Re: [PATCH 1/2] sepolgen: Update refparser to handle xperm

Christian Göttsche <cgzones@xxxxxxxxxxxxxx> · Fri, 9 Dec 2022 20:20:16 +0100

On Mon, 1 Aug 2022 at 03:57, <chris.lindee@xxxxxxxxx> wrote:
>
> From: Chris Lindee <chris.lindee+github@xxxxxxxxx>
>
> Extend the grammar to support `allowxperm`, et. al. directives, which
> were added in policy version 30 to give more granular control.  This
> commit adds basic support for the syntax, copying heavily from the
> grammar for `allowperm`, et. al.

Looks good to me; two comments inline.

> Signed-off-by: Chris Lindee <chris.lindee+github@xxxxxxxxx>
> ---
>  python/sepolgen/src/sepolgen/refparser.py | 80 +++++++++++++++++++++++
>  1 file changed, 80 insertions(+)
>
> diff --git a/python/sepolgen/src/sepolgen/refparser.py b/python/sepolgen/src/sepolgen/refparser.py
> index e611637f..1d801f41 100644
> --- a/python/sepolgen/src/sepolgen/refparser.py
> +++ b/python/sepolgen/src/sepolgen/refparser.py
> @@ -67,6 +67,7 @@ tokens = (
>      'FILENAME',
>      'IDENTIFIER',
>      'NUMBER',
> +    'XNUMBER',
>      'PATH',
>      'IPV6_ADDR',
>      # reserved words
> @@ -112,6 +113,10 @@ tokens = (
>      'DONTAUDIT',
>      'AUDITALLOW',
>      'NEVERALLOW',
> +    'ALLOWXPERM',
> +    'DONTAUDITXPERM',
> +    'AUDITALLOWXPERM',
> +    'NEVERALLOWXPERM',
>      'PERMISSIVE',
>      'TYPEBOUNDS',
>      'TYPE_TRANSITION',
> @@ -179,6 +184,10 @@ reserved = {
>      'dontaudit' : 'DONTAUDIT',
>      'auditallow' : 'AUDITALLOW',
>      'neverallow' : 'NEVERALLOW',
> +    'allowxperm' : 'ALLOWXPERM',
> +    'dontauditxperm' : 'DONTAUDITXPERM',
> +    'auditallowxperm' : 'AUDITALLOWXPERM',
> +    'neverallowxperm' : 'NEVERALLOWXPERM',
>      'permissive' : 'PERMISSIVE',
>      'typebounds' : 'TYPEBOUNDS',
>      'type_transition' : 'TYPE_TRANSITION',
> @@ -231,6 +240,12 @@ t_PATH      = r'/[a-zA-Z0-9)_\.\*/\$]*'
>  t_ignore    = " \t"
>
>  # More complex tokens
> +def t_XNUMBER(t):
> +    r'0x[0-9A-Fa-f]+'
> +    # Turn hexadecimal into integer
> +    t.value = int(t.value, 16)
> +    return t
> +
>  def t_IPV6_ADDR(t):
>      r'[a-fA-F0-9]{0,4}:[a-fA-F0-9]{0,4}:([a-fA-F0-9]|:)*'
>      # This is a function simply to force it sooner into
> @@ -505,6 +520,7 @@ def p_policy(p):
>  def p_policy_stmt(p):
>      '''policy_stmt : gen_require
>                     | avrule_def
> +                   | avextrule_def
>                     | typerule_def
>                     | typebound_def
>                     | typeattribute_def
> @@ -810,6 +826,26 @@ def p_avrule_def(p):
>      a.perms = p[6]
>      p[0] = a
>
> +def p_avextrule_def(p):
> +    '''avextrule_def : ALLOWXPERM names names COLON names identifier xperm_set SEMI
> +                     | DONTAUDITXPERM names names COLON names identifier xperm_set SEMI
> +                     | AUDITALLOWXPERM names names COLON names identifier xperm_set SEMI
> +                     | NEVERALLOWXPERM names names COLON names identifier xperm_set SEMI
> +    '''
> +    a = refpolicy.AVExtRule()
> +    if p[1] == 'dontauditxperm':
> +        a.rule_type = refpolicy.AVExtRule.DONTAUDITXPERM
> +    elif p[1] == 'auditallowxperm':
> +        a.rule_type = refpolicy.AVExtRule.AUDITALLOWXPERM
> +    elif p[1] == 'neverallowxperm':
> +        a.rule_type = refpolicy.AVExtRule.NEVERALLOWXPERM
> +    a.src_types = p[2]
> +    a.tgt_types = p[3]
> +    a.obj_classes = p[5]
> +    a.operation = p[6]
> +    a.xperms = p[7]
> +    p[0] = a
> +
>  def p_typerule_def(p):
>      '''typerule_def : TYPE_TRANSITION names names COLON names IDENTIFIER SEMI
>                      | TYPE_TRANSITION names names COLON names IDENTIFIER FILENAME SEMI
> @@ -987,6 +1023,50 @@ def p_optional_semi(p):
>                     | empty'''
>      pass
>
> +def p_xperm_set(p):
> +    '''xperm_set : nested_xperm_set
> +                 | TILDE nested_xperm_set
> +                 | xperm_set_base
> +                 | TILDE xperm_set_base

maybe include IDENTIFER as option to accept

    allowxperm $1 $2:$3 ioctl $4;

> +    '''
> +    p[0] = p[-1]
> +    if len(p) == 3:
> +        p[0].compliment = True
> +
> +def p_nested_xperm_set(p):
> +    '''nested_xperm_set : OBRACE nested_xperm_list CBRACE
> +    '''
> +    p[0] = p[2]
> +
> +def p_nested_xperm_list(p):
> +    '''nested_xperm_list : nested_xperm_element
> +                         | nested_xperm_list nested_xperm_element
> +    '''
> +    p[0] = p[1]
> +    if len(p) == 3:
> +        p[0].extend(p[2])
> +
> +def p_nested_xperm_element(p):
> +    '''nested_xperm_element : xperm_set_base
> +                            | nested_xperm_set
> +    '''
> +    p[0] = p[1]
> +
> +def p_xperm_set_base(p):
> +    '''xperm_set_base : xperm_number
> +                      | xperm_number MINUS xperm_number
> +    '''
> +    p[0] = refpolicy.XpermSet()
> +    if len(p) == 2:
> +        p[0].add(p[1])
> +    else:
> +        p[0].add(p[1], p[3])

Single numbers might also be enclosed in braces, so maybe add an option

    OBRACE xperm_number CBRACE

and parsing it via

    elif p[1] == '{':
        p[0].add(p[2])

> +
> +def p_xperm_number(p):
> +    '''xperm_number : NUMBER
> +                    | XNUMBER
> +    '''
> +    p[0] = int(p[1])
>
>  #
>  # Interface to the parser
> --
> 2.37.1
>