On Wed, 2007-10-31 at 15:43 -0400, James Carter wrote: > This is a patch to remove the use of REJECT and trailing context in the > lex rules. To help accomplish this, it also makes ipv4 address > processing like ipv6 address processing. > > It improves policy compile times on my laptop from ~95sec to ~85sec. > > REJECT was used to reject an identifier if it had two consecutive "."s > or one at the end. The new rule should prevent both of these conditions > without the use of REJECT and the is_valid_identifier function. > > Trailing context was used in the rule to identify the module version. > Without the trailing context, the rule would match ipv4 addresses. A > rule for ipv4 addresses was added to eliminate the need for the use of > trailing context and to allow ipv4 addresses to be handled in a manner > similar to ipv6 addresses. > > Finally, the alnum character class was defined and some minor cleanup > was done. > > I am, by the way, surprised by the rule to match the module version. > It is "[0-9]+(\.[A-Za-z0-9_.]*)?" when I would have expected something > like "[0-9]+(\.[0-9]+){0,2}". I assumed that there is a reason why it > is like this and left it alone. > > > Signed off by: James Carter <jwcart2@xxxxxxxxxxxxx> Thanks, merged. > --- > > policy_parse.y | 79 > ++++++++++++++++++++++++++++++++++++++------------------- > policy_scan.l | 34 +++++------------------- > 2 files changed, 62 insertions(+), 51 deletions(-) > > > Index: checkpolicy/policy_scan.l > =================================================================== > --- checkpolicy/policy_scan.l (revision 2662) > +++ checkpolicy/policy_scan.l (working copy) > @@ -31,7 +31,6 @@ > static char linebuf[2][255]; > static unsigned int lno = 0; > int yywarn(char *msg); > -static int is_valid_identifier(char *id); > > char source_file[255]; > unsigned long source_lineno = 1; > @@ -46,8 +45,8 @@ > %array > letter [A-Za-z] > digit [0-9] > +alnum [a-zA-Z0-9] > hexval [0-9A-Fa-f] > -version [0-9]+(\.[A-Za-z0-9_.]*)? > > %% > \n.* { strncpy(linebuf[lno], yytext+1, 255); > @@ -199,17 +198,14 @@ > H1 { return(H1); } > h2 | > H2 { return(H2); } > -"/"({letter}|{digit}|_|"."|"-"|"/")* { return(PATH); } > -{letter}({letter}|{digit}|_|"."|"-")* { if (is_valid_identifier(yytext)) > - return(IDENTIFIER); > - else > - REJECT; > - } > -{digit}{digit}* { return(NUMBER); } > -{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":"|".")* { return(IPV6_ADDR); } > -{version}/([ \t\f]*;) { return(VERSION_IDENTIFIER); } > +"/"({alnum}|[_.-/])* { return(PATH); } > +{letter}({alnum}|[_-])*([.]?({alnum}|[_-]))* { return(IDENTIFIER); } > +{digit}+ { return(NUMBER); } > +{digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); } > +{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); } > +{digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); } > #line[ ]1[ ]\"[^\n]*\" { source_lineno = 1; strncpy(source_file, yytext+9, 255); source_file[strlen(source_file)-1] = '\0'; } > -#line[ ]{digit}{digit}* { source_lineno = atoi(yytext+6)-1; } > +#line[ ]{digit}+ { source_lineno = atoi(yytext+6)-1; } > #[^\n]* { /* delete comments */ } > [ \t\f]+ { /* delete whitespace */ } > "==" { return(EQUALS); } > @@ -263,17 +259,3 @@ > linebuf[0], linebuf[1]); > return 0; > } > - > -static int is_valid_identifier(char *id) { > - if ((strrchr(id, '.')) != NULL) { > - if (strstr(id, "..") != NULL) { > - /* identifier has consecutive '.' */ > - return 0; > - } > - if (id[strlen(id) - 1] == '.') { > - /* identifier