if (expr->attr & CEXPR_ROLE) {
3269
if (!is_id_in_scope(SYM_ROLES, id)) {
3270
yyerror2("role %s is not within scope",
3272
constraint_expr_destroy(expr);
3276
(role_datum_t *) hashtab_search(policydbp->
3282
sprintf(errormsg, "unknown role %s",
3285
constraint_expr_destroy(expr);
3288
val = role->s.value;
3289
} else if (expr->attr & CEXPR_TYPE) {
3290
if (set_types(expr->type_names, id, &add, 0)) {
3291
constraint_expr_destroy(expr);
3296
yyerror("invalid constraint expression");
3297
constraint_expr_destroy(expr);
3300
if (ebitmap_set_bit(&expr->names, val - 1, TRUE)) {
3301
yyerror("out of memory");
3302
ebitmap_destroy(&expr->names);
3303
constraint_expr_destroy(expr);
3308
ebitmap_destroy(&negset);
3309
return (uintptr_t) expr;
3311
yyerror("invalid constraint expression");
3312
constraint_expr_destroy(expr);
3316
yyerror("invalid constraint expression");
3321
static int define_conditional(cond_expr_t * expr, avrule_t * t, avrule_t * f)
3325
cond_node_t cn, *cn_old;
3327
/* expression cannot be NULL */
3329
yyerror("illegal conditional expression");
3334
/* empty is fine, destroy expression and return */
3335
cond_expr_destroy(expr);
3341
expr = define_cond_expr(COND_NOT, expr, 0);
3343
yyerror("unable to invert");
3348
/* verify expression */
3350
for (e = expr; e; e = e->next) {
3351
switch (e->expr_type) {
3355
("illegal conditional expression; Bad NOT");
3366
("illegal conditional expression; Bad binary op");
3372
if (depth == (COND_EXPR_MAXDEPTH - 1)) {
3374
("conditional expression is like totally too deep");
3380
yyerror("illegal conditional expression");
3385
yyerror("illegal conditional expression");
3389
/* use tmp conditional node to partially build new node */
3390
memset(&cn, 0, sizeof(cn));
3393
cn.avfalse_list = f;
3395
/* normalize/precompute expression */
3396
if (cond_normalize_expr(policydbp, &cn) < 0) {
3397
yyerror("problem normalizing conditional expression");
3401
/* get the existing conditional node, or create a new one */
3402
cn_old = get_current_cond_list(&cn);
3407
append_cond_list(&cn);
3409
/* note that there is no check here for duplicate rules, nor
3410
* check that rule already exists in base -- that will be
3411
* handled during conditional expansion, in expand.c */
3413
cn.avtrue_list = NULL;
3414
cn.avfalse_list = NULL;
3415
cond_node_destroy(&cn);
3420
static cond_expr_t *define_cond_expr(uint32_t expr_type, void *arg1, void *arg2)
3422
struct cond_expr *expr, *e1 = NULL, *e2;
3423
cond_bool_datum_t *bool_var;
3426
/* expressions are handled in the second pass */
3428
if (expr_type == COND_BOOL) {
3429
while ((id = queue_remove(id_queue))) {
3433
return (cond_expr_t *) 1; /* any non-NULL value */
3436
/* create a new expression struct */
3437
expr = malloc(sizeof(struct cond_expr));
3439
yyerror("out of memory");
3442
memset(expr, 0, sizeof(cond_expr_t));
3443
expr->expr_type = expr_type;
3445
/* create the type asked for */
3446
switch (expr_type) {
3449
e2 = (struct cond_expr *)arg1;
3454
if (!e1 || e1->next) {
3455
yyerror("illegal conditional NOT expression");
3460
return (struct cond_expr *)arg1;
3467
e2 = (struct cond_expr *)arg1;
3472
if (!e1 || e1->next) {
3474
("illegal left side of conditional binary op expression");
3478
e1->next = (struct cond_expr *)arg2;
3481
e2 = (struct cond_expr *)arg2;
3486
if (!e1 || e1->next) {
3488
("illegal right side of conditional binary op expression");
3493
return (struct cond_expr *)arg1;
3495
id = (char *)queue_remove(id_queue);
3497
yyerror("bad conditional; expected boolean id");
3502
if (!is_id_in_scope(SYM_BOOLS, id)) {
3503
yyerror2("boolean %s is not within scope", id);
3509
(cond_bool_datum_t *) hashtab_search(policydbp->p_bools.
