Viewing file:  refparser.py (20.25 KB) -rw-r--r--
Select action/file-type:
 (+) |  (+) |  (+) | Code (+) | Session (+) |  (+) | SDB (+) |  (+) |  (+) |  (+) |  (+) |  (+) |
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
#
# Copyright (C) 2006 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2 only
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# OVERVIEW
#
#
# This is a parser for the refpolicy policy "language" - i.e., the
# normal SELinux policy language plus the refpolicy style M4 macro
# constructs on top of that base language. This parser is primarily
# aimed at parsing the policy headers in order to create an abstract
# policy representation suitable for generating policy.
#
# Both the lexer and parser are included in this file. The are implemented
# using the Ply library (included with sepolgen).
import sys
import os
import re
import refpolicy
import access
import defaults
import lex
import yacc
# :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
#
# lexer
#
# :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
tokens = (
# basic tokens, punctuation
'TICK',
'SQUOTE',
'OBRACE',
'CBRACE',
'SEMI',
'COLON',
'OPAREN',
'CPAREN',
'COMMA',
'MINUS',
'TILDE',
'ASTERISK',
'AMP',
'BAR',
'EXPL',
'EQUAL',
'IDENTIFIER',
# reserved words
# object classes
'CLASS',
# types and attributes
'TYPEATTRIBUTE',
'TYPE',
'ATTRIBUTE',
'ALIAS',
'TYPEALIAS',
# conditional policy
'BOOL',
'IF',
'ELSE',
# users and roles
'ROLE',
'TYPES',
# rules
'ALLOW',
'DONTAUDIT',
'AUDITALLOW',
'TYPE_TRANSITION',
'TYPE_CHANGE',
'TYPE_MEMBER',
'RANGE_TRANSITION',
'ROLE_TRANSITION',
# refpolicy keywords
'OPT_POLICY',
'INTERFACE',
'TUNABLE_POLICY',
'GEN_REQ',
'TEMPLATE',
# m4
'IFDEF',
'IFNDEF',
'DEFINE'
)
# All reserved keywords - see t_IDENTIFIER for how these are matched in
# the lexer.
reserved = {
# object classes
'class' : 'CLASS',
# types and attributes
'typeattribute' : 'TYPEATTRIBUTE',
'type' : 'TYPE',
'attribute' : 'ATTRIBUTE',
'alias' : 'ALIAS',
'typealias' : 'TYPEALIAS',
# conditional policy
'bool' : 'BOOL',
'if' : 'IF',
'else' : 'ELSE',
# users and roles
'role' : 'ROLE',
'types' : 'TYPES',
# rules
'allow' : 'ALLOW',
'dontaudit' : 'DONTAUDIT',
'auditallow' : 'AUDITALLOW',
'type_transition' : 'TYPE_TRANSITION',
'type_change' : 'TYPE_CHANGE',
'type_member' : 'TYPE_MEMBER',
'range_transition' : 'RANGE_TRANSITION',
'role_transition' : 'ROLE_TRANSITION',
# refpolicy keywords
'optional_policy' : 'OPT_POLICY',
'interface' : 'INTERFACE',
'tunable_policy' : 'TUNABLE_POLICY',
'gen_require' : 'GEN_REQ',
'template' : 'TEMPLATE',
# M4
'ifndef' : 'IFNDEF',
'ifdef' : 'IFDEF',
'define' : 'DEFINE'
}
# The ply lexer allows definition of tokens in 2 ways: regular expressions
# or functions.
# Simple regex tokens
t_TICK = r'\`'
t_SQUOTE = r'\''
t_OBRACE = r'\{'
t_CBRACE = r'\}'
# This will handle spurios extra ';' via the +
t_SEMI = r'\;+'
t_COLON = r'\:'
t_OPAREN = r'\('
t_CPAREN = r'\)'
t_COMMA = r'\,'
t_MINUS = r'\-'
t_TILDE = r'\~'
t_ASTERISK = r'\*'
t_AMP = r'\&'
t_BAR = r'\|'
t_EXPL = r'\!'
