[prev in list] [next in list] [prev in thread] [next in thread]
List: selinux
Subject: [PATCH] Initial policyrep patch
From: Karl MacMillan <kmacmillan () mentalrootkit ! com>
Date: 2007-06-25 18:28:55
Message-ID: d060fb6e9bd19573be1a.1182796135 () localhost ! localdomain
[Download RAW message or body]
Initial patch to create a new policyrep branch using C++. This patch includes basic \
classes for representing policy (Node and Parent), a few policy objects, a bison \
parser, a boost::python binding, and basic test infrastructure.
Signed-off-by: User "Karl MacMillan <kmacmillan@mentalrootkit.com>"
---
16 files changed, 2498 insertions(+), 1 deletion(-)
Makefile | 2
libpolicyrep/Makefile | 22
libpolicyrep/include/Makefile | 10
libpolicyrep/include/policyrep/parse.hpp | 36 +
libpolicyrep/include/policyrep/policy.hpp | 169 ++++++
libpolicyrep/include/policyrep/policy_base.hpp | 135 ++++
libpolicyrep/src/Makefile | 76 ++
libpolicyrep/src/parse.cpp | 57 ++
libpolicyrep/src/policy.cpp | 431 +++++++++++++++
libpolicyrep/src/policy_base.cpp | 375 +++++++++++++
libpolicyrep/src/policy_internal.hpp | 1
libpolicyrep/src/policy_parse.y | 675 ++++++++++++++++++++++++
libpolicyrep/src/policy_scan.l | 275 +++++++++
libpolicyrep/src/policyrep_python.cpp | 152 +++++
libpolicyrep/tests/Makefile | 24
libpolicyrep/tests/libpolicyrep-test.cpp | 59 ++
diff -r 570732c1a819 -r d060fb6e9bd1 Makefile
--- a/Makefile Wed Jun 20 12:46:57 2007 -0400
+++ b/Makefile Mon Jun 25 14:25:13 2007 -0400
@@ -1,4 +1,4 @@ SUBDIRS=libsepol libselinux libsemanage
-SUBDIRS=libsepol libselinux libsemanage sepolgen checkpolicy policycoreutils # \
policy +SUBDIRS=libsepol libselinux libsemanage libpolicyrep sepolgen checkpolicy \
policycoreutils # policy PYSUBDIRS=libselinux libsemanage
ifeq ($(DEBUG),1)
diff -r 570732c1a819 -r d060fb6e9bd1 libpolicyrep/Makefile
--- a/libpolicyrep/Makefile Wed Jun 20 12:46:57 2007 -0400
+++ b/libpolicyrep/Makefile Mon Jun 25 14:25:13 2007 -0400
@@ -0,0 +1,22 @@
+all:
+ $(MAKE) -C src
+
+install:
+ $(MAKE) -C include install
+ $(MAKE) -C src install
+
+relabel:
+ $(MAKE) -C src relabel
+
+clean:
+ $(MAKE) -C src clean
+ $(MAKE) -C tests clean
+
+indent:
+ $(MAKE) -C src $@
+ $(MAKE) -C include $@
+ $(MAKE) -C utils $@
+
+test: all
+ $(MAKE) -C tests test
+
diff -r 570732c1a819 -r d060fb6e9bd1 libpolicyrep/include/Makefile
--- a/libpolicyrep/include/Makefile Wed Jun 20 12:46:57 2007 -0400
+++ b/libpolicyrep/include/Makefile Mon Jun 25 14:25:13 2007 -0400
@@ -0,0 +1,10 @@
+# Installation directories.
+PREFIX ?= $(DESTDIR)/usr
+INCDIR ?= $(PREFIX)/include/policyrep
+
+install:
+ test -d $(INCDIR) || install -m 755 -d $(INCDIR)
+ install -m 644 $(wildcard policyrep/*.hpp) $(INCDIR)
+
+indent:
+ ../../scripts/Lindent $(wildcard policyrep/*.hpp)
diff -r 570732c1a819 -r d060fb6e9bd1 libpolicyrep/include/policyrep/parse.hpp
--- a/libpolicyrep/include/policyrep/parse.hpp Wed Jun 20 12:46:57 2007 -0400
+++ b/libpolicyrep/include/policyrep/parse.hpp Mon Jun 25 14:25:13 2007 -0400
@@ -0,0 +1,36 @@
+// Author Karl MacMillan <kmacmillan@mentalrootkit.com>
+
+#ifndef kwm06082007_policy_hpp
+#define kwm06082007_policy_hpp
+
+#include <policyrep/policy.hpp>
+
+#include <string>
+
+namespace policyrep {
+
+ class location;
+
+ class Parser {
+ public:
+ Parser();
+ virtual ~Parser();
+
+ // scanner
+ void scan_begin();
+ void scan_end();
+ bool trace_scanning;
+
+ // Parser
+ Module* parse(const std::string& f);
+ std::string file;
+ bool trace_parsing;
+ Module* pmodule;
+
+ // error handling
+ virtual void error(const policyrep::location& l, const std::string& m);
+ virtual void error(const std::string& m);
+ };
+}
+
+#endif
diff -r 570732c1a819 -r d060fb6e9bd1 libpolicyrep/include/policyrep/policy.hpp
--- a/libpolicyrep/include/policyrep/policy.hpp Wed Jun 20 12:46:57 2007 -0400
+++ b/libpolicyrep/include/policyrep/policy.hpp Mon Jun 25 14:25:13 2007 -0400
@@ -0,0 +1,169 @@
+/* Author: Karl MacMillan <kmacmillan@mentalrootkit.com> */
+
+#ifndef __policy_hpp__
+#define __policy_hpp__
+
+#include <policyrep/policy_base.hpp>
+
+namespace policyrep {
+
+ //
+ // Policy
+ //
+ struct PolicyImpl;
+ class Policy : public Parent {
+ public:
+ Policy(bool mls=false);
+ Policy(const Policy& other);
+ virtual ~Policy() { };
+ void operator=(const Policy& other);
+
+ bool get_mls() const;
+ void set_mls(bool val);
+ virtual void output(std::ostream& o, enum OutputStyle \
style=DEFAULT_OUTPUT) const; + protected:
+ PolicyImpl* impl;
+ };
+ typedef boost::shared_ptr<Policy> PolicyPtr;
+
+ //
+ // Module
+ //
+ struct ModuleImpl;
+ class Module : public Parent {
+ public:
+ Module();
+ Module(const Module& other);
+ Module(std::string name, std::string version);
+ virtual ~Module() { };
+ void operator=(const Module& other);
+
+ std::string get_name() const;
+ void set_name(std::string name);
+ std::string get_version() const;
+ void set_version(std::string version);
+
+ virtual void output(std::ostream& o, enum OutputStyle \
style=DEFAULT_OUTPUT) const; + protected:
+ ModuleImpl* impl;
+ };
+ typedef boost::shared_ptr<Module> ModulePtr;
+
+ //
+ // Type
+ //
+
+ struct TypeImpl;
+ class Type : public Node {
+ public:
+ Type();
+ Type(std::string name);
+ Type(const Type& other);
+ void operator=(const Type& other);
+
+ std::string get_name() const;
+ void set_name(std::string name);
+
+ virtual ~Type() { };
+ StringSet& aliases();
+ StringSet& attributes();
+ virtual void output(std::ostream& o, enum OutputStyle \
style=DEFAULT_OUTPUT) const; + protected:
+ TypeImpl* impl;
+ };
+ typedef boost::shared_ptr<Type> TypePtr;
+
+ //
+ // CommonPerms
+ //
+
+ struct CommonPermsImpl;
+ class CommonPerms : public Node {
+ public:
+ CommonPerms();
+ CommonPerms(std::string name, const StringVector& p);
+ CommonPerms(const CommonPerms& other);
+ virtual ~CommonPerms();
+ void operator=(const CommonPerms& other);
+
+ std::string get_name() const;
+ void set_name(std::string name);
+ StringSet& perms();
+
+ virtual void output(std::ostream& o, enum OutputStyle \
style=DEFAULT_OUTPUT) const; + protected:
+ CommonPermsImpl* impl;
+ };
+ typedef boost::shared_ptr<CommonPerms> CommonPermsPtr;
+
+ //
+ // ObjectClass
+ //
+
+ struct ObjectClassImpl;
+ class ObjectClass : public Node {
+ public:
+ ObjectClass();
+ ObjectClass(std::string name, std::string commons);
+ ObjectClass(std::string name, std::string commons, const \
StringVector& p); + ObjectClass(const ObjectClass& other);
+ virtual ~ObjectClass();
+ void operator=(const ObjectClass& other);
+
+ std::string get_name() const;
+ void set_name(std::string name);
+ StringSet& perms();
+ std::string get_common_perms() const;
+ void set_common_perms(std::string name);
+
+ virtual void output(std::ostream& o, enum OutputStyle \
style=DEFAULT_OUTPUT) const; + protected:
+ ObjectClassImpl* impl;
+ };
+ typedef boost::shared_ptr<ObjectClass> ObjectClassPtr;
+
+ //
+ // InitialSid
+ //
+
+ struct InitialSidImpl;
+ class InitialSid : public Node {
+ public:
+ InitialSid();
+ InitialSid(std::string name);
+ InitialSid(const InitialSid& other);
+ virtual ~InitialSid() { };
+ void operator=(const InitialSid& other);
+
+ std::string get_name() const;
+ void set_name(std::string name);
+
+ virtual void output(std::ostream& o, enum OutputStyle \
style=DEFAULT_OUTPUT) const; + protected:
+ InitialSidImpl* impl;
+ };
+ typedef boost::shared_ptr<InitialSid> InitialSidPtr;
+
+ //
+ // Attribute
+ //
+
+ struct AttributeImpl;
+ class Attribute : public Node {
+ public:
+ Attribute();
+ Attribute(const std::string name);
+ Attribute(const Attribute& other);
+ ~Attribute();
+ void operator=(const Attribute& other);
+
+ std::string get_name() const;
+ void set_name(const std::string name);
+ virtual void output(std::ostream& o, enum OutputStyle style) const;
+ protected:
+ AttributeImpl* impl;
+ };
