-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This patch looks good to me. acked. It is working fine with building the latest SELinux policy for Fedora. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk5D4q8ACgkQrlYvE4MpobOaJQCfRVfVQFOA/8m0LyK4TX0v9oYx 7EoAoNVGJLef3kRCSe8gdAXlDxtUxDUs =dvbz -----END PGP SIGNATURE-----
>From 42d4446d67487f0b07213beaa661d20fc8b6e3f4 Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@xxxxxxxxxx>
Date: Tue, 12 Apr 2011 09:54:46 -0400
Subject: [PATCH 01/96] checkpolicy: Redo filename/filesystem syntax to support filename trans rules

In order to support filenames, which might start with "." or filesystems that start with a number we need to rework the matching rules a little bit. Since the new filename rule is so permissive it must be moved to the bottom of the matching list to not cover other definitions.

Signed-of-by: Eric Paris <eparis@xxxxxxxxxx>
---
 checkpolicy/policy_parse.y | 28 +++++++++++++++-------------
 checkpolicy/policy_scan.l | 7 +++++--
 2 files changed, 20 insertions(+), 15 deletions(-)

diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y
index 6567369..f6cc6ae 100644
--- a/checkpolicy/policy_parse.y
+++ b/checkpolicy/policy_parse.y
@@ -386,7 +386,6 @@ cond_dontaudit_def : DONTAUDIT names names ':' names names ';'
 { $$ = define_cond_te_avtab(AVRULE_DONTAUDIT);
 if ($$ == COND_ERR) return -1; }
 ;
- ;
 transition_def : TYPE_TRANSITION names names ':' names identifier filename ';'
 {if (define_filename_trans()) return -1; }
 | TYPE_TRANSITION names names ':' names identifier ';'
@@ -658,7 +657,7 @@ opt_fs_uses : fs_uses
 fs_uses : fs_use_def
 | fs_uses fs_use_def
 ;
-fs_use_def : FSUSEXATTR filesystem security_context_def ';'
+fs_use_def : FSUSEXATTR filename security_context_def ';'
 {if (define_fs_use(SECURITY_FS_USE_XATTR)) return -1;}
 | FSUSETASK identifier security_context_def ';'
 {if (define_fs_use(SECURITY_FS_USE_TASK)) return -1;}
@@ -671,11 +670,11 @@ opt_genfs_contexts : genfs_contexts
 genfs_contexts : genfs_context_def
 | genfs_contexts genfs_context_def
 ;
-genfs_context_def : GENFSCON filesystem path '-' identifier security_context_def
+genfs_context_def : GENFSCON filename path '-' identifier security_context_def
 {if (define_genfs_context(1)) return -1;}
- | GENFSCON filesystem path '-' '-' {insert_id("-", 0);} security_context_def
+ | GENFSCON filename path '-' '-' {insert_id("-", 0);} security_context_def
 {if (define_genfs_context(1)) return -1;}
- | GENFSCON filesystem path security_context_def
+ | GENFSCON filename path security_context_def
 {if (define_genfs_context(0)) return -1;}
 ;
 ipv4_addr_def : IPV4_ADDR
@@ -749,17 +748,20 @@ nested_id_element : identifier | '-' { if (insert_id("-", 0)) return -1; }
 identifier : IDENTIFIER
 { if (insert_id(yytext,0)) return -1; }
 ;
-filesystem : FILESYSTEM
- { if (insert_id(yytext,0)) return -1; }
- | IDENTIFIER
- { if (insert_id(yytext,0)) return -1; }
- ;
 path : PATH
 { if (insert_id(yytext,0)) return -1; }
 ;
-filename : FILENAME
- { yytext[strlen(yytext) - 1] = '\0'; if (insert_id(yytext + 1,0)) return -1; }
- ;
+filename : FILENAME
+ { if (insert_id(yytext,0)) return -1; }
+ | NUMBER
+ { if (insert_id(yytext,0)) return -1; }
+ | IPV4_ADDR
+ { if (insert_id(yytext,0)) return -1; }
+ | VERSION_IDENTIFIER
+ { if (insert_id(yytext,0)) return -1; }
+ | IDENTIFIER
+ { if (insert_id(yytext,0)) return -1; }
+ ;
 number : NUMBER
 { $$ = strtoul(yytext,NULL,0); }
 ;
diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
index 8abc4d9..ed27bbe 100644
--- a/checkpolicy/policy_scan.l
+++ b/checkpolicy/policy_scan.l
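Review bot: The new `filename : FILENAME` action inserts `yytext` as-is, while the removed action stripped the surrounding quotes (`yytext[strlen(yytext) - 1] = '\0'; if (insert_id(yytext + 1,0)) return -1;`); the scanner still returns FILENAME for the quoted form `\"...\"`, so a quoted name now reaches `insert_id` with both `"` characters included unless `define_filename_trans` or the fs_use/genfscon code strips them, which is not visible in this diff. If the quotes are meant to become part of the stored name that deserves a comment on the rule; otherwise keep the stripping for the FILENAME alternative only, e.g. `{ if (yytext[0] == '"') { yytext[strlen(yytext) - 1] = '\0'; if (insert_id(yytext + 1,0)) return -1; } else if (insert_id(yytext,0)) return -1; }`. Because `fs_use_def` and `genfs_context_def` in the earlier hunks now also go through this nonterminal, whatever is decided applies to filesystem names as well.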
@@ -220,13 +220,16 @@ POLICYCAP { return(POLICYCAP); }
 permissive |
 PERMISSIVE { return(PERMISSIVE); }
 "/"({alnum}|[_\.\-/])* { return(PATH); }
-\"({alnum}|[_\.\-])+\" { return(FILENAME); }
 {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); }
-{alnum}*{letter}{alnum}* { return(FILESYSTEM); }
 {digit}+|0x{hexval}+ { return(NUMBER); }
 {digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); }
 {hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); }
 {digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); }
+\"({alnum}|[_\.\-])+\" { return(FILENAME); }
+{alnum}* { return(FILENAME); }
+\.({alnum}|[_\.\-])* { return(FILENAME); }
+{letter}+([-_\.]|{alnum})+ { return(FILENAME); }
+([_\.]){alnum}+ { return(FILENAME); }
 #line[ ]1[ ]\"[^\n]*\" { set_source_file(yytext+9); }
 #line[ ]{digit}+ { source_lineno = atoi(yytext+6)-1; }
 #[^\n]* { /* delete comments */ }
-- 
1.7.6
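Review bot: The added `{alnum}*` rule can match the empty string; every non-empty token it accepts is also accepted by `{alnum}+`, so `{alnum}+ { return(FILENAME); }` expresses the intent without a zero-length pattern. The five new FILENAME rules overlap the IDENTIFIER, NUMBER, IPV4_ADDR and VERSION_IDENTIFIER rules above them and only yield to those because flex takes the longest match and, on equal length, the earliest rule, as the commit message says; that ordering dependency is not recorded in the file, so a comment above the block such as `/* FILENAME rules must stay last: they overlap the rules above and rely on losing the equal-length tie-break */` would protect it from a later reorder. With the FILESYSTEM rule removed, a token such as a digit followed by letters now lexes as FILENAME instead, which is presumably the intended effect of the `filename` rework but is worth covering in the policy test-suite.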
Attachment:
0001-checkpolicy-Redo-filename-filesystem-syntax-to-suppo.patch.sig
Description: PGP signature