t_EQUAL = r'\='
# Ignore whitespace - this is a special token for ply that more efficiently
# ignores uninteresting tokens.
t_ignore = " \t"
# More complex tokens
def t_m4comment(t):
r'dnl.*\n'
# Ignore all comments
t.lineno += 1
def t_refpolicywarn(t):
r'refpolicywarn\(.*\n'
# Ignore refpolicywarn statements - they sometimes
# contain text that we can't parse.
t.lineno += 1
def t_IDENTIFIER(t):
r'[a-zA-Z_\$][a-zA-Z0-9_\.\$\*]*'
# Handle any keywords
t.type = reserved.get(t.value,'IDENTIFIER')
return t
def t_comment(t):
r'\#.*\n'
# Ignore all comments
t.lineno += 1
def t_error(t):
print "Illegal character '%s'" % t.value[0]
t.skip(1)
def t_newline(t):
r'\n+'
t.lineno += len(t.value)
# :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
#
# Parser
#
# :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
# Global data used during parsing - making it global is easier than
# passing the state through the parsing functions.
# m is the top-level data structure (stands for modules).
m = None
# error is either None (indicating no error) or a string error message.
error = None
# spt is the support macros (e.g., obj/perm sets) - it is an instance of
# refpolicy.SupportMacros and should always be present during parsing
# though it may not contain any macros.
spt = None
# utilities
def collect(stmts, parent, val=None):
if stmts is None:
return
for s in stmts:
if s is None:
continue
s.parent = parent
if val is not None:
parent.children.insert(0, (val, s))
else:
parent.children.insert(0, s)
def expand(ids, s):
for id in ids:
if spt.has_key(id):
s.update(spt.by_name(id))
else:
s.add(id)
# Top-level non-terminal
def p_statements(p):
'''statements : statement
| statements statement
| empty
'''
if len(p) == 2:
m.children.append(p[1])
elif len(p) > 2:
m.children.append(p[2])
def p_statement(p):
'''statement : interface
| template
| obj_perm_set
'''
p[0] = p[1]
# Basic terminals - identifiers and lists of identifiers. These must
# be handled somewhat gracefully. Names returns an IdSet and care must
# be taken that this is _assigned_ to an object to correctly update
# all of the flags (as opposed to using update). The other terminals
# return list - this is to preserve ordering if it is important for
# parsing (for example, interface_call must retain the ordering). Other
# times the list should be used to update an IdSet.
def p_names(p):
'''names : identifier
| nested_id_set
| asterisk
| TILDE identifier
| TILDE nested_id_set
| IDENTIFIER MINUS IDENTIFIER
'''
s = refpolicy.IdSet()
if len(p) < 3:
expand(p[1], s)
elif len(p) == 3:
expand(p[2], s)
s.compliment = True
else:
expand([p[1]])
s.add("-" + p[3])
p[0] = s
def p_identifier(p):
'identifier : IDENTIFIER'
p[0] = [p[1]]
def p_asterisk(p):
'asterisk : ASTERISK'
p[0] = [p[1]]
def p_nested_id_set(p):
'''nested_id_set : OBRACE nested_id_list CBRACE
'''
p[0] = p[2]
def p_nested_id_list(p):
'''nested_id_list : nested_id_element
| nested_id_list nested_id_element
'''
if len(p) == 2:
p[0] = p[1]
else:
p[0] = p[1] + p[2]
def p_nested_id_element(p):
'''nested_id_element : identifier
| MINUS IDENTIFIER
| nested_id_set
'''
if len(p) == 2:
p[0] = p[1]
else:
# For now just leave the '-'
str = "-" + p[2]
p[0] = [str]
def p_interface_call_param(p):
'''interface_call_param : IDENTIFIER