+ typedef boost::shared_ptr<Attribute> AttributePtr;
+}
+
+#endif
diff -r 570732c1a819 -r d060fb6e9bd1 libpolicyrep/include/policyrep/policy_base.hpp
--- a/libpolicyrep/include/policyrep/policy_base.hpp Wed Jun 20 12:46:57 2007 -0400
+++ b/libpolicyrep/include/policyrep/policy_base.hpp Mon Jun 25 14:25:13 2007 -0400
@@ -0,0 +1,135 @@
+/* Author: Karl MacMillan <kmacmillan@mentalrootkit.com> */
+
+#ifndef __policy_base_hpp__
+#define __policy_base_hpp__
+
+#include <vector>
+#include <set>
+#include <string>
+
+#include <boost/shared_ptr.hpp>
+#include <boost/iterator/iterator_facade.hpp>
+
+namespace policyrep {
+
+ // Forward declarations
+ class Node;
+ typedef boost::shared_ptr<Node> NodePtr;
+
+ class Parent;
+ typedef boost::shared_ptr<Parent> ParentPtr;
+
+ // Convenience typedefs
+ typedef std::vector<NodePtr> NodeVector;
+ typedef boost::shared_ptr<NodeVector> NodeVectorPtr;
+
+ typedef std::set<std::string> StringSet;
+ typedef boost::shared_ptr<StringSet> StringSetPtr;
+
+ typedef std::vector<std::string> StringVector;
+ typedef boost::shared_ptr<StringVector> StringVectorPtr;
+
+ // Output (string output)
+ enum OutputStyle { DEFAULT_OUTPUT, DEBUG_OUTPUT };
+ std::ostream& operator<<(std::ostream& o, const Node& n);
+
+ void output_set_space(std::ostream& o, const StringSet& set);
+ void output_set_comma(std::ostream& o, const StringSet& set);
+
+ class OutputFormat {
+ public:
+ OutputFormat(const Node &n, bool end=false, enum OutputStyle \
style=DEFAULT_OUTPUT); + friend std::ostream& operator<<(std::ostream& \
o, const OutputFormat& op); + private:
+ const Node& m_n;
+ bool m_end;
+ enum OutputStyle m_style;
+ };
+
+ //
+ // NODE
+ //
+
+ struct NodeImpl;
+ class Node {
+ public:
+ Node();
+ Node(const Node& other);
+ virtual ~Node();
+ void operator=(const Node& other);
+
+ void set_parent(Parent& p);
+ Parent& get_parent() const;
+
+ bool get_visited() const;
+ void set_visited(bool val);
+
+ friend std::ostream& operator<<(std::ostream& o, const Node& n);
+ virtual void output(std::ostream& o, enum OutputStyle \
style=DEFAULT_OUTPUT) const; + virtual void output_end(std::ostream& \
o, enum OutputStyle style=DEFAULT_OUTPUT) const; + virtual void \
output_end_brace(std::ostream& o, enum OutputStyle style=DEFAULT_OUTPUT) const; + \
std::string to_string() const; + std::string to_string_end() const;
+ protected:
+ NodeImpl* node_impl;
+ static const int VISITED = 1;
+ };
+
+ //
+ // TreeIterator
+ //
+
+ struct TreeIteratorImpl;
+ class TreeIterator
+ : public boost::iterator_facade<TreeIterator, Node,
+ boost::forward_traversal_tag>
+ {
+ public:
+ enum Strategy { POSTORDER, PREORDER, HYBRID };
+ TreeIterator(enum Strategy strategy=POSTORDER);
+ explicit TreeIterator(Node& n, enum Strategy strategy=POSTORDER);
+ TreeIterator(const TreeIterator& other);
+ virtual ~TreeIterator();
+ void operator=(const TreeIterator& other);
+ bool get_visited() const;
+ private:
+ friend class boost::iterator_core_access;
+ void increment();
+ void increment_preorder();
+ void increment_postorder();
+ bool equal(const TreeIterator& other) const;
+ Node& dereference() const;
+
+ TreeIteratorImpl* impl;
+ };
+
+ //
+ // Parent
+ //
+
+ struct ParentImpl;
+ class Parent : public Node {
+ public:
+ Parent();
+ Parent(const Parent& other);
+ virtual ~Parent();
+ void operator=(const Parent& other);
+ typedef TreeIterator iterator;
+ virtual void append_child(NodePtr Node);
+ virtual NodeVector& children();
+
+ iterator begin(enum TreeIterator::Strategy \
strategy=TreeIterator::POSTORDER); + iterator end();
+ protected:
+ ParentImpl* parent_impl;
+ };
+ typedef boost::shared_ptr<Parent> ParentPtr;
+
+ void output_tree(std::ostream& o, Parent& p,
+ enum OutputStyle style=DEFAULT_OUTPUT);
+
+
+
+} // namespace policyrep
+
+#endif
diff -r 570732c1a819 -r d060fb6e9bd1 libpolicyrep/src/Makefile
--- a/libpolicyrep/src/Makefile Wed Jun 20 12:46:57 2007 -0400
+++ b/libpolicyrep/src/Makefile Mon Jun 25 14:25:13 2007 -0400
@@ -0,0 +1,76 @@
+# Installation directories.
+PREFIX ?= $(DESTDIR)/usr
+LIBDIR ?= $(PREFIX)/lib
+SHLIBDIR ?= $(DESTDIR)/lib
+
+PYLIBVER ?= $(shell python -c 'import sys;print "python%d.%d" % \
sys.version_info[0:2]') +PYINC ?= /usr/include/$(PYLIBVER)
+PYLIB ?= /usr/lib/$(PYLIBVER)
+PYTHONLIBDIR ?= $(LIBDIR)/$(PYLIBVER)
+PYTHONCPP=policyrep_python.cpp
+PYTHONLOBJ=policyrep_python.lo
+PYTHONSO=policyrep.so
+
+LIBVERSION = 1
+
+PARSERGENERATED=policy_parse.cpp policy_parse.hpp policy_scan.cpp stack.hh \
position.hh scanner-file.cpp location.hh +PARSEROBJS=policy_parse.o policy_scan.o
+PARSERLOBJS=policy_parse.lo policy_scan.lo
+
+LIBA=libpolicyrep.a
+TARGET=libpolicyrep.so
+LIBSO=$(TARGET).$(LIBVERSION)
+OBJS= $(PARSEROBJS) $(patsubst %.cpp,%.o,$(filter-out $(PYTHONCPP), $(wildcard \
*.cpp))) +LOBJS= $(PARSERLOBJS) $(patsubst %.cpp,%.lo,$(filter-out $(PYTHONCPP), \
$(wildcard *.cpp))) +CFLAGS ?= -Wall -W -Wundef -Wmissing-format-attribute \
-Wno-unused-parameter +override CFLAGS += -I. -I../include -D_GNU_SOURCE
+LDFLAGS += -lboost_serialization
+
+all: $(LIBA) $(LIBSO) $(PYTHONSO)
+
+$(LIBA): $(OBJS)
+ $(AR) rcs $@ $^
+ ranlib $@
+
+$(LIBSO): $(LOBJS)
+ g++ $(LDFLAGS) -shared -o $@ $^ -Wl,-soname,$(LIBSO)
+ ln -sf $@ $(TARGET)
+
+$(PYTHONSO): $(PYTHONLOBJ)
+ g++ $(LDFLAGS) -lboost_python -shared -o $@ $< $(LOBJS) -Wl,-soname,$@
+
+$(PYTHONLOBJ): $(PYTHONCPP)
+ g++ $(CFLAGS) -I$(PYINC) -fPIC -DSHARED -c -o $@ $<
+
+%.o: %.cpp
+ g++ $(CFLAGS) -fPIC -c -o $@ $<
+
+%.lo: %.cpp
+ g++ $(CFLAGS) -fPIC -DSHARED -c -o $@ $<
+
+policy_parse.cpp: policy_parse.y
+ bison -o policy_parse.cpp -p policyrep -d policy_parse.y
+
+policy_scan.cpp: policy_scan.l policy_parse.cpp
+ flex policy_scan.l
+
+install: all install-pywrap
+ test -d $(LIBDIR) || install -m 755 -d $(LIBDIR)
+ install -m 644 $(LIBA) $(LIBDIR)
+ test -d $(SHLIBDIR) || install -m 755 -d $(SHLIBDIR)
+ install -m 755 $(LIBSO) $(SHLIBDIR)
+ cd $(LIBDIR) && ln -sf ../../`basename $(SHLIBDIR)`/$(LIBSO) $(TARGET)
+
+install-pywrap:
+ test -d $(PYTHONLIBDIR)/site-packages || install -m 755 -d \
$(PYTHONLIBDIR)/site-packages + install -m 755 $(PYTHONSO) \
$(PYTHONLIBDIR)/site-packages +
+relabel:
+ /sbin/restorecon $(SHLIBDIR)/$(LIBSO)
+
+clean:
+ -rm -f $(OBJS) $(LOBJS) $(LIBA) $(LIBSO) $(TARGET) $(PYTHONSO) $(PYTHONLOBJ) \
$(PARSERGENERATED) +
+indent:
+ ../../scripts/Lindent $(wildcard *.cpp)
+
diff -r 570732c1a819 -r d060fb6e9bd1 libpolicyrep/src/parse.cpp
--- a/libpolicyrep/src/parse.cpp Wed Jun 20 12:46:57 2007 -0400
+++ b/libpolicyrep/src/parse.cpp Mon Jun 25 14:25:13 2007 -0400
@@ -0,0 +1,57 @@
+/*
+ * Author : Karl MacMillan <kmacmillan@mentalrootkit.com>
+ *
+ * Copyright (C) 2007 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#include <policyrep/parse.hpp>
+#include <policyrep/policy.hpp>
+
+#include "policy_parse.hpp"
+
+namespace policyrep {
+
+Parser::Parser()
+ : trace_scanning(false), trace_parsing(false)
+{ }
+
+Parser::~Parser() { }
+
+Module* Parser::parse(const std::string& f)
+{
+ pmodule = new Module;
+ file = f;
+ scan_begin();
+ policy_parser p(*this);
+ p.set_debug_level(trace_parsing);
+ p.parse();
+ scan_end();
+
+ return pmodule;
+}
+
+void Parser::error(const policyrep::location& l, const std::string& m)
+{
+ std::cerr << l << ": " << m << std::endl;
+}
+
+void Parser::error(const std::string& m)
+{
+ std::cerr << m << std::endl;
+}
+
+} // namespace policyrep
diff -r 570732c1a819 -r d060fb6e9bd1 libpolicyrep/src/policy.cpp
--- a/libpolicyrep/src/policy.cpp Wed Jun 20 12:46:57 2007 -0400
+++ b/libpolicyrep/src/policy.cpp Mon Jun 25 14:25:13 2007 -0400
@@ -0,0 +1,431 @@
+/*
+ * Author : Karl MacMillan <kmacmillan@mentalrootkit.com>
+ *
+ * Copyright (C) 2007 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+/* These must go before policy.hpp to make the
+ * class export work for serialization.
