47
47
#include <sepol/policydb/conditional.h>
48
48
#include <sepol/policydb/flask.h>
49
49
#include <sepol/policydb/hierarchy.h>
50
#include <sepol/policydb/polcaps.h>
51
52
#include "checkpolicy.h"
52
53
#include "module_compiler.h"
121
123
static int define_fs_context(unsigned int major, unsigned int minor);
122
124
static int define_port_context(unsigned int low, unsigned int high);
123
125
static int define_netif_context(void);
124
static int define_ipv4_node_context(unsigned int addr, unsigned int mask);
126
static int define_ipv4_node_context(void);
125
127
static int define_ipv6_node_context(void);
128
static int define_polcap(void);
127
130
typedef int (* require_func_t)();
653
659
| node_contexts node_context_def
655
661
node_context_def : NODECON ipv4_addr_def ipv4_addr_def security_context_def
656
{if (define_ipv4_node_context($2,$3)) return -1;}
662
{if (define_ipv4_node_context()) return -1;}
657
663
| NODECON ipv6_addr ipv6_addr security_context_def
658
664
{if (define_ipv6_node_context()) return -1;}
683
689
| GENFSCON identifier path security_context_def
684
690
{if (define_genfs_context(0)) return -1;}
686
ipv4_addr_def : number '.' number '.' number '.' number
689
unsigned char *p = ((unsigned char *)&addr);
692
ipv4_addr_def : IPV4_ADDR
693
{ if (insert_id(yytext,0)) return -1; }
698
695
security_context_def : identifier ':' identifier ':' identifier opt_mls_range_def
700
697
opt_mls_range_def : ':' mls_range_def
772
769
ipv6_addr : IPV6_ADDR
773
770
{ if (insert_id(yytext,0)) return -1; }
772
policycap_def : POLICYCAP identifier ';'
773
{if (define_polcap()) return -1;}
776
776
/*********** module grammar below ***********/
972
static int define_polcap(void)
978
id = queue_remove(id_queue);
983
id = (char *)queue_remove(id_queue);
985
yyerror("no capability name for policycap definition?");
989
/* Check for valid cap name -> number mapping */
990
capnum = sepol_polcap_getnum(id);
992
yyerror2("invalid policy capability name %s", id);
997
if (ebitmap_set_bit(&policydbp->policycaps, capnum, TRUE)) {
998
yyerror("out of memory");
972
1010
static int define_initial_sid(void)
2525
2563
return (role_datum_t *) 1; /* any non-NULL value */
2566
yywarn("Role dominance has been deprecated");
2528
2568
role_id = queue_remove(id_queue);
2529
2569
if (!is_id_in_scope(SYM_ROLES, role_id)) {
2530
2570
yyerror2("role %s is not within scope", role_id);
4186
static int define_ipv4_node_context(unsigned int addr, unsigned int mask)
4226
static int define_ipv4_node_context()
4230
struct in_addr addr, mask;
4188
4231
ocontext_t *newc, *c, *l, *head;
4190
4233
if (pass == 1) {
4234
free(queue_remove(id_queue));
4235
free(queue_remove(id_queue));
4191
4236
parse_security_context(NULL);
4193
free(queue_remove(id_queue));
4240
id = queue_remove(id_queue);
4242
yyerror("failed to read ipv4 address");
4247
rc = inet_pton(AF_INET, id, &addr);
4250
yyerror("failed to parse ipv4 address");
4256
id = queue_remove(id_queue);
4258
yyerror("failed to read ipv4 address");
4263
rc = inet_pton(AF_INET, id, &mask);
4266
yyerror("failed to parse ipv4 mask");
4197
4272
newc = malloc(sizeof(ocontext_t));
4199
4274
yyerror("out of memory");
4202
4279
memset(newc, 0, sizeof(ocontext_t));
4204
newc->u.node.addr = addr;
4205
newc->u.node.mask = mask;
4280
newc->u.node.addr = addr.s_addr;
4281
newc->u.node.mask = mask.s_addr;
4207
4283
if (parse_security_context(&newc->context[0])) {