| IDENTIFIER MINUS IDENTIFIER
| nested_id_set
'''
# Intentionally let single identifiers pass through
# List means set, non-list identifier
if len(p) == 2:
p[0] = p[1]
else:
p[0] = [p[1], "-" + p[3]]
def p_interface_call_param_list(p):
'''interface_call_param_list : interface_call_param
| interface_call_param_list COMMA interface_call_param
'''
if len(p) == 2:
p[0] = [p[1]]
else:
p[0] = p[1] + [p[3]]
def p_comma_list(p):
'''comma_list : nested_id_list
| comma_list COMMA nested_id_list
'''
if len(p) > 2:
p[1] = p[1] + p[3]
p[0] = p[1]
def p_optional_semi(p):
'''optional_semi : SEMI
| empty'''
pass
def p_cond_expr(p):
'''cond_expr : IDENTIFIER
| EXPL cond_expr
| cond_expr AMP AMP cond_expr
| cond_expr BAR BAR cond_expr
| cond_expr EQUAL EQUAL cond_expr
| cond_expr EXPL EQUAL cond_expr
'''
l = len(p)
if l == 2:
p[0] = [p[1]]
elif l == 3:
p[0] = [p[1]] + p[2]
else:
p[0] = p[1] + [p[2] + p[3]] + p[4]
def p_empty(p):
'empty :'
pass
# Reference policy language constructs
def p_interface(p):
'''interface : INTERFACE OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN
'''
x = refpolicy.Interface(p[4])
collect(p[8], x)
p[0] = x
def p_template(p):
'''template : TEMPLATE OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN
| DEFINE OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN
'''
x = refpolicy.Template(p[4])
collect(p[8], x)
p[0] = x
def p_interface_stmts(p):
'''interface_stmts : policy
| interface_stmts policy
| empty
'''
if len(p) == 2:
p[0] = p[1]
elif len(p) > 2:
p[0] = p[1] + p[2]
def p_optional_policy(p):
'''
optional_policy : OPT_POLICY OPAREN TICK interface_stmts SQUOTE CPAREN
'''
o = refpolicy.OptionalPolicy()
o.children = p[4]
p[0] = [o]
def p_tunable_policy(p):
'''tunable_policy : TUNABLE_POLICY OPAREN TICK cond_expr SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN
| TUNABLE_POLICY OPAREN TICK cond_expr SQUOTE COMMA TICK interface_stmts SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN
'''
x = refpolicy.TunablePolicy()
x.cond_expr = p[4]
collect(p[8], x, val=True)
if len(p) > 11:
collect(p[12], x, val=False)
p[0] = [x]
def p_ifdef(p):
'''ifdef : IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
| IFNDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
| IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
'''
x = refpolicy.IfDef(p[4])
if p[1] == 'ifdef':
v = True
else:
v = False
collect(p[8], x, val=v)
if len(p) > 12:
collect(p[12], x, val=False)
p[0] = [x]
def p_interface_call(p):
'interface_call : IDENTIFIER OPAREN interface_call_param_list CPAREN'
i = refpolicy.InterfaceCall(ifname=p[1])
i.args.extend(p[3])
p[0] = i
def p_obj_perm_set(p):
'obj_perm_set : DEFINE OPAREN TICK IDENTIFIER SQUOTE COMMA TICK names SQUOTE CPAREN'
s = refpolicy.ObjPermSet(p[4])
s.perms = p[8]
p[0] = s
# Basic SELinux policy language
def p_policy(p):
'''policy : policy_stmt
| optional_policy
| tunable_policy
| ifdef
| conditional
'''
p[0] = p[1]
def p_policy_stmt(p):
'''policy_stmt : gen_require
| avrule_def
| typerule_def
| typeattribute_def
| interface_call
| role_def
| role_allow
| type_def
| typealias_def
| attribute_def
| range_transition_def
| role_transition_def
'''
p[0] = [p[1]]
def p_gen_require(p):
'gen_require : GEN_REQ OPAREN TICK requires SQUOTE CPAREN'