+ */
+
+#include "policy_base_internal.hpp"
+#include <policyrep/policy.hpp>
+
+#include <iostream>
+#include <algorithm>
+#include <fstream>
+#include <sstream>
+
+
+namespace policyrep {
+
+
+ //
+ // Policy
+ //
+
+ struct PolicyImpl
+ {
+ PolicyImpl(bool m=false) : mls(m) { }
+ bool mls;
+ };
+
+
+ Policy::Policy(bool mls)
+ : impl(new PolicyImpl(mls)) { }
+
+ Policy::Policy(const Policy& other)
+ : Parent()
+ {
+ impl = new PolicyImpl;
+ *impl = *other.impl;
+ }
+
+ void Policy::operator=(const Policy& other)
+ {
+ *impl = *impl;
+ }
+
+ bool Policy::get_mls() const
+ {
+ return impl->mls;
+ }
+
+ void Policy::set_mls(bool val)
+ {
+ impl->mls = val;
+ }
+
+ void Policy::output(std::ostream& o, enum OutputStyle style) const
+ {
+ if (style == DEBUG_OUTPUT)
+ o << "[Policy " << this << "]";
+ }
+
+ //
+ // Module
+ //
+
+ struct ModuleImpl
+ {
+ ModuleImpl() { }
+ ModuleImpl(std::string& n, std::string& v) : name(n), version(v) { }
+ std::string name;
+ std::string version;
+ };
+
+ Module::Module() : impl(new ModuleImpl) { }
+
+ Module::Module(const Module& other)
+ : Parent(), impl(new ModuleImpl)
+ {
+ *impl = *other.impl;
+ }
+
+ Module::Module(std::string name, std::string version)
+ : impl(new ModuleImpl(name, version)) { }
+
+ void Module::operator=(const Module& other)
+ {
+ *impl = *other.impl;
+ }
+
+ std::string Module::get_name() const
+ {
+ return impl->name;
+ }
+
+ void Module::set_name(std::string name)
+ {
+ impl->name = name;
+ }
+
+ std::string Module::get_version() const
+ {
+ return impl->version;
+ }
+
+ void Module::set_version(std::string version)
+ {
+ impl->version = version;
+ }
+
+ void Module::output(std::ostream& o, enum OutputStyle style) const
+ {
+ if (style == DEBUG_OUTPUT)
+ o << "[MODULE " << this << "]";
+ o << "module " << impl->name << " " << impl->version << ";";
+ }
+
+ //
+ // Type
+ //
+
+ struct TypeImpl
+ {
+ std::string name;
+ StringSet attributes;
+ StringSet aliases;
+ };
+
+ Type::Type() : impl(new TypeImpl) { }
+
+ Type::Type(std::string name)
+ : impl(new TypeImpl)
+ {
+ impl->name = name;
+ }
+
+ Type::Type(const Type& other)
+ : Node(), impl(new TypeImpl)
+ {
+ *impl = *other.impl;
+ }
+
+ void Type::operator=(const Type& other)
+ {
+ *impl = *other.impl;
+ }
+
+ std::string Type::get_name() const
+ {
+ return impl->name;
+ }
+
+ void Type::set_name(std::string name)
+ {
+ impl->name = name;
+ }
+
+ StringSet& Type::aliases()
+ {
+ return impl->aliases;
+ }
+
+ StringSet& Type::attributes()
+ {
+ return impl->attributes;
+ }
+
+ void Type::output(std::ostream& o, enum OutputStyle style) const
+ {
+ if (style == DEBUG_OUTPUT)
+ o << "[TYPE " << this << "]";
+
+ o << "Type " << impl->name;
+ if (!impl->aliases.empty()) {
+ o << " alias ";
+ output_set_space(o, impl->aliases);
+ }
+ if (!impl->attributes.empty()) {
+ o << ", ";
+ output_set_comma(o, impl->attributes);
+ }
+ o << ";";
+ }
+
+ //
+ // CommonPerms
+ //
+
+ struct CommonPermsImpl
+ {
+ std::string name;
+ StringSet perms;
+ };
+
+ CommonPerms::CommonPerms()
+ : impl(new CommonPermsImpl) { }
+
+ CommonPerms::CommonPerms(std::string name, const StringVector& p)
+ : impl(new CommonPermsImpl)
+ {
+ impl->name = name;
+ impl->perms.insert(p.begin(), p.end());
+ }
+
+ CommonPerms::CommonPerms(const CommonPerms& other)
+ : Node(), impl(new CommonPermsImpl)
+ {
+ *impl = *other.impl;
+ }
+
+ CommonPerms::~CommonPerms()
+ {
+ delete impl;
+ }
+
+ void CommonPerms::operator=(const CommonPerms& other)
+ {
+ *impl = *other.impl;
+ }
+
+ std::string CommonPerms::get_name() const
+ {
+ return impl->name;
+ }
+
+ void CommonPerms::set_name(std::string name)
+ {
+ impl->name = name;
+ }
+
+ StringSet& CommonPerms::perms()
+ {
+ return impl->perms;
+ }
+
+ void CommonPerms::output(std::ostream& o, enum OutputStyle style) const
+ {
+ if (style == DEBUG_OUTPUT)
+ o << "[CommonPerms " << this << "]";
+ o << "common " << impl->name << " ";
+ output_set_space(o, impl->perms);
+ }
+
+ //
+ // ObjectClass
+ //
+
+ struct ObjectClassImpl
+ {
+ std::string name;
+ StringSet perms;
+ std::string common_perms;
+ };
+
+ ObjectClass::ObjectClass() : impl(new ObjectClassImpl) { };
+
+ ObjectClass::ObjectClass(std::string name, std::string commons)
+ : impl(new ObjectClassImpl)
+ {
+ impl->name = name;
+ impl->common_perms = commons;
+ }
+
+ ObjectClass::ObjectClass(std::string name, std::string commons, const StringVector& \
p) + : impl(new ObjectClassImpl)
+ {
+ impl->name = name;
+ impl->common_perms = commons;
+ impl->perms.insert(p.begin(), p.end());
+ }
+
+ ObjectClass::ObjectClass(const ObjectClass& other)
+ : Node(), impl(new ObjectClassImpl)
+ {
+ *impl = *other.impl;
+ }
+
+ ObjectClass::~ObjectClass()
+ {
+ delete impl;
+ }
+
+ void ObjectClass::operator=(const ObjectClass& other)
+ {
+ *impl = *other.impl;
+ }
+
+ std::string ObjectClass::get_name() const
+ {
+ return impl->name;
+ }
+
+ void ObjectClass::set_name(std::string name)
+ {
+ impl->name = name;
+ }
+
+ StringSet& ObjectClass::perms()
+ {
+ return impl->perms;
+ }
+
+ std::string ObjectClass::get_common_perms() const
+ {
+ return impl->common_perms;
+ }
+
+ void ObjectClass::set_common_perms(std::string name)
+ {
+ impl->common_perms = name;
+ }
+
+ void ObjectClass::output(std::ostream& o, enum OutputStyle style) const
+ {
+ if (style == DEBUG_OUTPUT)
+ o << "[ObjectClass " << this << "]";
+ o << "class " << impl->name;
+ if (impl->common_perms != "")
+ o << " inherits " << impl->common_perms;
+ if (!impl->perms.empty()) {
+ o << " ";
+ output_set_space(o, impl->perms);
+ }
+ }
+
+ //
+ // InitialSid
+ //
+
+ struct InitialSidImpl
+ {
+ std::string name;
+ };
+
+ InitialSid::InitialSid()
+ : impl(new InitialSidImpl) { }
+
+ InitialSid::InitialSid(std::string name)
+ : impl(new InitialSidImpl)
+ {
+ impl->name = name;
+ }
+
+ InitialSid::InitialSid(const InitialSid& other)
+ : Node(), impl(new InitialSidImpl)
+ {
+ *impl = *other.impl;
+ }
+
+ std::string InitialSid::get_name() const
+ {
+ return impl->name;
+ }
+
+ void InitialSid::set_name(std::string name)
+ {
+ impl->name = name;
+ }
+
+ void InitialSid::output(std::ostream& o, enum OutputStyle style) const
+ {
+ if (style == DEBUG_OUTPUT)
+ o << "[InitialSid " << this << "]";
+ o << "sid " << impl->name;
+ }
+
+ //
+ // Attribute
+ //
+
+ struct AttributeImpl
+ {
+ std::string name;
+ };
+
+ Attribute::Attribute() : impl(new AttributeImpl) { }
+
+ Attribute::Attribute(const std::string name)
+ : impl(new AttributeImpl)
+ {
+ impl->name = name;
+ }
+
+ Attribute::~Attribute()
+ {
+ delete impl;
+ }
+
+ Attribute::Attribute(const Attribute& other)
+ : Node(), impl(new AttributeImpl)
+ {
+ *impl = *other.impl;
+ }
+
+ void Attribute::operator=(const Attribute& other)
+ {
+ *impl = *other.impl;
+ }
+
+ std::string Attribute::get_name() const
+ {
+ return impl->name;
+ }
+
+ void Attribute::set_name(const std::string name)
+ {
+ impl->name = name;
+ }
+
+ void Attribute::output(std::ostream& o, enum OutputStyle style) const
+ {
+ o << "attribute " << impl->name << ";";
+ }
+
+} // namespace Policyrep
diff -r 570732c1a819 -r d060fb6e9bd1 libpolicyrep/src/policy_base.cpp
--- a/libpolicyrep/src/policy_base.cpp Wed Jun 20 12:46:57 2007 -0400
+++ b/libpolicyrep/src/policy_base.cpp Mon Jun 25 14:25:13 2007 -0400
@@ -0,0 +1,375 @@
+/*
+ * Author : Karl MacMillan <kmacmillan@mentalrootkit.com>
+ *
+ * Copyright (C) 2007 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+/* These must go before policy_base.hpp to make the
+ * class export work for serialization.