3511
(hashtab_key_t) id);
3514
"unknown boolean %s in conditional expression",
3521
expr->bool = bool_var->s.value;
3525
yyerror("illegal conditional expression");
3530
static int set_user_roles(role_set_t * set, char *id)
3534
ebitmap_node_t *node;
3536
if (strcmp(id, "*") == 0) {
3538
yyerror("* is not allowed in user declarations");
3542
if (strcmp(id, "~") == 0) {
3544
yyerror("~ is not allowed in user declarations");
3548
if (!is_id_in_scope(SYM_ROLES, id)) {
3549
yyerror2("role %s is not within scope", id);
3553
r = hashtab_search(policydbp->p_roles.table, id);
3555
sprintf(errormsg, "unknown role %s", id);
3561
/* set the role and every role it dominates */
3562
ebitmap_for_each_bit(&r->dominates, node, i) {
3563
if (ebitmap_node_get_bit(node, i))
3564
if (ebitmap_set_bit(&set->roles, i, TRUE))
3570
yyerror("out of memory");
3575
parse_categories(char *id, level_datum_t * levdatum, ebitmap_t * cats)
3577
cat_datum_t *cdatum;
3578
int range_start, range_end, i;
3580
if (id_has_dot(id)) {
3581
char *id_start = id;
3582
char *id_end = strchr(id, '.');
3586
cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table,
3590
sprintf(errormsg, "unknown category %s", id_start);
3594
range_start = cdatum->s.value - 1;
3595
cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table,
3596
(hashtab_key_t) id_end);
3598
sprintf(errormsg, "unknown category %s", id_end);
3602
range_end = cdatum->s.value - 1;
3604
if (range_end < range_start) {
3605
sprintf(errormsg, "category range is invalid");
3610
cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table,
3611
(hashtab_key_t) id);
3613
sprintf(errormsg, "unknown category %s", id);
3617
range_start = range_end = cdatum->s.value - 1;
3620
for (i = range_start; i <= range_end; i++) {
3621
if (!ebitmap_get_bit(&levdatum->level->cat, i)) {
3622
uint32_t level_value = levdatum->level->sens - 1;
3623
policydb_index_others(NULL, policydbp, 0);
3624
sprintf(errormsg, "category %s can not be associated "
3626
policydbp->p_cat_val_to_name[i],
3627
policydbp->p_sens_val_to_name[level_value]);
3631
if (ebitmap_set_bit(cats, i, TRUE)) {
3632
yyerror("out of memory");
3641
parse_semantic_categories(char *id, level_datum_t * levdatum,
3642
mls_semantic_cat_t ** cats)
3644
cat_datum_t *cdatum;
3645
mls_semantic_cat_t *newcat;
3646
unsigned int range_start, range_end;
3648
if (id_has_dot(id)) {
3649
char *id_start = id;
3650
char *id_end = strchr(id, '.');
3654
cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table,
3658
sprintf(errormsg, "unknown category %s", id_start);
3662
range_start = cdatum->s.value;
3664
cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table,
3665
(hashtab_key_t) id_end);
3667
sprintf(errormsg, "unknown category %s", id_end);
3671
range_end = cdatum->s.value;
3673
cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table,
3674
(hashtab_key_t) id);
3676
sprintf(errormsg, "unknown category %s", id);
3680
range_start = range_end = cdatum->s.value;
3683
newcat = (mls_semantic_cat_t *) malloc(sizeof(mls_semantic_cat_t));
3685
yyerror("out of memory");
3689
mls_semantic_cat_init(newcat);
3690
newcat->next = *cats;
3691
newcat->low = range_start;
3692
newcat->high = range_end;
3699
static int define_user(void)
3702
user_datum_t *usrdatum;
3703
level_datum_t *levdatum;
3707
while ((id = queue_remove(id_queue)))
3710
while ((id = queue_remove(id_queue)))
3712
id = queue_remove(id_queue);
3714
for (l = 0; l < 2; l++) {
3715
while ((id = queue_remove(id_queue))) {
3718
id = queue_remove(id_queue);
3727
if ((usrdatum = declare_user()) == NULL) {
3731
while ((id = queue_remove(id_queue))) {
3732