# We ignore the require statements - they are redundant data from our point-of-view.
# Checkmodule will verify them later anyway so we just assume that they match what
# is in the rest of the interface.
pass
def p_requires(p):
'''requires : require
| requires require
| ifdef
| requires ifdef
'''
pass
def p_require(p):
'''require : TYPE comma_list SEMI
| ROLE comma_list SEMI
| ATTRIBUTE comma_list SEMI
| CLASS comma_list SEMI
| BOOL comma_list SEMI
'''
pass
def p_type_def(p):
'''type_def : TYPE IDENTIFIER COMMA comma_list SEMI
| TYPE IDENTIFIER SEMI
| TYPE IDENTIFIER ALIAS names SEMI
| TYPE IDENTIFIER ALIAS names COMMA comma_list SEMI
'''
t = refpolicy.Type(p[2])
if len(p) == 6:
if p[3] == ',':
t.attributes.update(p[4])
else:
t.aliases = p[4]
elif len(p) > 4:
t.aliases = p[4]
if len(p) == 8:
t.attributes.update(p[6])
p[0] = t
def p_attribute_def(p):
'attribute_def : ATTRIBUTE IDENTIFIER SEMI'
a = refpolicy.Attribute(p[2])
p[0] = a
def p_typealias_def(p):
'typealias_def : TYPEALIAS IDENTIFIER ALIAS names SEMI'
t = refpolicy.TypeAlias()
t.type = p[2]
t.aliases = p[4]
p[0] = t
def p_role_def(p):
'role_def : ROLE IDENTIFIER TYPES comma_list SEMI'
r = refpolicy.Role()
r.role = p[2]
r.types.update(p[4])
p[0] = r
def p_role_allow(p):
'role_allow : ALLOW names names SEMI'
r = refpolicy.RoleAllow()
r.src_roles = p[2]
r.tgt_roles = p[3]
p[0] = r
def p_avrule_def(p):
'''avrule_def : ALLOW names names COLON names names SEMI
| DONTAUDIT names names COLON names names SEMI
| AUDITALLOW names names COLON names names SEMI
'''
a = refpolicy.AVRule()
if p[1] == 'dontaudit':
a.rule_type = refpolicy.AVRule.DONTAUDIT
elif p[1] == 'auditallow':
a.rule_type = refpolicy.AVRule.AUDITALLOW
a.src_types = p[2]
a.tgt_types = p[3]
a.obj_classes = p[5]
a.perms = p[6]
p[0] = a
def p_typerule_def(p):
'''typerule_def : TYPE_TRANSITION names names COLON names IDENTIFIER SEMI
| TYPE_CHANGE names names COLON names IDENTIFIER SEMI
| TYPE_MEMBER names names COLON names IDENTIFIER SEMI
'''
t = refpolicy.TypeRule()
if p[1] == 'type_change':
t.rule_type = refpolicy.TypeRule.TYPE_CHANGE
elif p[1] == 'type_member':
t.rule_type = refpolicy.TypeRule.TYPE_MEMBER
t.src_types = p[2]
t.tgt_types = p[3]
t.obj_classes = p[5]
t.dest_type = p[6]
p[0] = t
def p_conditional(p):
''' conditional : IF OPAREN cond_expr CPAREN OBRACE interface_stmts CBRACE
| IF OPAREN cond_expr CPAREN OBRACE interface_stmts CBRACE ELSE OBRACE interface_stmts CBRACE
'''
c = refpolicy.Conditional()
c.cond_expr = p[3]
collect(p[6], c, val=True)
if len(p) > 8:
collect(p[10], c, val=False)
p[0] = [c]
def p_typeattribute_def(p):
'''typeattribute_def : TYPEATTRIBUTE IDENTIFIER comma_list SEMI'''
t = refpolicy.TypeAttribute()
t.type = p[2]
t.attributes.update(p[3])
p[0] = t
def p_mls_level_def(p):
'''mls_level_def : IDENTIFIER COLON comma_list
| IDENTIFIER'''
pass
def p_mls_range_def(p):
'''mls_range_def : mls_level_def MINUS mls_level_def
| mls_level_def
'''
pass
def p_range_transition_def(p):
'''range_transition_def : RANGE_TRANSITION names names COLON names mls_range_def SEMI
| RANGE_TRANSITION names names names SEMI'''
pass
def p_role_transition_def(p):
'''role_transition_def : ROLE_TRANSITION names names names SEMI'''
pass
def p_error(tok):
global error
error = "Syntax error on line %d %s [type=%s]" % (tok.lineno, tok.value, tok.type)
print error
def prep_spt(spt):