+ */
+
+#include <policyrep/policy_base.hpp>
+#include "policy_base_internal.hpp"
+
+#include <iostream>
+#include <algorithm>
+#include <fstream>
+#include <sstream>
+
+namespace policyrep {
+
+//
+// Output
+//
+
+void output_set_space(std::ostream& o, const StringSet& set)
+{
+ if (set.size() > 1)
+ o << "{ ";
+ StringSet::const_iterator i;
+ bool first = true;
+ for (i = set.begin(); i != set.end(); ++i) {
+ if (first)
+ first = false;
+ else
+ o << " ";
+ o << *i;
+ }
+ if (set.size() > 1)
+ o << " }";
+}
+
+void output_set_comma(std::ostream& o, const StringSet& set)
+{
+ StringSet::const_iterator i;
+ bool first = true;
+ for (i = set.begin(); i != set.end(); ++i) {
+ if (first)
+ first = false;
+ else
+ o << ", ";
+ o << *i;
+ }
+}
+
+std::ostream& operator<<(std::ostream& o, const Node& n)
+{
+ n.output(o);
+ return o;
+}
+
+OutputFormat::OutputFormat(const Node &n, bool end, enum OutputStyle style)
+: m_n(n), m_end(end), m_style(style) { }
+
+std::ostream& operator<<(std::ostream& o, const OutputFormat& op)
+{
+ if (op.m_end)
+ op.m_n.output_end(o, op.m_style);
+ else
+ op.m_n.output(o, op.m_style);
+ return o;
+}
+
+//
+// Node
+//
+
+ struct NodeImpl {
+ Parent* parent;
+ uint32_t flags;
+ template <class Archive>
+ void serialize(Archive& ar, unsigned int file_version)
+ {
+ ar & parent;
+ ar & flags;
+ }
+ };
+
+
+Node::Node()
+{
+ node_impl = new NodeImpl;
+}
+
+Node::Node(const Node& other)
+{
+ node_impl = new NodeImpl;
+ *node_impl = *other.node_impl;
+}
+
+Node::~Node()
+{
+ delete node_impl;
+}
+
+void Node::operator=(const Node& other)
+{
+ *node_impl = *other.node_impl;
+}
+
+void Node::set_parent(Parent& parent)
+{
+ node_impl->parent = &parent;
+}
+
+Parent& Node::get_parent() const
+{
+ return *node_impl->parent;
+}
+
+bool Node::get_visited() const
+{
+ return node_impl->flags & VISITED;
+}
+
+void Node::set_visited(bool val)
+{
+ if (val)
+ node_impl->flags |= VISITED;
+ else
+ node_impl->flags &= ~VISITED;
+}
+
+void Node::output(std::ostream& o, enum OutputStyle style) const
+{
+ if (style == DEBUG_OUTPUT)
+ o << "[Node " << this << "]";
+}
+
+void Node::output_end(std::ostream& o, enum OutputStyle style) const
+{
+ switch (style) {
+ case DEFAULT_OUTPUT:
+ break;
+ case DEBUG_OUTPUT:
+ o << "[END " << typeid(this).name() << " " << this << "]";
+ };
+}
+
+void Node::output_end_brace(std::ostream& o, enum OutputStyle style) const
+{
+ switch (style) {
+ case DEFAULT_OUTPUT:
+ o << "}";
+ break;
+ case DEBUG_OUTPUT:
+ o << "} [" << typeid(this).name() << " " << this << "]";
+ };
+}
+
+std::string Node::to_string() const
+{
+ std::stringstream s;
+ s << *this;
+ return s.str();
+}
+
+std::string Node::to_string_end() const
+{
+ std::stringstream s;
+ s << OutputFormat(*this, true, DEFAULT_OUTPUT);
+ return s.str();
+}
+
+const int Node::VISITED;
+
+//
+// TreeIterator
+//
+
+struct TreeIteratorImpl
+{
+ TreeIteratorImpl(Node* c = 0, enum TreeIterator::Strategy strategy = \
TreeIterator::POSTORDER) : strategy(strategy), cur(c) { } + TreeIterator::Strategy \
strategy; + std::vector<Node*> stack;
+ Node* cur;
+ bool visited;
+};
+
+TreeIterator::TreeIterator(enum Strategy strategy)
+: impl(new TreeIteratorImpl(0, strategy))
+{ }
+
+TreeIterator::TreeIterator(Node& n, enum Strategy strategy)
+ : impl(new TreeIteratorImpl(&n, strategy))
+{
+ n.set_visited(false);
+ impl->stack.push_back(&n);
+ increment();
+}
+
+TreeIterator::TreeIterator(const TreeIterator& other)
+{
+ impl = new TreeIteratorImpl;
+ *impl = *other.impl;
+}
+
+TreeIterator::~TreeIterator()
+{
+ delete impl;
+}
+
+void TreeIterator::operator=(const TreeIterator& other)
+{
+ *impl = *other.impl;
+}
+
+bool TreeIterator::get_visited() const
+{
+ return impl->visited;
+}
+
+void TreeIterator::increment()
+{
+ switch (impl->strategy) {
+ case POSTORDER:
+ this->increment_postorder();
+ break;
+ case PREORDER:
+ case HYBRID:
+ this->increment_preorder();
+ break;
+ };
+}
+
+void TreeIterator::increment_preorder()
+{
+ if (impl->stack.empty()) {
+ impl->cur = NULL;
+ return;
+ }
+ impl->cur = impl->stack.back();
+ impl->visited = impl->cur->get_visited();
+ impl->stack.pop_back();
+
+ Parent* p = dynamic_cast<Parent*>(impl->cur);
+ if (p and !p->get_visited()) {
+ if (impl->strategy == HYBRID) {
+ p->set_visited(true);
+ impl->stack.push_back(impl->cur);
+ }
+ NodeVector::reverse_iterator i;
+ for (i = p->children().rbegin(); i != p->children().rend(); ++i) {
+ (*i)->set_visited(false);
+ impl->stack.push_back(i->get());
+ }
+ }
+}
+
+void TreeIterator::increment_postorder()
+{
+ while (1) {
+ if (impl->stack.empty()) {
+ impl->cur = NULL;
+ return;
+ }
+ Node* n = impl->stack.back();
+ impl->stack.pop_back();
+
+ Parent* p = dynamic_cast<Parent*>(n);
+ if (n->get_visited() || p == 0) {
+ impl->cur = n;
+ break;
+ } else {
+ p->set_visited(true);
+ impl->stack.push_back(n);
+ NodeVector::reverse_iterator i;
+ for (i = p->children().rbegin(); i != p->children().rend(); \
++i) { + (*i)->set_visited(false);
+ impl->stack.push_back(i->get());
+ }
+ }
+ }
+}
+
+bool TreeIterator::equal(const TreeIterator& other) const
+{
+ return impl->cur == other.impl->cur;
+}
+
+Node& TreeIterator::dereference() const
+{
+ return *impl->cur;
+}
+
+//
+// Parent
+//
+
+
+ struct ParentImpl {
+ NodeVector children;
+ template <class Archive>
+ void serialize(Archive& ar, unsigned int file_version)
+ {
+ ar & children;
+ }
+ };
+
+Parent::Parent()
+: parent_impl(new ParentImpl) { }
+
+Parent::Parent(const Parent& other)
+: Node()
+{
+ parent_impl = new ParentImpl;
+ *parent_impl = *other.parent_impl;
+}
+
+Parent::~Parent()
+{
+ delete parent_impl;
+}
+
+void Parent::operator=(const Parent& other)
+{
+ *parent_impl = *other.parent_impl;
+}
+
+void Parent::append_child(NodePtr node)
+{
+ parent_impl->children.push_back(node);
+ node->set_parent(*this);
+}
+
+NodeVector& Parent::children()
+{
+ return parent_impl->children;
+}
+
+Parent::iterator Parent::begin(enum TreeIterator::Strategy strategy)
+{
+ return TreeIterator(*this, strategy);
+}
+
+Parent::iterator Parent::end()
+{
+ return TreeIterator();
+}
+
+void output_tree(std::ostream& o, Parent& p,
+ enum OutputStyle style)
+{
+ Parent::iterator i, end;
+ end = p.end();
+ for (i = p.begin(TreeIterator::HYBRID); i != end; ++i) {
+ o << OutputFormat(*i, i.get_visited(), style) << "\n";
+ }
+ o << std::flush;
+}
+
+} // namespace policyrep
diff -r 570732c1a819 -r d060fb6e9bd1 libpolicyrep/src/policy_internal.hpp
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/libpolicyrep/src/policy_internal.hpp Mon Jun 25 14:25:13 2007 -0400
@@ -0,0 +1,1 @@
+
diff -r 570732c1a819 -r d060fb6e9bd1 libpolicyrep/src/policy_parse.y
--- a/libpolicyrep/src/policy_parse.y Wed Jun 20 12:46:57 2007 -0400
+++ b/libpolicyrep/src/policy_parse.y Mon Jun 25 14:25:13 2007 -0400
@@ -0,0 +1,675 @@
+
+/*
+ * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
+ */
+
+/*
+ * Updated: Karl MacMillan <kmacmillan@mentalrootkit.com>
+ * Rework the grammar to pass objects rather than relying
+ * on globals. General grammar improvements and removal
+ * of ordering constraints. Conversion to C++.
+ *
+ * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
+ *
+ * Support for enhanced MLS infrastructure.
+ *
+ * Updated: David Caplan, <dac@tresys.com>
+ *
+ * Added conditional policy language extensions
+ *
+ * Updated: Joshua Brindle <jbrindle@tresys.com>
+ * Karl MacMillan <kmacmillan@mentalrootkit.com>
+ * Jason Tang <jtang@tresys.com>
+ *
+ * Added support for binary policy modules
+ *
+ * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
+ * Copyright (C) 2003 - 2005 Tresys Technology, LLC
+ * Copyright (C) 2007 Red Hat Inc.
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 2.