if (set_user_roles(&usrdatum->roles, id))
3737
id = queue_remove(id_queue);
3739
yyerror("no default level specified for user");
3743
levdatum = (level_datum_t *)
3744
hashtab_search(policydbp->p_levels.table,
3745
(hashtab_key_t) id);
3747
sprintf(errormsg, "unknown sensitivity %s used in user"
3748
" level definition", id);
3755
usrdatum->dfltlevel.sens = levdatum->level->sens;
3757
while ((id = queue_remove(id_queue))) {
3758
if (parse_semantic_categories(id, levdatum,
3759
&usrdatum->dfltlevel.cat)) {
3766
id = queue_remove(id_queue);
3768
for (l = 0; l < 2; l++) {
3769
levdatum = (level_datum_t *)
3770
hashtab_search(policydbp->p_levels.table,
3771
(hashtab_key_t) id);
3774
"unknown sensitivity %s used in user range definition",
3782
usrdatum->range.level[l].sens = levdatum->level->sens;
3784
while ((id = queue_remove(id_queue))) {
3785
if (parse_semantic_categories(id, levdatum,
3786
&usrdatum->range.level[l].cat)) {
3793
id = queue_remove(id_queue);
3799
if (mls_semantic_level_cpy(&usrdatum->range.level[1],
3800
&usrdatum->range.level[0])) {
3801
yyerror("out of memory");
3809
static int parse_security_context(context_struct_t * c)
3813
type_datum_t *typdatum;
3814
user_datum_t *usrdatum;
3815
level_datum_t *levdatum;
3819
id = queue_remove(id_queue);
3820
free(id); /* user */
3821
id = queue_remove(id_queue);
3822
free(id); /* role */
3823
id = queue_remove(id_queue);
3824
free(id); /* type */
3826
id = queue_remove(id_queue);
3828
for (l = 0; l < 2; l++) {
3829
while ((id = queue_remove(id_queue))) {
3832
id = queue_remove(id_queue);
3843
/* extract the user */
3844
id = queue_remove(id_queue);
3846
yyerror("no effective user?");
3849
if (!is_id_in_scope(SYM_USERS, id)) {
3850
yyerror2("user %s is not within scope", id);
3854
usrdatum = (user_datum_t *) hashtab_search(policydbp->p_users.table,
3855
(hashtab_key_t) id);
3857
sprintf(errormsg, "user %s is not defined", id);
3862
c->user = usrdatum->s.value;
3864
/* no need to keep the user name */
3867
/* extract the role */
3868
id = (char *)queue_remove(id_queue);
3870
yyerror("no role name for sid context definition?");
3873
if (!is_id_in_scope(SYM_ROLES, id)) {
3874
yyerror2("role %s is not within scope", id);
3878
role = (role_datum_t *) hashtab_search(policydbp->p_roles.table,
3879
(hashtab_key_t) id);
3881
sprintf(errormsg, "role %s is not defined", id);
3886
c->role = role->s.value;
3888
/* no need to keep the role name */
3891
/* extract the type */
3892
id = (char *)queue_remove(id_queue);
3894
yyerror("no type name for sid context definition?");
3897
if (!is_id_in_scope(SYM_TYPES, id)) {
3898
yyerror2("type %s is not within scope", id);
3902
typdatum = (type_datum_t *) hashtab_search(policydbp->p_types.table,
3903
(hashtab_key_t) id);
3904
if (!typdatum || typdatum->flavor == TYPE_ATTRIB) {
3905
sprintf(errormsg, "type %s is not defined or is an attribute",
3911
c->type = typdatum->s.value;
3913
/* no need to keep the type name */
3917
/* extract the low sensitivity */
3918
id = (char *)queue_head(id_queue);
3920
yyerror("no sensitivity name for sid context"
3925
id = (char *)queue_remove(id_queue);
3926
for (l = 0; l < 2; l++) {
3927
levdatum = (level_datum_t *)
3928
hashtab_search(policydbp->p_levels.table,
3929
(hashtab_key_t) id);
3931
sprintf(errormsg, "Sensitivity %s is not "
3938
c->range.level[l].sens = levdatum->level->sens;
3940
/* extract low category set */
3941
while ((id = queue_remove(id_queue))) {
3942
if (parse_categories(id, levdatum,
3943
&c->range.level[l].cat)) {
3950
/* extract high sensitivity */
3951
id = (char *)queue_remove(id_queue);
3957
c->range.level[1].sens = c->range.level[0].sens;