if not spt:
return { }
map = {}
for x in spt:
map[x.name] = x
parser = None
lexer = None
def create_globals(module, support, debug):
global parser, lexer, m, spt
if not parser:
lexer = lex.lex()
parser = yacc.yacc(method="LALR", debug=debug, write_tables=0)
if module is not None:
m = module
else:
m = refpolicy.Module()
if not support:
spt = refpolicy.SupportMacros()
else:
spt = support
def parse(text, module=None, support=None, debug=False):
create_globals(module, support, debug)
lexer.lexdata = []
lexer.lexpos = 0
try:
parser.parse(text, debug=debug)
except Exception, e:
global error
error = "internal parser error: %s" % str(e)
if error is not None:
msg = 'could not parse text: "%s"' % error
raise ValueError(msg)
return m
def list_headers(root):
modules = []
support_macros = None
blacklist = ["init.if", "inetd.if", "uml.if", "thunderbird.if"]
for dirpath, dirnames, filenames in os.walk(root):
for name in filenames:
# FIXME: these make the parser barf in various unrecoverable ways, so we must skip
# them.
if name in blacklist:
continue
modname = os.path.splitext(name)
filename = os.path.join(dirpath, name)
if modname[1] == '.spt':
if name == "obj_perm_sets.spt":
support_macros = filename
elif len(re.findall("patterns", modname[0])):
modules.append((modname[0], filename))
elif modname[1] == '.if':
modules.append((modname[0], filename))
return (modules, support_macros)
def parse_headers(root, output=None, expand=True, debug=False):
import util
headers = refpolicy.Headers()
modules = []
support_macros = None
if os.path.isfile(root):
name = os.path.split(root)[1]
if name == '':
raise ValueError("Invalid file name %s" % root)
modname = os.path.splitext(name)
modules.append((modname[0], root))
all_modules, support_macros = list_headers(defaults.headers())
else:
modules, support_macros = list_headers(root)
if expand and not support_macros:
raise ValueError("could not find support macros (obj_perm_sets.spt)")
def o(msg):
if output:
output.write(msg)
def parse_file(f, module, spt=None):
if debug:
o("parsing file %s\n" % f)
try:
fd = open(f)
txt = fd.read()
fd.close()
parse(txt, module, spt, debug)
except IOError, e:
return
except ValueError, e:
raise ValueError("error parsing file %s: %s" % (f, str(e)))
spt = None
if support_macros:
o("Parsing support macros (%s): " % support_macros)
spt = refpolicy.SupportMacros()
parse_file(support_macros, spt)
headers.children.append(spt)
# FIXME: Total hack - add in can_exec rather than parse the insanity
# of misc_macros. We are just going to preten that this is an interface
# to make the expansion work correctly.
can_exec = refpolicy.Interface("can_exec")
av = access.AccessVector(["$1","$2","file","execute_no_trans","read",
"getattr","lock","execute","ioctl"])
can_exec.children.append(refpolicy.AVRule(av))
headers.children.append(can_exec)
o("done.\n")
if output and not debug:
status = util.ConsoleProgressBar(sys.stdout, steps=len(modules))
status.start("Parsing interface files")
failures = []
for x in modules:
m = refpolicy.Module()
m.name = x[0]
try:
if expand:
parse_file(x[1], m, spt)
else:
parse_file(x[1], m)
except ValueError, e:
o(str(e) + "\n")
failures.append(x[1])
continue
headers.children.append(m)
if output and not debug:
status.step()
if len(failures):
o("failed to parse some headers: %s" % ", ".join(failures))
return headers
|