+ */
+
+/* FLASK */
+
+// Use the C++ skeleton
+%skeleton "lalr1.cc"
+%name-prefix="policyrep"
+%define "parser_class_name" "policy_parser"
+
+%{
+
+#include <policyrep/policy.hpp>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+namespace policyrep {
+
+ class Parser;
+}
+//static int id_has_dot(char *id);
+
+%}
+
+%parse-param { Parser& driver }
+%lex-param { Parser& driver }
+
+%locations
+%initial-action
+{
+ @$.begin.filename = @$.end.filename = &driver.file;
+};
+
+%debug
+%error-verbose
+
+%union {
+ int val;
+ uint32_t uint;
+ unsigned long num;
+ std::string* id;
+ NodeVector* list;
+ StringVector* strings;
+ Node* pnode;
+}
+
+%{
+#include <policyrep/parse.hpp>
+
+policyrep::policy_parser::token_type
+ policyreplex(policyrep::policy_parser::semantic_type* yyval,
+ policyrep::policy_parser::location_type* yylloc,
+ policyrep::Parser& driver);
+
+%}
+
+%type <val> policy module_def //role_mls_op number
+
+//%type <uint> cexpr cexpr_prim op ipv4_addr_def
+
+%type <id> sub_identifier version_identifier asterisk tilde
+
+%type <list> policy_statements //require_decl cond_pol_list cond_else
+//%type <list> require_list cond_rule_def optional_else
+//%type <list> cond_expr
+
+%type <strings> identifier_list nested_id_list nested_id_element names
+%type <strings> id_comma_list nested_id_set
+
+%type <pnode> policy_statement
+%type <pnode> class_def
+%type <pnode> initial_sid_def
+%type <pnode> common_perms_def
+%type <pnode> av_perms_def
+%type <pnode> attribute_def
+/*
+%type <pnode> sensitivity_def dominance category_def level_def
+%type <pnode> mlsconstraint_def mlsvalidatetrans_def te_rbac_decl rbac_decl
+%type <pnode> te_decl attribute_def type_def typealias_def typeattribute_def
+%type <pnode> bool_def bool_val cond_stmt_def transition_def
+%type <pnode> require_block optional_block validatetrans_def
+%type <pnode> require_class require_decl_def range_trans_def
+%type <pnode> te_avtab_def allow_def auditallow_def auditdeny_def dontaudit_def
+%type <pnode> neverallow_def role_type_def role_dominance
+%type <pnode> role_trans_def role_allow_def roles role_def
+%type <pnode> constraint_decl constraint_def
+%type <pnode> user_def initial_sid_context_def fs_context_def port_context_def
+%type <pnode> netif_context_def node_context_def fs_use_def genfs_context_def
+*/
+
+%token END 0
+%token <id> PATH
+%token CLONE
+%token COMMON
+%token CLASS
+%token CONSTRAIN
+%token VALIDATETRANS
+%token INHERITS
+%token SID
+%token ROLE
+%token ROLES
+%token TYPEALIAS
+%token TYPEATTRIBUTE
+%token TYPE
+%token TYPES
+%token ALIAS
+%token ATTRIBUTE
+%token BOOL
+%token IF
+%token ELSE
+%token TYPE_TRANSITION
+%token TYPE_MEMBER
+%token TYPE_CHANGE
+%token ROLE_TRANSITION
+%token RANGE_TRANSITION
+%token SENSITIVITY
+%token DOMINANCE
+%token DOM DOMBY INCOMP
+%token CATEGORY
+%token LEVEL
+%token RANGE
+%token MLSCONSTRAIN
+%token MLSVALIDATETRANS
+%token USER
+%token NEVERALLOW
+%token ALLOW
+%token AUDITALLOW
+%token AUDITDENY
+%token DONTAUDIT
+%token SOURCE
+%token TARGET
+%token SAMEUSER
+%token FSCON PORTCON NETIFCON NODECON
+%token FSUSEXATTR FSUSETASK FSUSETRANS
+%token GENFSCON
+%token U1 U2 U3 R1 R2 R3 T1 T2 T3 L1 L2 H1 H2
+%token NOT AND OR XOR
+%token CTRUE CFALSE
+%token <id> IDENTIFIER
+%token NUMBER
+%token EQUALS
+%token NOTEQUAL
+%token COMMA
+%token SEMI
+%token COLON
+%token LPAREN
+%token RPAREN
+%token LBRACE
+%token RBRACE
+%token RBRACKET
+%token LBRACKET
+%token DASH
+%token PERIOD
+%token IPV6_ADDR
+%token MODULE
+%token REQUIRE OPTIONAL
+%token <id> VERSION_IDENTIFIER
+%token <id> TILDE
+%token <id> ASTERISK
+
+%left OR
+%left XOR
+%left AND
+%right NOT
+%left EQUALS NOTEQUAL
+
+ //%printer { debug_stream() << *$$; }
+ //%destructor { delete $$; }
+
+%%
+policy : policy_statements
+ { \
driver.pmodule->children().insert(driver.pmodule->children().end(), $1->begin(), \
$1->end()); } + | module_def policy_statements
+ { \
driver.pmodule->children().insert(driver.pmodule->children().end(), $2->begin(), \
$2->end()); delete $2; } + ;
+module_def : MODULE IDENTIFIER version_identifier SEMI
+ { driver.pmodule->set_name(*$2); driver.pmodule->set_version(*$3); }
+ ;
+policy_statements : policy_statement
+ { $$ = new NodeVector(1, NodePtr($1)); }
+ | policy_statement policy_statements
+ { $2->insert($2->begin(), NodePtr($1)); $$ = $2; }
+ ;
+policy_statement : class_def
+ | initial_sid_def
+ | common_perms_def
+ | av_perms_def
+ /* TE policy */
+ | attribute_def
+ ;
+class_def : CLASS IDENTIFIER
+ { $$ = new ObjectClass(*$2, ""); }
+ ;
+initial_sid_def : SID IDENTIFIER
+ { $$ = new InitialSid(*$2); }
+ ;
+common_perms_def : COMMON IDENTIFIER LBRACE identifier_list RBRACE
+ { $$ = new CommonPerms(*$2, *$4); }
+ ;
+av_perms_def : CLASS IDENTIFIER LBRACE identifier_list RBRACE
+ { $$ = new ObjectClass(*$2, "", *$4); }
+ | CLASS IDENTIFIER INHERITS IDENTIFIER
+ { $$ = new ObjectClass(*$2, *$4); }
+ | CLASS IDENTIFIER INHERITS IDENTIFIER LBRACE \
identifier_list RBRACE + { $$ = new ObjectClass(*$2, *$4, \
*$6); } + ;
+/*
+sensitivity_def : SENSITIVITY IDENTIFIER alias_def SEMI
+ { $$ = define_sens($2, $3); check($$); }
+ | SENSITIVITY IDENTIFIER SEMI
+ { $$ = define_sens($2, NULL); check($$); }
+ ;
+alias_def : ALIAS names { $$ = $2; }
+ ;
+dominance : DOMINANCE IDENTIFIER
+ { NodeVector tmp = tolist($2); check(tmp); $$ = define_dominance(tmp); check($$); \
} + | DOMINANCE LBRACE IDENTIFIER_list RBRACE
+ { $$ = define_dominance($3); check($$); }
+ ;
+category_def : CATEGORY IDENTIFIER alias_def SEMI
+ { $$ = define_category($2, $3); check($$); }
+ | CATEGORY IDENTIFIER SEMI
+ { $$ = define_category($2, NULL); check($$); }
+ ;
+level_def : LEVEL IDENTIFIER COLON id_comma_list SEMI
+ { $$ = define_level(); check($$); }
+ | LEVEL IDENTIFIER SEMI
+ { $$ = define_level(); check($$); }
+ ;
+mlsconstraint_def : MLSCONSTRAIN names names cexpr SEMI
+ { $$ = define_constraint($4); check($$); }
+ ;
+mlsvalidatetrans_def : MLSVALIDATETRANS names cexpr SEMI
+ { $$ = define_validatetrans($3); check($$); }
+ ;
+*/
+
+attribute_def : ATTRIBUTE IDENTIFIER SEMI
+ { $$ = new Attribute(*$2); }
+ ;
+/*
+type_def : TYPE IDENTIFIER alias_def opt_attr_list SEMI
+ { $$ = define_type(1); check($$); }
+ | TYPE IDENTIFIER opt_attr_list SEMI
+ { $$ = define_type(0); check($$); }
+ ;
+typealias_def : TYPEALIAS IDENTIFIER alias_def SEMI
+ { $$ = define_typealias(); check($$); }
+ ;
+typeattribute_def : TYPEATTRIBUTE IDENTIFIER id_comma_list SEMI
+ { $$ = define_typeattribute(); check($$); }
+ ;
+opt_attr_list : COMMA id_comma_list
+ |
+ ;
+bool_def : BOOL IDENTIFIER bool_val SEMI
+ { $$ = define_bool(); check($$); }
+ ;
+bool_val : CTRUE
+ { if (insert_id("T",0)) return -1; }
+ | CFALSE
+ { if (insert_id("F",0)) return -1; }
+ ;
+cond_stmt_def : IF cond_expr LBRACE cond_pol_list RBRACE cond_else
+ { $$ = define_conditional($2, $4, $6); check($$); }
+ ;
+cond_else : ELSE LBRACE cond_pol_list RBRACE
+ { $$ = $3; check($$); }
+ | { $$ = empty_list(); check($$); }
+ ;
+cond_expr : LPAREN cond_expr RPAREN
+ { $$ = $2; check($$); }
+ | NOT cond_expr
+ { $$ = define_cond_expr(COND_NOT, $2, 0); check($$); }
+ | cond_expr AND cond_expr
+ { $$ = define_cond_expr(COND_AND, $1, $3); check($$); }
+ | cond_expr OR cond_expr
+ { $$ = define_cond_expr(COND_OR, $1, $3); check($$); }
+ | cond_expr XOR cond_expr
+ { $$ = define_cond_expr(COND_XOR, $1, $3); check($$); }
+ | cond_expr EQUALS cond_expr
+ { $$ = define_cond_expr(COND_EQ, $1, $3); check($$); }
+ | cond_expr NOTEQUAL cond_expr
+ { $$ = define_cond_expr(COND_NEQ, $1, $3); check($$); }
+ | IDENTIFIER
+ { $$ = define_cond_expr(COND_BOOL,0, 0); check($$); }
+ ;
+cond_pol_list : cond_rule_def { $$ = $1; check($$); }
+ | cond_pol_list cond_rule_def { $$ = collect(2, $1, $2); check($$); }
+ ;
+cond_rule_def : transition_def { $$ = tolist($1); check($$); }
+ | te_avtab_def { $$ = tolist($1); check($$); }
+ | require_block { $$ = empty_list(); check($$); }
+ ;
+require_block : REQUIRE LBRACE require_list RBRACE { $$ = \
define_require_block($3); check($$); } + ;
+require_list : require_list require_decl { $$ = collect(2, $1, $2); \
check($$); } + | require_decl { $$ = $1; check($$); }
+ ;
+require_decl : require_class { $$ = tolist($1); check($$); }
+ | require_decl_def { $$ = tolist($1); check($$); }
+ ;