3958
if (ebitmap_cpy(&c->range.level[1].cat,
3959
&c->range.level[0].cat)) {
3961
yyerror("out of memory");
3967
if (!policydb_context_isvalid(policydbp, c)) {
3968
yyerror("invalid security context");
3979
static int define_initial_sid_context(void)
3982
ocontext_t *c, *head;
3985
id = (char *)queue_remove(id_queue);
3987
parse_security_context(NULL);
3991
id = (char *)queue_remove(id_queue);
3993
yyerror("no sid name for SID context definition?");
3996
head = policydbp->ocontexts[OCON_ISID];
3997
for (c = head; c; c = c->next) {
3998
if (!strcmp(id, c->u.name))
4003
sprintf(errormsg, "SID %s is not defined", id);
4008
if (c->context[0].user) {
4009
sprintf(errormsg, "The context for SID %s is multiply defined",
4015
/* no need to keep the sid name */
4018
if (parse_security_context(&c->context[0]))
4024
static int define_fs_context(unsigned int major, unsigned int minor)
4026
ocontext_t *newc, *c, *head;
4029
parse_security_context(NULL);
4030
parse_security_context(NULL);
4034
newc = (ocontext_t *) malloc(sizeof(ocontext_t));
4036
yyerror("out of memory");
4039
memset(newc, 0, sizeof(ocontext_t));
4041
newc->u.name = (char *)malloc(6);
4042
if (!newc->u.name) {
4043
yyerror("out of memory");
4047
sprintf(newc->u.name, "%02x:%02x", major, minor);
4049
if (parse_security_context(&newc->context[0])) {
4054
if (parse_security_context(&newc->context[1])) {
4055
context_destroy(&newc->context[0]);
4060
head = policydbp->ocontexts[OCON_FS];
4062
for (c = head; c; c = c->next) {
4063
if (!strcmp(newc->u.name, c->u.name)) {
4064
sprintf(errormsg, "duplicate entry for file system %s",
4067
context_destroy(&newc->context[0]);
4068
context_destroy(&newc->context[1]);
4076
policydbp->ocontexts[OCON_FS] = newc;
4081
static int define_port_context(unsigned int low, unsigned int high)
4083
ocontext_t *newc, *c, *l, *head;
4084
unsigned int protocol;
4088
id = (char *)queue_remove(id_queue);
4090
parse_security_context(NULL);
4094
newc = malloc(sizeof(ocontext_t));
4096
yyerror("out of memory");
4099
memset(newc, 0, sizeof(ocontext_t));
4101
id = (char *)queue_remove(id_queue);
4106
if ((strcmp(id, "tcp") == 0) || (strcmp(id, "TCP") == 0)) {
4107
protocol = IPPROTO_TCP;
4108
} else if ((strcmp(id, "udp") == 0) || (strcmp(id, "UDP") == 0)) {
4109
protocol = IPPROTO_UDP;
4111
sprintf(errormsg, "unrecognized protocol %s", id);
4117
newc->u.port.protocol = protocol;
4118
newc->u.port.low_port = low;
4119
newc->u.port.high_port = high;
4122
sprintf(errormsg, "low port %d exceeds high port %d", low,
4129
if (parse_security_context(&newc->context[0])) {
4134
/* Preserve the matching order specified in the configuration. */
4135
head = policydbp->ocontexts[OCON_PORT];
4136
for (l = NULL, c = head; c; l = c, c = c->next) {
4137
unsigned int prot2, low2, high2;
4139
prot2 = c->u.port.protocol;
4140
low2 = c->u.port.low_port;
4141
high2 = c->u.port.high_port;
4142
if (protocol != prot2)
4144
if (low == low2 && high == high2) {
4146
"duplicate portcon entry for %s %d-%d ", id,
4150
if (low2 <= low && high2 >= high) {
4152
"portcon entry for %s %d-%d hidden by earlier entry for %d-%d",
4153
id, low, high, low2, high2);
4161
policydbp->ocontexts[OCON_PORT] = newc;
4171
static int define_netif_context(void)
4173
ocontext_t *newc, *c, *head;
4176
free(queue_remove(id_queue));
4177
parse_security_context(NULL);
4178
parse_security_context(NULL);
4182
newc = (ocontext_t *) malloc(sizeof(ocontext_t));
4184
yyerror("out of memory");
4187
memset(newc, 0, sizeof(ocontext_t));
4189
newc->u.name = (char *)queue_remove(id_queue);
4190
if (!newc->u.name) {
4194
if (parse_security_context(&newc->context[0])) {
