Skip to content

Commit

Permalink
Support CIDR address notation in nodecon statement
Browse files Browse the repository at this point in the history
Supported since checkpolicy 3.7[1].

[1]: SELinuxProject/selinux@804e52b
  • Loading branch information
cgzones committed May 24, 2024
1 parent dbad37b commit b3053bc
Show file tree
Hide file tree
Showing 3 changed files with 14 additions and 0 deletions.
2 changes: 2 additions & 0 deletions src/lex.l
Original file line number Diff line number Diff line change
Expand Up @@ -156,7 +156,9 @@ userdebug_or_eng { return USERDEBUG_OR_ENG; }
[a-zA-Z\$\/][a-zA-Z0-9_\$\*\/\-]* { yylval->string = xstrdup(yytext); return STRING; }
[0-9a-zA-Z\$\/][a-zA-Z0-9_\$\*\/\-]* { yylval->string = xstrdup(yytext); return NUM_STRING; }
[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} { yylval->string = xstrdup(yytext); return IPV4; }
[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\/[0-9]{1,2} { yylval->string = xstrdup(yytext); return IPV4_CIDR; }
([0-9A-Fa-f]{1,4})?\:([0-9A-Fa-f\:])*\:([0-9A-Fa-f]{1,4})?(\:[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})? { yylval->string = xstrdup(yytext); return IPV6; }
([0-9A-Fa-f]{1,4})?\:([0-9A-Fa-f\:])*\:([0-9A-Fa-f]{1,4})?(\:[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})?\/[0-9]{1,3} { yylval->string = xstrdup(yytext); return IPV6_CIDR; }
\"[a-zA-Z0-9_\.\-\:~\$\[\]\/]*\" { yylval->string = xstrdup(yytext); return QUOTED_STRING; }
\-[\-ldbcsp][ \t] { return FILE_TYPE_SPECIFIER; }
\( { return OPEN_PAREN; }
Expand Down
10 changes: 10 additions & 0 deletions src/parse.y
Original file line number Diff line number Diff line change
Expand Up @@ -86,7 +86,9 @@
%token <string> STRING;
%token <string> NUM_STRING;
%token <string> IPV4;
%token <string> IPV4_CIDR;
%token <string> IPV6;
%token <string> IPV6_CIDR;
%token <string> NUMBER;
%token <string> QUOTED_STRING;
%token <string> VERSION_NO;
Expand Down Expand Up @@ -909,6 +911,8 @@ netifcon:

nodecon:
NODECON two_ip_addrs context
|
NODECON cidr_addr context
;

two_ip_addrs:
Expand All @@ -917,6 +921,12 @@ two_ip_addrs:
IPV6 IPV6 { free($1); free($2); }
;

cidr_addr:
IPV4_CIDR { free($1); }
|
IPV6_CIDR { free($1); }
;

fs_use:
FS_USE_TRANS STRING context SEMICOLON { free($2); }
|
Expand Down
2 changes: 2 additions & 0 deletions tests/sample_policy_files/uncommon.te
Original file line number Diff line number Diff line change
Expand Up @@ -46,8 +46,10 @@ optional_policy(`
netifcon lo gen_context(system_u:object_r:lo_netif_t,s0 - mls_systemhigh) gen_context(system_u:object_r:unlabeled_t,s0 - mls_systemhigh)

nodecon 127.0.0.1 255.255.255.255 gen_context(system_u:object_r:system_t:s0)
nodecon 127.0.0.0/24 gen_context(system_u:object_r:system_t:s0)
nodecon ::5 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff gen_context(system_u:object_r:system_t:s0)
nodecon ::ffff:127.0.0.1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff gen_context(system_u:object_r:lo_node_t,s0)
nodecon ::1/128 gen_context(system_u:object_r:lo_node_t,s0)

if (!bool_one) {
allow foo_t bar_t:file open;
Expand Down

0 comments on commit b3053bc

Please sign in to comment.