ends in '.' */ > - return 0; > - } > - } > - return 1; > -} > Index: checkpolicy/policy_parse.y > =================================================================== > --- checkpolicy/policy_parse.y (revision 2662) > +++ checkpolicy/policy_parse.y (working copy) > @@ -122,7 +122,7 @@ > static int define_fs_context(unsigned int major, unsigned int minor); > static int define_port_context(unsigned int low, unsigned int high); > static int define_netif_context(void); > -static int define_ipv4_node_context(unsigned int addr, unsigned int mask); > +static int define_ipv4_node_context(void); > static int define_ipv6_node_context(void); > > typedef int (* require_func_t)(); > @@ -195,6 +195,7 @@ > %token NUMBER > %token EQUALS > %token NOTEQUAL > +%token IPV4_ADDR > %token IPV6_ADDR > %token MODULE VERSION_IDENTIFIER REQUIRE OPTIONAL > > @@ -654,7 +655,7 @@ > | node_contexts node_context_def > ; > node_context_def : NODECON ipv4_addr_def ipv4_addr_def security_context_def > - {if (define_ipv4_node_context($2,$3)) return -1;} > + {if (define_ipv4_node_context()) return -1;} > | NODECON ipv6_addr ipv6_addr security_context_def > {if (define_ipv6_node_context()) return -1;} > ; > @@ -684,18 +685,9 @@ > | GENFSCON identifier path security_context_def > {if (define_genfs_context(0)) return -1;} > ; > -ipv4_addr_def : number '.' number '.' number '.' number > - { > - unsigned int addr; > - unsigned char *p = ((unsigned char *)&addr); > - > - p[0] = $1 & 0xff; > - p[1] = $3 & 0xff; > - p[2] = $5 & 0xff; > - p[3] = $7 & 0xff; > - $$ = addr; > - } > - ; > +ipv4_addr_def : IPV4_ADDR > + { if (insert_id(yytext,0)) return -1; } > + ; > security_context_def : identifier ':' identifier ':' identifier opt_mls_range_def > ; > opt_mls_range_def : ':' mls_range_def > @@ -4184,27 +4176,63 @@ > return 0; > } > > -static int define_ipv4_node_context(unsigned int addr, unsigned int mask) > -{ > +static int define_ipv4_node_context() > +{ > + char *id; > + int rc = 0; > + struct in_addr addr, mask; > ocontext_t *newc, *c, *l, *head; > > if (pass == 1) { > + free(queue_remove(id_queue)); > + free(queue_remove(id_queue)); > parse_security_context(NULL); > - if (mlspol) > - free(queue_remove(id_queue)); > - return 0; > + goto out; > } > > + id = queue_remove(id_queue); > + if (!id) { > + yyerror("failed to read ipv4 address"); > + rc = -1; > + goto out; > + } > + > + rc = inet_pton(AF_INET, id, &addr); > + free(id); > + if (rc < 1) { > + yyerror("failed to parse ipv4 address"); > + if (rc == 0) > + rc = -1; > + goto out; > + } > + > + id = queue_remove(id_queue); > + if (!id) { > + yyerror("failed to read ipv4 address"); > + rc = -1; > + goto out; > + } > + > + rc = inet_pton(AF_INET, id, &mask); > + free(id); > + if (rc < 1) { > + yyerror("failed to parse ipv4 mask"); > + if (rc == 0) > + rc = -1; > + goto out; > + } > + > newc = malloc(sizeof(ocontext_t)); > if (!newc) { > yyerror("out of memory"); > - return -1; > + rc = -1; > + goto out; > } > + > memset(newc, 0, sizeof(ocontext_t)); > + newc->u.node.addr = addr.s_addr; > + newc->u.node.mask = mask.s_addr; > > - newc->u.node.addr = addr; > - newc->u.node.mask = mask; > - > if (parse_security_context(&newc->context[0])) { > free(newc); > return -1; > @@ -4224,8 +4252,9 @@ > l->next = newc; > else > policydbp->ocontexts[OCON_NODE] = newc; > - > - return 0; > + rc = 0; > +out: > + return rc; > } > > static int define_ipv6_node_context(void) > -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.