4199
if (parse_security_context(&newc->context[1])) {
4200
context_destroy(&newc->context[0]);
4205
head = policydbp->ocontexts[OCON_NETIF];
4207
for (c = head; c; c = c->next) {
4208
if (!strcmp(newc->u.name, c->u.name)) {
4210
"duplicate entry for network interface %s",
4213
context_destroy(&newc->context[0]);
4214
context_destroy(&newc->context[1]);
4222
policydbp->ocontexts[OCON_NETIF] = newc;
4226
static int define_ipv4_node_context()
4230
struct in_addr addr, mask;
4231
ocontext_t *newc, *c, *l, *head;
4234
free(queue_remove(id_queue));
4235
free(queue_remove(id_queue));
4236
parse_security_context(NULL);
4240
id = queue_remove(id_queue);
4242
yyerror("failed to read ipv4 address");
4247
rc = inet_pton(AF_INET, id, &addr);
4250
yyerror("failed to parse ipv4 address");
4256
id = queue_remove(id_queue);
4258
yyerror("failed to read ipv4 address");
4263
rc = inet_pton(AF_INET, id, &mask);
4266
yyerror("failed to parse ipv4 mask");
4272
newc = malloc(sizeof(ocontext_t));
4274
yyerror("out of memory");
4279
memset(newc, 0, sizeof(ocontext_t));
4280
newc->u.node.addr = addr.s_addr;
4281
newc->u.node.mask = mask.s_addr;
4283
if (parse_security_context(&newc->context[0])) {
4288
/* Create order of most specific to least retaining
4289
the order specified in the configuration. */
4290
head = policydbp->ocontexts[OCON_NODE];
4291
for (l = NULL, c = head; c; l = c, c = c->next) {
4292
if (newc->u.node.mask > c->u.node.mask)
4301
policydbp->ocontexts[OCON_NODE] = newc;
4307
static int define_ipv6_node_context(void)
4311
struct in6_addr addr, mask;
4312
ocontext_t *newc, *c, *l, *head;
4315
free(queue_remove(id_queue));
4316
free(queue_remove(id_queue));
4317
parse_security_context(NULL);
4321
id = queue_remove(id_queue);
4323
yyerror("failed to read ipv6 address");
4328
rc = inet_pton(AF_INET6, id, &addr);
4331
yyerror("failed to parse ipv6 address");
4337
id = queue_remove(id_queue);
4339
yyerror("failed to read ipv6 address");
4344
rc = inet_pton(AF_INET6, id, &mask);
4347
yyerror("failed to parse ipv6 mask");
4353
newc = malloc(sizeof(ocontext_t));
4355
yyerror("out of memory");
4360
memset(newc, 0, sizeof(ocontext_t));
4361
memcpy(&newc->u.node6.addr[0], &addr.s6_addr32[0], 16);
4362
memcpy(&newc->u.node6.mask[0], &mask.s6_addr32[0], 16);
4364
if (parse_security_context(&newc->context[0])) {
4370
/* Create order of most specific to least retaining
4371
the order specified in the configuration. */
4372
head = policydbp->ocontexts[OCON_NODE6];
4373
for (l = NULL, c = head; c; l = c, c = c->next) {
4374
if (memcmp(&newc->u.node6.mask, &c->u.node6.mask, 16) > 0)
4383
policydbp->ocontexts[OCON_NODE6] = newc;
4390
static int define_fs_use(int behavior)
4392
ocontext_t *newc, *c, *head;
4395
free(queue_remove(id_queue));
4396
parse_security_context(NULL);
4400
newc = (ocontext_t *) malloc(sizeof(ocontext_t));
4402
yyerror("out of memory");
4405
memset(newc, 0, sizeof(ocontext_t));
4407
newc->u.name = (char *)queue_remove(id_queue);
4408
if (!newc->u.name) {
4412
newc->v.behavior = behavior;
4413
if (parse_security_context(&newc->context[0])) {
4419
head = policydbp->ocontexts[OCON_FSUSE];
4421
for (c = head; c; c = c->next) {
4422
if (!strcmp(newc->u.name, c->u.name)) {
4424
"duplicate fs_use entry for filesystem type %s",
4427
context_destroy(&newc->context[0]);
4435
policydbp->ocontexts[OCON_FSUSE] = newc;
4439
static int define_genfs_context_helper(char *fstype, int has_type)
4441
struct genfs *genfs_p, *genfs, *newgenfs;
4442
ocontext_t *newc, *c, *head, *p;
4448
free(queue_remove(id_queue));
4450
free(queue_remove(id_queue));
4451
parse_security_context(NULL);
4455
