From: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
Support network interface names containing wildcards.
Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
---
checkpolicy/policy_parse.y | 8 +++++++-
checkpolicy/policy_scan.l | 1 +
checkpolicy/tests/policy_allonce.conf | 1 +
checkpolicy/tests/policy_allonce.expected.conf | 1 +
checkpolicy/tests/policy_allonce.expected_opt.conf | 1 +
5 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y
index 7e117222..f9181eaf 100644
--- a/checkpolicy/policy_parse.y
+++ b/checkpolicy/policy_parse.y
@@ -153,6 +153,7 @@ typedef int (* require_func_t)(int pass);
%token POLICYCAP
%token PERMISSIVE
%token FILESYSTEM
+%token NETIFNAME
%token DEFAULT_USER DEFAULT_ROLE DEFAULT_TYPE DEFAULT_RANGE
%token LOW_HIGH LOW HIGH GLBLUB
%token INVALID_CHAR
@@ -748,7 +749,7 @@ opt_netif_contexts : netif_contexts
netif_contexts : netif_context_def
| netif_contexts netif_context_def
;
-netif_context_def : NETIFCON identifier security_context_def security_context_def
+netif_context_def : NETIFCON netifname security_context_def security_context_def
{if (define_netif_context()) YYABORT;}
;
opt_node_contexts : node_contexts
@@ -901,6 +902,11 @@ path : PATH
filename : FILENAME
{ yytext[strlen(yytext) - 1] = '\0'; if (insert_id(yytext + 1,0)) YYABORT; }
;
+netifname : NETIFNAME
+ { if (insert_id(yytext,0)) YYABORT; }
+ | IDENTIFIER
+ { if (insert_id(yytext,0)) YYABORT; }
+ ;
number : NUMBER
{ unsigned long x;
errno = 0;
diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
index 5fb9ff37..a7b0d559 100644
--- a/checkpolicy/policy_scan.l
+++ b/checkpolicy/policy_scan.l
@@ -297,6 +297,7 @@ GLBLUB { return(GLBLUB); }
{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); }
{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])*"/"{digit}{1,3} { return(IPV6_CIDR); }
{digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); }
+({alnum}({alnum}|[\*\?_]){0,15}|[\*\?]({alnum}|[\*\?_]){1,15}) { return(NETIFNAME); }
#line[ ]1[ ]\"[^\n]*\" { set_source_file(yytext+9); }
#line[ ]{digit}+ {
errno = 0;
diff --git a/checkpolicy/tests/policy_allonce.conf b/checkpolicy/tests/policy_allonce.conf
index 95a0f265..37482243 100644
--- a/checkpolicy/tests/policy_allonce.conf
+++ b/checkpolicy/tests/policy_allonce.conf
@@ -74,6 +74,7 @@ genfscon proc "/file1" -- USER1:ROLE1:TYPE1
genfscon proc "/path/to/file" USER1:ROLE1:TYPE1
portcon tcp 80 USER1:ROLE1:TYPE1
portcon udp 100-200 USER1:ROLE1:TYPE1
+netifcon la* USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1
netifcon lo USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1
nodecon 127.0.0.1 255.255.255.255 USER1:ROLE1:TYPE1
nodecon 192.168.42.0 255.255.0.0 USER1:ROLE1:TYPE1
diff --git a/checkpolicy/tests/policy_allonce.expected.conf b/checkpolicy/tests/policy_allonce.expected.conf
index 79d62319..7bbfffd6 100644
--- a/checkpolicy/tests/policy_allonce.expected.conf
+++ b/checkpolicy/tests/policy_allonce.expected.conf
@@ -80,6 +80,7 @@ genfscon proc "/path/to/file" USER1:ROLE1:TYPE1
portcon tcp 80 USER1:ROLE1:TYPE1
portcon udp 100-200 USER1:ROLE1:TYPE1
netifcon lo USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1
+netifcon la* USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1
nodecon 127.0.0.1 255.255.255.255 USER1:ROLE1:TYPE1
nodecon 127.0.0.0 255.255.255.0 USER1:ROLE1:TYPE1
nodecon 192.168.0.0 255.255.0.0 USER1:ROLE1:TYPE1
diff --git a/checkpolicy/tests/policy_allonce.expected_opt.conf b/checkpolicy/tests/policy_allonce.expected_opt.conf
index fa4e319b..3d0afc68 100644
--- a/checkpolicy/tests/policy_allonce.expected_opt.conf
+++ b/checkpolicy/tests/policy_allonce.expected_opt.conf
@@ -80,6 +80,7 @@ genfscon proc "/path/to/file" USER1:ROLE1:TYPE1
portcon tcp 80 USER1:ROLE1:TYPE1
portcon udp 100-200 USER1:ROLE1:TYPE1
netifcon lo USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1
+netifcon la* USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1
nodecon 127.0.0.1 255.255.255.255 USER1:ROLE1:TYPE1
nodecon 127.0.0.0 255.255.255.0 USER1:ROLE1:TYPE1
nodecon 192.168.0.0 255.255.0.0 USER1:ROLE1:TYPE1
--
2.45.2