+require_class : CLASS IDENTIFIER names SEMI { $$ = define_require_class(); \
check($$); } + ;
+require_decl_def : ROLE id_comma_list SEMI { $$ = define_require_role(); \
check($$); } + | TYPE id_comma_list SEMI { $$ = define_require_type(); check($$); }
+ | ATTRIBUTE id_comma_list SEMI { $$ = \
define_require_attribute(); check($$); } + | USER \
id_comma_list SEMI { $$ = define_require_user(); check($$); } + \
| BOOL id_comma_list SEMI { $$ = define_require_bool(); check($$); } + \
| SENSITIVITY id_comma_list SEMI { $$ = define_require_sensitivity(); check($$); } + \
| CATEGORY id_comma_list SEMI { $$ = define_require_category(); check($$); } + \
; +optional_block : OPTIONAL LBRACE policy_statements RBRACE optional_else
+ { $$ = define_optional_block($3, $5); check($$); }
+ ;
+optional_else : ELSE LBRACE policy_statements RBRACE { $$ = $3; check($$); \
} + | { $$ = empty_list(); check($$); }
+ ;
+transition_def : TYPE_TRANSITION names names COLON names IDENTIFIER SEMI
+ { $$ = define_compute_type(AVRULE_TRANSITION); check($$); }
+ | TYPE_MEMBER names names COLON names IDENTIFIER SEMI
+ { $$ = define_compute_type(AVRULE_MEMBER); check($$); }
+ | TYPE_CHANGE names names COLON names IDENTIFIER SEMI
+ { $$ = define_compute_type(AVRULE_CHANGE); check($$); }
+ ;
+range_trans_def : RANGE_TRANSITION names names mls_range_def SEMI
+ { $$ = define_range_trans(0); check($$); }
+ | RANGE_TRANSITION names names COLON names mls_range_def SEMI
+ { $$ = define_range_trans(1); check($$); }
+ ;
+te_avtab_def : allow_def
+ | auditallow_def
+ | auditdeny_def
+ | dontaudit_def
+ | neverallow_def
+ ;
+allow_def : ALLOW names names COLON names names SEMI
+ { $$ = define_te_avtab(AVRULE_ALLOWED); check($$); }
+ ;
+auditallow_def : AUDITALLOW names names COLON names names SEMI
+ { $$ = define_te_avtab(AVRULE_AUDITALLOW); check($$); }
+ ;
+auditdeny_def : AUDITDENY names names COLON names names SEMI
+ { $$ = define_te_avtab(AVRULE_AUDITDENY); check($$); }
+ ;
+dontaudit_def : DONTAUDIT names names COLON names names SEMI
+ { $$ = define_te_avtab(AVRULE_DONTAUDIT); check($$); }
+ ;
+neverallow_def : NEVERALLOW names names COLON names names SEMI
+ { $$ = define_te_avtab(AVRULE_NEVERALLOW); check($$); }
+ ;
+role_type_def : ROLE IDENTIFIER TYPES names SEMI
+ { $$ = define_role_types(); check($$); }
+ | ROLE IDENTIFIERSEMI
+ { $$ = define_role_types(); check($$); }
+ ;
+role_dominance : DOMINANCE LBRACE roles RBRACE { $$ = $3; check($$); }
+ ;
+role_trans_def : ROLE_TRANSITION names names IDENTIFIER SEMI
+ { $$ = define_role_trans(); check($$); }
+ ;
+role_allow_def : ALLOW names names SEMI
+ { $$ = define_role_allow(); check($$); }
+ ;
+roles : role_def
+ { $$ = $1; check($$); }
+ | roles role_def
+ { $$ = merge_roles_dom($1, $2); check($$); }
+ ;
+role_def : ROLE IDENTIFIER_push SEMI
+ { $$ = define_role_dom(NULL); check($$); }
+ | ROLE IDENTIFIER_push LBRACE roles RBRACE
+ { $$ = define_role_dom($4); check($$); }
+ ;
+constraint_decl : constraint_def
+ | validatetrans_def
+ ;
+constraint_def : CONSTRAIN names names cexpr SEMI
+ { $$ = define_constraint($4); check($$); }
+ ;
+validatetrans_def : VALIDATETRANS names cexpr SEMI
+ { $$ = define_validatetrans($3); check($$); }
+ ;
+cexpr : LPAREN cexpr RPAREN
+ { $$ = $2; }
+ | NOT cexpr
+ { $$ = define_cexpr(CEXPR_NOT, $2, 0);
+ if ($$ == 0) return -1; }
+ | cexpr AND cexpr
+ { $$ = define_cexpr(CEXPR_AND, $1, $3);
+ if ($$ == 0) return -1; }
+ | cexpr OR cexpr
+ { $$ = define_cexpr(CEXPR_OR, $1, $3);
+ if ($$ == 0) return -1; }
+ | cexpr_prim
+ { $$ = $1; }
+ ;
+cexpr_prim : U1 op U2
+ { $$ = define_cexpr(CEXPR_ATTR, CEXPR_USER, $2);
+ if ($$ == 0) return -1; }
+ | R1 role_mls_op R2
+ { $$ = define_cexpr(CEXPR_ATTR, CEXPR_ROLE, $2);
+ if ($$ == 0) return -1; }
+ | T1 op T2
+ { $$ = define_cexpr(CEXPR_ATTR, CEXPR_TYPE, $2);
+ if ($$ == 0) return -1; }
+ | U1 op { if (insert_separator(1)) return -1; } names_push
+ { $$ = define_cexpr(CEXPR_NAMES, CEXPR_USER, $2);
+ if ($$ == 0) return -1; }
+ | U2 op { if (insert_separator(1)) return -1; } names_push
+ { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_USER | CEXPR_TARGET), $2);
+ if ($$ == 0) return -1; }
+ | U3 op { if (insert_separator(1)) return -1; } names_push
+ { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_USER | CEXPR_XTARGET), $2);
+ if ($$ == 0) return -1; }
+ | R1 op { if (insert_separator(1)) return -1; } names_push
+ { $$ = define_cexpr(CEXPR_NAMES, CEXPR_ROLE, $2);
+ if ($$ == 0) return -1; }
+ | R2 op { if (insert_separator(1)) return -1; } names_push
+ { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_ROLE | CEXPR_TARGET), $2);
+ if ($$ == 0) return -1; }
+ | R3 op { if (insert_separator(1)) return -1; } names_push
+ { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_ROLE | CEXPR_XTARGET), $2);
+ if ($$ == 0) return -1; }
+ | T1 op { if (insert_separator(1)) return -1; } names_push
+ { $$ = define_cexpr(CEXPR_NAMES, CEXPR_TYPE, $2);
+ if ($$ == 0) return -1; }
+ | T2 op { if (insert_separator(1)) return -1; } names_push
+ { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_TYPE | CEXPR_TARGET), $2);
+ if ($$ == 0) return -1; }
+ | T3 op { if (insert_separator(1)) return -1; } names_push
+ { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_TYPE | CEXPR_XTARGET), $2);
+ if ($$ == 0) return -1; }
+ | SAMEUSER
+ { $$ = define_cexpr(CEXPR_ATTR, CEXPR_USER, CEXPR_EQ);
+ if ($$ == 0) return -1; }
+ | SOURCE ROLE { if (insert_separator(1)) return -1; } names_push
+ { $$ = define_cexpr(CEXPR_NAMES, CEXPR_ROLE, CEXPR_EQ);
+ if ($$ == 0) return -1; }
+ | TARGET ROLE { if (insert_separator(1)) return -1; } names_push
+ { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_ROLE | CEXPR_TARGET), CEXPR_EQ);
+ if ($$ == 0) return -1; }
+ | ROLE role_mls_op
+ { $$ = define_cexpr(CEXPR_ATTR, CEXPR_ROLE, $2);
+ if ($$ == 0) return -1; }
+ | SOURCE TYPE { if (insert_separator(1)) return -1; } names_push
+ { $$ = define_cexpr(CEXPR_NAMES, CEXPR_TYPE, CEXPR_EQ);
+ if ($$ == 0) return -1; }
+ | TARGET TYPE { if (insert_separator(1)) return -1; } names_push
+ { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_TYPE | CEXPR_TARGET), CEXPR_EQ);
+ if ($$ == 0) return -1; }
+ | L1 role_mls_op L2
+ { $$ = define_cexpr(CEXPR_ATTR, CEXPR_L1L2, $2);
+ if ($$ == 0) return -1; }
+ | L1 role_mls_op H2
+ { $$ = define_cexpr(CEXPR_ATTR, CEXPR_L1H2, $2);
+ if ($$ == 0) return -1; }
+ | H1 role_mls_op L2
+ { $$ = define_cexpr(CEXPR_ATTR, CEXPR_H1L2, $2);
+ if ($$ == 0) return -1; }
+ | H1 role_mls_op H2
+ { $$ = define_cexpr(CEXPR_ATTR, CEXPR_H1H2, $2);
+ if ($$ == 0) return -1; }
+ | L1 role_mls_op H1
+ { $$ = define_cexpr(CEXPR_ATTR, CEXPR_L1H1, $2);
+ if ($$ == 0) return -1; }
+ | L2 role_mls_op H2
+ { $$ = define_cexpr(CEXPR_ATTR, CEXPR_L2H2, $2);
+ if ($$ == 0) return -1; }
+ ;
+op : EQUALS
+ { $$ = CEXPR_EQ; }
+ | NOTEQUAL
+ { $$ = CEXPR_NEQ; }
+ ;
+role_mls_op : op
+ { $$ = $1; }
+ | DOM
+ { $$ = CEXPR_DOM; }
+ | DOMBY
+ { $$ = CEXPR_DOMBY; }
+ | INCOMP
+ { $$ = CEXPR_INCOMP; }
+ ;
+user_def : USER IDENTIFIER ROLES names opt_mls_user SEMI
+ { $$ = define_user(); check($$); }
+ ;
+opt_mls_user : LEVEL mls_level_def RANGE mls_range_def
+ |
+ ;
+initial_sid_context_def : SID IDENTIFIER security_context_def
+ { $$ = define_initial_sid_context(); check($$); }
+ ;
+fs_context_def : FSCON number number security_context_def security_context_def
+ { $$ = define_fs_context($2,$3); check($$); }
+ ;
+port_context_def : PORTCON IDENTIFIER number security_context_def
+ { $$ = define_port_context($3,$3); check($$); }
+ | PORTCON IDENTIFIER number DASH number security_context_def
+ { $$ = define_port_context($3,$5); check($$); }
+ ;
+netif_context_def : NETIFCON IDENTIFIER security_context_def security_context_def
+ { $$ = define_netif_context(); }
+ ;
+node_context_def : NODECON ipv4_addr_def ipv4_addr_def security_context_def
+ { $$ = define_ipv4_node_context($2,$3); check($$); }
+ | NODECON ipv6_addr ipv6_addr security_context_def
+ { $$ = define_ipv6_node_context(); check($$); }
+ ;
+fs_use_def : FSUSEXATTR IDENTIFIER security_context_def SEMI
+ { $$ = define_fs_use(SECURITY_FS_USE_XATTR); check($$); }
+ | FSUSETASK IDENTIFIER security_context_def SEMI
+ { $$ = define_fs_use(SECURITY_FS_USE_TASK); check($$); }
+ | FSUSETRANS IDENTIFIER security_context_def SEMI