for (genfs_p = NULL, genfs = policydbp->genfs;
4456
genfs; genfs_p = genfs, genfs = genfs->next) {
4457
if (strcmp(fstype, genfs->fstype) <= 0)
4461
if (!genfs || strcmp(fstype, genfs->fstype)) {
4462
newgenfs = malloc(sizeof(struct genfs));
4464
yyerror("out of memory");
4467
memset(newgenfs, 0, sizeof(struct genfs));
4468
newgenfs->fstype = fstype;
4469
newgenfs->next = genfs;
4471
genfs_p->next = newgenfs;
4473
policydbp->genfs = newgenfs;
4477
newc = (ocontext_t *) malloc(sizeof(ocontext_t));
4479
yyerror("out of memory");
4482
memset(newc, 0, sizeof(ocontext_t));
4484
newc->u.name = (char *)queue_remove(id_queue);
4488
type = (char *)queue_remove(id_queue);
4492
sprintf(errormsg, "invalid type %s", type);
4498
newc->v.sclass = SECCLASS_BLK_FILE;
4501
newc->v.sclass = SECCLASS_CHR_FILE;
4504
newc->v.sclass = SECCLASS_DIR;
4507
newc->v.sclass = SECCLASS_FIFO_FILE;
4510
newc->v.sclass = SECCLASS_LNK_FILE;
4513
newc->v.sclass = SECCLASS_SOCK_FILE;
4516
newc->v.sclass = SECCLASS_FILE;
4519
sprintf(errormsg, "invalid type %s", type);
4524
if (parse_security_context(&newc->context[0]))
4529
for (p = NULL, c = head; c; p = c, c = c->next) {
4530
if (!strcmp(newc->u.name, c->u.name) &&
4531
(!newc->v.sclass || !c->v.sclass
4532
|| newc->v.sclass == c->v.sclass)) {
4534
"duplicate entry for genfs entry (%s, %s)",
4535
fstype, newc->u.name);
4539
len = strlen(newc->u.name);
4540
len2 = strlen(c->u.name);
4554
context_destroy(&newc->context[0]);
4563
static int define_genfs_context(int has_type)
4565
return define_genfs_context_helper(queue_remove(id_queue), has_type);
4568
static int define_range_trans(int class_specified)
4571
level_datum_t *levdatum = 0;
4572
class_datum_t *cladatum;
4573
range_trans_rule_t *rule;
4577
yyerror("range_transition rule in non-MLS configuration");
4582
while ((id = queue_remove(id_queue)))
4584
while ((id = queue_remove(id_queue)))
4586
if (class_specified)
4587
while ((id = queue_remove(id_queue)))
4589
id = queue_remove(id_queue);
4591
for (l = 0; l < 2; l++) {
4592
while ((id = queue_remove(id_queue))) {
4595
id = queue_remove(id_queue);
4603
rule = malloc(sizeof(struct range_trans_rule));
4605
yyerror("out of memory");
4608
range_trans_rule_init(rule);
4610
while ((id = queue_remove(id_queue))) {
4611
if (set_types(&rule->stypes, id, &add, 0))
4615
while ((id = queue_remove(id_queue))) {
4616
if (set_types(&rule->ttypes, id, &add, 0))
4620
if (class_specified) {
4621
while ((id = queue_remove(id_queue))) {
4622
if (!is_id_in_scope(SYM_CLASSES, id)) {
4623
yyerror2("class %s is not within scope", id);
4627
cladatum = hashtab_search(policydbp->p_classes.table,
4630
sprintf(errormsg, "unknown class %s", id);
4635
ebitmap_set_bit(&rule->tclasses, cladatum->s.value - 1,
4640
cladatum = hashtab_search(policydbp->p_classes.table,
4643
sprintf(errormsg, "could not find process class for "
4644
"legacy range_transition statement\n");
4649
ebitmap_set_bit(&rule->tclasses, cladatum->s.value - 1, TRUE);
4652
id = (char *)queue_remove(id_queue);
4654
yyerror("no range in range_transition definition?");
4657
for (l = 0; l < 2; l++) {
4658
levdatum = hashtab_search(policydbp->p_levels.table, id);
4661
"unknown level %s used in range_transition "
4669
rule->trange.level[l].sens = levdatum->level->sens;
4671
while ((id = queue_remove(id_queue))) {
4672
if (parse_semantic_categories(id, levdatum,
4673
&rule->trange.level[l].cat)) {
4680
id = (char *)queue_remove(id_queue);
4685
if (mls_semantic_level_cpy(&rule->trange.level[1],
4686
&rule->trange.level[0])) {
4687
yyerror("out of memory");
4692
append_range_trans(rule);
4696
range_trans_rule_destroy(rule);