Skip to content

Commit

Permalink
sepolgen: Support named xperms
Browse files Browse the repository at this point in the history
The `allowxperm` et. al. directives take a magical integer for one of
the fields, which hinders readability.  This commit adds support for
basic names for a number or group of numbers.

Notably, this does not support recursive definition of names, as that
would require a larger grammar re-write to avoid parsing conflicts.
  • Loading branch information
ColMelvin committed Mar 30, 2022
1 parent 9df6920 commit ab12659
Show file tree
Hide file tree
Showing 2 changed files with 34 additions and 2 deletions.
18 changes: 16 additions & 2 deletions python/sepolgen/src/sepolgen/refparser.py
Original file line number Diff line number Diff line change
Expand Up @@ -349,6 +349,7 @@ def p_statement(p):
'''statement : interface
| template
| obj_perm_set
| obj_xperm_set
| policy
| policy_module_stmt
| module_stmt
Expand Down Expand Up @@ -502,7 +503,15 @@ def p_obj_perm_set(p):
s = refpolicy.ObjPermSet(p[4])
s.perms = p[8]
p[0] = s


def p_obj_xperm_set(p):
'obj_xperm_set : DEFINE OPAREN TICK IDENTIFIER SQUOTE COMMA TICK xperm_set_base SQUOTE CPAREN'
ids = refpolicy.XpermIdentifierDict()
ids.set(p[4], p[8])

p[0] = refpolicy.ObjPermSet(p[4])
p[0].perms = set(p[8])

#
# Basic SELinux policy language
#
Expand Down Expand Up @@ -1049,8 +1058,13 @@ def p_nested_xperm_list(p):
def p_nested_xperm_element(p):
'''nested_xperm_element : xperm_set_base
| nested_xperm_set
| IDENTIFIER
'''
p[0] = p[1]
if isinstance(p[1], refpolicy.XpermSet()):
p[0] = p[1]
else:
ids = refpolicy.XpermIdentifierDict()
p[0] = ids.get(p[1])

def p_xperm_set_base(p):
'''xperm_set_base : xperm_number
Expand Down
18 changes: 18 additions & 0 deletions python/sepolgen/src/sepolgen/refpolicy.py
Original file line number Diff line number Diff line change
Expand Up @@ -413,6 +413,24 @@ def to_string(self):

return "%s{ %s }" % (compl, " ".join(vals))

class XpermIdentifierDict(dict):
"""Extended permission set identifier mapping.
This singleton class holds the mappings between named
extended permission and their numberic value.
"""
def __new__(cls):
if not hasattr(cls, 'instance'):
cls.instance = super(XpermIdentifierDict, cls).__new__(cls)
return cls.instance

def set(self, key, value):
# TODO: warn about redefiniition
self[key] = value

def get(self, key):
return self[key]

# Basic statements

class TypeAttribute(Leaf):
Expand Down

0 comments on commit ab12659

Please sign in to comment.