+ { $$ = define_fs_use(SECURITY_FS_USE_TRANS); check($$); }
+ ;
+genfs_context_def : GENFSCON IDENTIFIER path DASH IDENTIFIER security_context_def
+ { $$ = define_genfs_context(1); check($$); }
+ | GENFSCON IDENTIFIER path DASH DASH {insert_id("-", 0);} security_context_def
+ { $$ = define_genfs_context(1); check($$); }
+ | GENFSCON IDENTIFIER path security_context_def
+ { $$ = define_genfs_context(0); check($$); }
+ ;
+ipv4_addr_def : number PERIOD number PERIOD number PERIOD number
+ {
+ uint32_t addr;
+ unsigned char *p = ((unsigned char *)&addr);
+
+ p[0] = $1 & 0xff;
+ p[1] = $3 & 0xff;
+ p[2] = $5 & 0xff;
+ p[3] = $7 & 0xff;
+ $$ = addr;
+ }
+ ;
+security_context_def : IDENTIFIER COLON IDENTIFIER COLON IDENTIFIER \
opt_mls_range_def + ;
+opt_mls_range_def : COLON mls_range_def
+ |
+ ;
+mls_range_def : mls_level_def DASH mls_level_def
+ {if (insert_separator(0)) return -1;}
+ | mls_level_def
+ {if (insert_separator(0)) return -1;}
+ ;
+mls_level_def : IDENTIFIER COLON id_comma_list
+ {if (insert_separator(0)) return -1;}
+ | IDENTIFIER
+ {if (insert_separator(0)) return -1;}
+ ;
+*/
+id_comma_list : IDENTIFIER { $$ = new StringVector(1, $1); }
+ | id_comma_list COMMA IDENTIFIER
+ { $1->push_back($3); $$ = $1; }
+ ;
+tilde : TILDE { $$ = $<id>1; }
+ ;
+asterisk : ASTERISK { $$ = $<id>1; }
+ ;
+names : IDENTIFIER { $$ = new string_vector(1, *$1); }
+ | nested_id_set
+ | asterisk { $$ = new string_vector(1, *$1); }
+ | tilde IDENTIFIER
+ { string_vector* p = new string_vector(1, *$1);
+ p->push_back(*$2); $$ = p; }
+ | tilde nested_id_set
+ { string_vector* p = new string_vector(1, *$1);
+ p->insert(p->end(), $2->begin(), $2->end());
+ $$ = p; }
+ | IDENTIFIER sub_identifier
+ { string_vector* p = new string_vector(1, *$1); p->push_back(*$2); $$ = p; }
+ ;
+/*
+tilde_push : tilde
+ { if (insert_id("~", 1)) return -1; }
+ ;
+asterisk_push : asterisk
+ { if (insert_id("*", 1)) return -1; }
+ ;
+names_push : identifier_push
+ | LBRACE identifier_list_push RBRACE
+ | asterisk_push
+ | tilde_push identifier_push
+ | tilde_push LBRACE identifier_list_push RBRACE
+ ;
+identifier_list_push : IDENTIFIER { $$ = StringVectorPtr(new StringVector($1)); }
+ | IDENTIFIER_list_push IDENTIFIER
+ { $1->insert($1->end(), $2->rbegin(), $->rend()); $$ = $1; }
+ ;
+*/
+identifier_list : IDENTIFIER { $$ = new StringVector(1, *$1); }
+ | identifier_list IDENTIFIER
+ { $1->push_back(*$2); $$ = $1; }
+ ;
+nested_id_set : LBRACE nested_id_list RBRACE { $$ = $2; }
+ ;
+nested_id_list : nested_id_element
+ | nested_id_list nested_id_element
+ { $1->insert($1->end(), $2->begin(), $2->end()); $$ = $1; }
+ ;
+nested_id_element : IDENTIFIER { $$ = new StringVector(1, *$1); }
+ | sub_identifier { $$ = new StringVector(1, *$1); }
+ | nested_id_set
+ ;
+version_identifier : VERSION_IDENTIFIER { $$ = $<id>1; }
+ ;
+sub_identifier : DASH IDENTIFIER { $$ = new std::string("-") + *$2 }
+ ;
+/*
+number : NUMBER
+ { $$ = strtoul(yytext,NULL,0); }
+ ;
+ipv6_addr : IPV6_ADDR
+ { if (insert_id(yytext,0)) return -1; }
+ ;
+version_identifier : VERSION_IDENTIFIER
+ ;
+*/
+%%
+
+namespace policyrep {
+
+ void policy_parser::error(const policy_parser::location_type& l,
+ const std::string& m)
+ {
+ driver.error(l, m);
+ }
+
+
+ /* If the identifier has a dot within it and that its first character
+ is not a dot then return 1, else return 0. */
+
+static int id_has_dot(char *id)
+ {
+ if (strchr(id, '.') >= id + 1) {
+ return 1;
+ }
+ return 0;
+ }
+} // namespace policyrep
+
+/* FLASK */
+
+
diff -r 570732c1a819 -r d060fb6e9bd1 libpolicyrep/src/policy_scan.l
--- a/libpolicyrep/src/policy_scan.l Wed Jun 20 12:46:57 2007 -0400
+++ b/libpolicyrep/src/policy_scan.l Mon Jun 25 14:25:13 2007 -0400
@@ -0,0 +1,275 @@
+
+/*
+ * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
+ */
+
+/* Updated: Karl MacMillan <kmacmillan@mentalrootkit.com>
+ * Converted to C++
+ *
+ * Updated: David Caplan, <dac@tresys.com>
+ *
+ * Added conditional policy language extensions
+ *
+ * Jason Tang <jtang@tresys.com>
+ *
+ * Added support for binary policy modules
+ *
+ * Copyright (C) 2007 Red Hat, Inc.
+ * Copyright (C) 2003-5 Tresys Technology, LLC
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 2.
+ */
+
+/* FLASK */
+
+%{
+#include "policy_parse.hpp"
+#include <policyrep/parse.hpp>
+
+#include <stdexcept>
+#include <string>
+
+static int is_valid_identifier(char *id);
+
+#define YY_DECL \
+ policyrep::policy_parser::token_type \
+ policyreplex(policyrep::policy_parser::semantic_type* yylval, \
+ policyrep::policy_parser::location_type* yylloc, \
+ policyrep::Parser& driver)
+
+#define yyterminate() return token::END
+
+%}
+
+%option noyywrap nounput batch debug
+%option outfile="policy_scan.cpp" header-file="scanner-file.cpp"
+
+%array
+letter [A-Za-z]
+digit [0-9]
+hexval [0-9A-Fa-f]
+version [0-9]+(\.[A-Za-z0-9_.]*)?
+
+%{
+typedef policyrep::policy_parser::token token;
+#define YY_USER_ACTION yylloc->columns(yyleng);
+%}
+
+%%
+
+%{
+ yylloc->step();
+%}
+
+\n.* { yylloc->lines(yyleng); yylloc->step(); yyless(1); }
+
+CLONE |
+clone { return token::CLONE; }
+COMMON |
+common { return token::COMMON; }
+CLASS |
+class { return token::CLASS; }
+CONSTRAIN |
+constrain { return token::CONSTRAIN; }
+VALIDATETRANS |
+validatetrans { return token::VALIDATETRANS; }
+INHERITS |
+inherits { return token::INHERITS; }
+SID |
+sid { return token::SID; }
+ROLE |
+role { return token::ROLE; }
+ROLES |
+roles { return token::ROLES; }
+TYPES |
+types { return token::TYPES; }
+TYPEALIAS |
+typealias { return token::TYPEALIAS; }
+TYPEATTRIBUTE |
+typeattribute { return token::TYPEATTRIBUTE; }
+TYPE |
+type { return token::TYPE; }
+BOOL |
+bool { return token::BOOL; }
+IF |
+if { return token::IF; }
+ELSE |
+else { return token::ELSE; }
+ALIAS |
+alias { return token::ALIAS; }
+ATTRIBUTE |
+attribute { return token::ATTRIBUTE; }
+TYPE_TRANSITION |
+type_transition { return token::TYPE_TRANSITION; }
+TYPE_MEMBER |
+type_member { return token::TYPE_MEMBER; }
+TYPE_CHANGE |
+type_change { return token::TYPE_CHANGE; }
+ROLE_TRANSITION |
+role_transition { return token::ROLE_TRANSITION; }
+RANGE_TRANSITION |
+range_transition { return token::RANGE_TRANSITION; }
+SENSITIVITY |
+sensitivity { return token::SENSITIVITY; }
+DOMINANCE |
+dominance { return token::DOMINANCE; }
+CATEGORY |
+category { return token::CATEGORY; }
+LEVEL |
+level { return token::LEVEL; }
+RANGE |
+range { return token::RANGE; }
+MLSCONSTRAIN |
+mlsconstrain { return token::MLSCONSTRAIN; }
+MLSVALIDATETRANS |
+mlsvalidatetrans { return token::MLSVALIDATETRANS; }
+USER |
+user { return token::USER; }
+NEVERALLOW |
+neverallow { return token::NEVERALLOW; }
+ALLOW |
+allow { return token::ALLOW; }
+AUDITALLOW |
+auditallow { return token::AUDITALLOW; }
+AUDITDENY |
+auditdeny { return token::AUDITDENY; }
+DONTAUDIT |
+dontaudit { return token::DONTAUDIT; }
+SOURCE |
+source { return token::SOURCE; }
+TARGET |
+target { return token::TARGET; }
+SAMEUSER |
+sameuser { return token::SAMEUSER;}
+module|MODULE { return token::MODULE; }
+require|REQUIRE { return token::REQUIRE; }
+optional|OPTIONAL { return token::OPTIONAL; }
+OR |
+or { return token::OR;}
+AND |
+and { return token::AND;}
+NOT |
+not { return token::NOT;}
+xor |
+XOR { return token::XOR; }
+eq |
+EQ { return token::EQUALS;}
+true |
+TRUE { return token::CTRUE; }
+false |
+FALSE { return token::CFALSE; }
+dom |
+DOM { return token::DOM;}
+domby |
+DOMBY { return token::DOMBY;}
+INCOMP |
+incomp { return token::INCOMP;}
+fscon |
+FSCON { return token::FSCON;}
+portcon |
+PORTCON { return token::PORTCON;}
+netifcon |
+NETIFCON { return token::NETIFCON;}
+nodecon |
+NODECON { return token::NODECON;}
+fs_use_xattr |
+FS_USE_XATTR { return token::FSUSEXATTR;}
+fs_use_task |
+FS_USE_TASK { return token::FSUSETASK;}
+fs_use_trans |
+FS_USE_TRANS { return token::FSUSETRANS;}
+genfscon |
+GENFSCON { return token::GENFSCON;}
+r1 |
+R1 { return token::R1; }
+r2 |
+R2 { return token::R2; }
+r3 |
+R3 { return token::R3; }
+u1 |
+U1 { return token::U1; }
+u2 |
+U2 { return token::U2; }
+u3 |
+U3 { return token::U3; }
+t1 |
+T1 { return token::T1; }
+t2 |
+T2 { return token::T2; }
+t3 |
+T3 { return token::T3; }
+l1 |
+L1 { return token::L1; }
+l2 |
+L2 { return token::L2; }
+h1 |
+H1 { return token::H1; }
+h2 |
+H2 { return token::H2; }
+"/"({letter}|{digit}|_|"."|"-"|"/")* { yylval->id = new std::string(yytext); return \
token::PATH; } +{letter}({letter}|{digit}|_|"."|"-")* { if \
(is_valid_identifier(yytext)) { + yylval->id = new \
std::string(yytext); + return token::IDENTIFIER;
+ } else {
+ REJECT;
+ }
+ }
+{digit}{digit}* { yylval->num = strtoul(yytext, NULL, 0); return \
token::NUMBER; } +{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":"|".")* { yylval->id = \
new std::string(yytext); + \
return token::IPV6_ADDR; } +{version}/([ \t\f]*;) { yylval->id = new \
std::string(yytext); return token::VERSION_IDENTIFIER; } +#line[ ]1[ ]\"[^\n]*\" { \
yylloc->lines(1); } +#line[ ]{digit}{digit}* { yylloc->lines(atoi(yytext+6)-1); }
+#[^\n]* { yylloc->lines(yyleng); yylloc->step(); }
+[ \t\f]+ { }
+"==" { return token::EQUALS; }
+"!=" { return token::NOTEQUAL; }
+"&&" { return token::AND; }
+"||" { return token::OR; }
+"!" { return token::NOT; }
+"^" { return token::XOR; }
+"," { return token::COMMA; }
+":" { return token::COLON; }
+";" { return token::SEMI; }
+"(" { return token::LPAREN; }
+")" { return token::RPAREN; }
+"{" { return token::LBRACE; }
+"}" { return token::RBRACE; }
+"[" { return token::LBRACKET; }
+"-" { return token::DASH; }
+"." { return token::PERIOD; }
+"]" { return token::RBRACKET; }
+"~" { return token::TILDE; }
+"*" { return token::ASTERISK; }
+. { driver.error(*yylloc, "unrecognized character"); }
+%%
+
+static int is_valid_identifier(char *id) {
+ if ((strrchr(id, '.')) != NULL) {
+ if (strstr(id, "..") != NULL) {
+ /* identifier has consecutive '.' */
+ return 0;
+ }
+ if (id[strlen(id) - 1] == '.') {
+ /* identifier ends in '.' */
+ return 0;
+ }
+ }
+ return 1;
+}
+
+// implementation from parse.hpp
+void policyrep::Parser::scan_begin()
+{
+ yy_flex_debug = trace_scanning;
+ if (!(yyin = fopen(file.c_str(), "r"))) {
+ error(std::string("cannot open ") + file);
+ throw std::invalid_argument("no such file: " + file);
+ }
+}
+
+void policyrep::Parser::scan_end()
+{
+ fclose(yyin);
+}
diff -r 570732c1a819 -r d060fb6e9bd1 libpolicyrep/src/policyrep_python.cpp
--- a/libpolicyrep/src/policyrep_python.cpp Wed Jun 20 12:46:57 2007 -0400
+++ b/libpolicyrep/src/policyrep_python.cpp Mon Jun 25 14:25:13 2007 -0400
@@ -0,0 +1,152 @@
+/*
+ * Author : Karl MacMillan <kmacmillan@mentalrootkit.com>
+ *
+ * Copyright (C) 2007 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#include <sstream>
+
+#include <policyrep/policy.hpp>
+#include <policyrep/parse.hpp>
+
+using namespace policyrep;
+
+#include <boost/python.hpp>
+#include <boost/python/suite/indexing/vector_indexing_suite.hpp>
+#include <boost/python/register_ptr_to_python.hpp>
+
+using namespace boost::python;
+
+void set_insert(StringSet &s, const char* c) { s.insert(c); }
+
+void set_erase(StringSet &s, const char* c) { s.erase(c); }
+
+std::string set_to_string(const StringSet &s) {
+ std::stringstream ss;
+ ss << "StringSet([";
+ bool first = true;
+ for (StringSet::const_iterator i = s.begin(); i != s.end(); ++i) {
+ if (first)
+ first = false;
+ else
+ ss << ", ";
+ ss << "'" << *i << "'";
+ }
+ ss << "])";
+ return ss.str();
+}
+
+BOOST_PYTHON_MODULE(policyrep)
+{
+
+ //
+ // PolicyBase
+ //
+
+ class_<Node>("Node")
+ .def("get_parent", &Node::get_parent, \
return_value_policy<reference_existing_object>()) + .def("set_parent", \
&Node::set_parent)//, return_value_Policy<reference_existing_object>()) + \
.add_property("visited", &Node::get_visited, &Node::set_visited) + \
.def("__str__", &Node::to_string) + .def("to_string_end", \
&Node::to_string_end) + ;
+ register_ptr_to_python<NodePtr>();
+
+ class_<NodeVector>("NodeVector")
+ .def(vector_indexing_suite<NodeVector, true>())
+ ;
+
+ class_<Parent, bases<Node> >("Parent")
+ .def("append_child", &Parent::append_child)
+ .def("children", &Parent::children, \
return_value_policy<reference_existing_object>()) + ;
+
+ register_ptr_to_python<ParentPtr>();
+
+ //
+ // Policy
+ //
+
+ class_<Policy, bases<Parent> >("Policy")
+ .add_property("mls", &Policy::get_mls, &Policy::set_mls)
+ ;
+ register_ptr_to_python<PolicyPtr>();
+
+
+ class_<Module, bases<Parent> >("Module")
+ .add_property("name", &Module::get_name, &Module::set_name)
+ .add_property("version", &Module::get_version, &Module::set_version)
+ ;
+ register_ptr_to_python<ModulePtr>();
+
+ class_<StringSet>("StringSet")
+ .def("add", &set_insert)
+ .def("discard", &set_erase)
+ .def("__str__", &set_to_string)
+ .def("__repr__", &set_to_string)
+ .def("__iter__", range(&StringSet::begin, &StringSet::end))
+ ;
+
+ class_<Type, bases<Node> >("Type")
+ .add_property("name", &Type::get_name, &Type::set_name)
+ .add_property("aliases"
+ , make_function(
+ &Type::aliases, \
return_value_policy<reference_existing_object>() + ))
+ .add_property("attributes"
+ , make_function(
+ &Type::attributes, \
return_value_policy<reference_existing_object>() + ))
+ ;
+ register_ptr_to_python<TypePtr>();
+
+ class_<CommonPerms, bases<Node> >("CommonPerms")
+ .add_property("name", &CommonPerms::get_name, &CommonPerms::set_name)
+ .add_property("perms",
+ make_function(&CommonPerms::perms,
+ return_value_policy<reference_existing_object>()))
+ ;
+ register_ptr_to_python<CommonPermsPtr>();
+
+ class_<ObjectClass, bases<Node> >("ObjectClass")
+ .add_property("name", &ObjectClass::get_name, &ObjectClass::set_name)
+ .add_property("common_perms", &ObjectClass::get_common_perms, \
&ObjectClass::set_common_perms) + .add_property("perms",
+ make_function(&ObjectClass::perms,
+ return_value_policy<reference_existing_object>()))
+ ;
+ register_ptr_to_python<ObjectClassPtr>();
+
+ class_<InitialSid, bases<Node> >("InitialSid")
+ .add_property("name", &InitialSid::get_name, &InitialSid::set_name)
+ ;
+ register_ptr_to_python<InitialSidPtr>();
+
+ class_<Attribute, bases<Node> >("Attribute")
+ .add_property("name", &Attribute::get_name, &Attribute::set_name)
+ ;
+ register_ptr_to_python<AttributePtr>();
+
+ //
+ // Parse
+ //
+
+ class_<Parser>("Parser")
+ .def("parse", make_function(&Parser::parse,
+ return_value_policy<manage_new_object>()))
+ ;
+}
diff -r 570732c1a819 -r d060fb6e9bd1 libpolicyrep/tests/Makefile
--- a/libpolicyrep/tests/Makefile Wed Jun 20 12:46:57 2007 -0400
+++ b/libpolicyrep/tests/Makefile Mon Jun 25 14:25:13 2007 -0400
@@ -0,0 +1,24 @@
+M4 ?= m4
+MKDIR ?= mkdir
+EXE ?= libpolicyrep-test
+
+CFLAGS += -g3 -gdwarf-2 -o0 -Wall -W -Wundef -Wmissing-noreturn \
-Wmissing-format-attribute -Wno-unused-parameter -Werror -I../include +
+LIBPOLICYREP := ../src/libpolicyrep.a
+
+# test program object files
+objs := $(patsubst %.cpp,%.o,$(wildcard *.cpp))
+
+all: $(EXE)
+
+$(EXE): $(objs) $(LIBPOLICYREP)
+ g++ $(CFLAGS) $(objs) $(LIBPOLICYREP) -lboost_serialization -o $@
+
+%.o: %.cpp
+ g++ $(CFLAGS) -fPIC -c -o $@ $<
+
+clean:
+ rm -f $(objs) $(EXE)
+
+test: $(EXE)
+ ./$(EXE)
diff -r 570732c1a819 -r d060fb6e9bd1 libpolicyrep/tests/libpolicyrep-test.cpp
--- a/libpolicyrep/tests/libpolicyrep-test.cpp Wed Jun 20 12:46:57 2007 -0400
+++ b/libpolicyrep/tests/libpolicyrep-test.cpp Mon Jun 25 14:25:13 2007 -0400
@@ -0,0 +1,59 @@
+/*
+ * Author : Karl MacMillan <kmacmillan@mentalrootkit.com>
+ *
+ * Copyright (C) 2007 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#include <policyrep/policy.hpp>
+#include <policyrep/parse.hpp>
+
+#include <sstream>
+#include <iostream>
+
+using namespace policyrep;
+
+int main(int argc, char **argv)
+{
+ PolicyPtr pol(new Policy());
+ ModulePtr mod(new Module("foo", "1.0"));
+ pol->append_child(mod);
+ TypePtr t(new Type("foo"));
+ t->aliases().insert("bar");
+ t->aliases().insert("baz");
+ t->aliases().insert("bar"); // duplicate - will be ingored
+ t->attributes().insert("domain");
+ t->attributes().insert("userdomain");
+
+ mod->append_child(t);
+
+ std::cout << "============ basic test ============" << std::endl;
+ output_tree(std::cout, *pol);
+
+ std::stringstream s;
+ output_tree(s, *pol);
+ std::cout << s.str() << std::endl;
+
+ std::cout << "============ Parsing ============" << std::endl;
+ Parser p;
+ //p.trace_parsing = true;
+ //p.trace_scanning = true;
+
+ ModulePtr parsed_mod(p.parse("foo.te"));
+ output_tree(std::cout, *parsed_mod);
+
+ return 0;
+}
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic