a hez6@sddlZddlZddlZddlZddlmZddlmZddlmZddlmZddlm Z dZ d d d d d ddddddddddddddddddd d!d"d#d$d%d&d'd(d)d*d+d,d-d.d/d0d1d2d3d4d5d6d7d8d9d:d;d5Z d?Z d@Z dAZdBZdCZdDZdEZdFZdGZdHZdIZdJZdKZdLZdMZdNZdOZdPZdQZdRdSZdTdUZ dVdWZ!dXdYZ"dZd[Z#d\d]Z$d^d_Z%d`daZ&dbdcZ'da(da)dda*da+dea,ddfdgZ-dhdiZ.djdkZ/dldmZ0dndoZ1dpdqZ2drdsZ3dtduZ4dvdwZ5dxdyZ6dzd{Z7d|d}Z8d~dZ9ddZ:ddZ;ddZddZ?ddZ@ddZAddZBddZCddZDddZEddZFddZGddZHddZIddZJddZKddZLddZMddZNddZOddZPddZQddZRddZSddZTddZUddZVddZWddZXddZYddZZddÄZ[ddńZ\ddDŽZ]ddɄZ^dd˄Z_dd̈́Z`ddτZaddфZbddӄZcddՄZdddׄZeddلZfddۄZgdd݄Zhdd߄ZiddZjddZkddZlddZmddZnddZoddZpdaqdarddZsdddZtddZudddZvdS)N)access)defaults)lex) refpolicy)yacc)JZTICKZSQUOTEZOBRACEZCBRACESEMICOLONZOPARENZCPARENCOMMAMINUSTILDEZASTERISKZAMPZBARZEXPLEQUALFILENAME IDENTIFIERNUMBERPATHZ IPV6_ADDRMODULE POLICY_MODULEREQUIRESIDGENFSCON FS_USE_XATTR FS_USE_TRANS FS_USE_TASKPORTCONNODECONNETIFCONPIRQCONIOMEMCON IOPORTCON PCIDEVICECON DEVICETREECONCLASS TYPEATTRIBUTE ROLEATTRIBUTETYPE ATTRIBUTEATTRIBUTE_ROLEALIAS TYPEALIASBOOLTRUEFALSEIFELSEROLETYPESALLOW DONTAUDIT AUDITALLOW NEVERALLOW PERMISSIVE TYPEBOUNDSTYPE_TRANSITION TYPE_CHANGE TYPE_MEMBERRANGE_TRANSITIONROLE_TRANSITION OPT_POLICY INTERFACETUNABLE_POLICYGEN_REQTEMPLATE GEN_CONTEXT GEN_TUNABLEIFELSEIFDEFIFNDEFDEFINErrrrrrrrrrrrrrr r!r"r#r$r%r&r'r(r)r*r+r,r-r.r/r0r1r2r3r4r5r6r7r8r9r:r;r<r=r>r?r@rArBrCrErDrF)5moduleZ policy_moduleZrequireZsidZgenfscon fs_use_xattr fs_use_trans fs_use_taskZportconZnodeconZnetifconZpirqconZiomemconZ ioportconZ pcideviceconZ devicetreeconclassZ typeattributeZ roleattributetypeZ attributeZattribute_rolealiasZ typealiasbooltrueZfalseifelseroletypesZallow dontaudit auditallow neverallowZ permissiveZ typeboundsZtype_transition type_change type_memberZrange_transitionZrole_transitionZoptional_policy interfaceZtunable_policyZ gen_requiretemplateZ gen_contextZ gen_tunableZifelseZifndefifdefZdefinez\`z\'z\{z\}z\;+z\:z\(z\)z\,z\-z\~z\*z\&z\|z\!z\=z[0-9\.]+z/[a-zA-Z0-9)_\.\*/\$]*z cCs|S)z2[a-fA-F0-9]{0,4}:[a-fA-F0-9]{0,4}:([a-fA-F0-9]|:)*tr\r\6/usr/lib/python3.9/site-packages/sepolgen/refparser.py t_IPV6_ADDRsr`cCs|jjd7_dS)zdnl.*\nrNlexerlinenor]r\r\r_ t_m4commentsrdcCs|ddS)zdefine.*refpolicywarn\(.*\nrN)skipr]r\r\r_t_refpolicywarn1srfcCs|jjd7_dS)zrefpolicywarn\(.*\nrNrar]r\r\r_t_refpolicywarnsrgcCst|jd|_|S)z#[a-zA-Z_\$][a-zA-Z0-9_\-\+\.\$\*~]*rreservedgetvaluerLr]r\r\r_ t_IDENTIFIERsrlcCst|jd|_|S)z"\"[a-zA-Z0-9_\-\+\.\$\*~ :\[\]]+\"rrhr]r\r\r_ t_FILENAMEsrmcCs|jjd7_dS)z\#.*\nrNrar]r\r\r_ t_comment srncCs td|jd|ddS)NzIllegal character '%s'rr)printrkrer]r\r\r_t_errorsrpcCs|jjt|j7_dS)z\n+N)rbrclenrkr]r\r\r_ t_newlinesrrTcCsT|dur dS|D]>}|durq||_|dur@|jd||fq|jd|qdS)Nr)parentchildreninsert)Zstmtsrtvalsr\r\r_collect/srycCs4|D]*}t|r$|t|q||qdSN)sptZhas_keyupdateZby_nameadd)Zidsrxidr\r\r_expand;s rcCsNt|dkr&|dr&tj|dn$t|dkrJ|drJtj|ddS)z^statements : statement | statements statement | empty rN)rqmruappendpr\r\r_ p_statementsCsrcCs|d|d<dS)zstatement : interface | template | obj_perm_set | policy | policy_module_stmt | module_stmt rrNr\rr\r\r_ p_statementMsrcCsdS)zempty :Nr\rr\r\r_p_emptyWsrcCs.t}|d|_|d|_d|_||d<dS)zHpolicy_module_stmt : POLICY_MODULE OPAREN IDENTIFIER COMMA NUMBER CPARENTrNrZModuleDeclarationnameversionrrr\r\r_p_policy_module_stmtbs   rcCs(t|d}t|d|||d<dS)zainterface : INTERFACE OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN rN)r Interfaceryrxr\r\r_ p_interfacejsrcCs(t|d}t|d|||d<dS)ztemplate : TEMPLATE OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN | DEFINE OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN rrrN)rZTemplateryrr\r\r_ p_templateqsrcCs d|d<dS)z4define : DEFINE OPAREN TICK IDENTIFIER SQUOTE CPARENNrr\rr\r\r_p_defineysrcCszt|dkr"|dr"|d|d<nTt|dkrv|dsL|drv|d|d<n*|dsb|d|d<n|d|d|d<dS)zlinterface_stmts : policy | interface_stmts policy | empty rrrNrqrr\r\r_p_interface_stmtss rcCsFt}t|d|ddt|dkr8t|d|dd|g|d<dS) zoptional_policy : OPT_POLICY OPAREN TICK interface_stmts SQUOTE CPAREN | OPT_POLICY OPAREN TICK interface_stmts SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN rTrwrFrN)rZOptionalPolicyryrq)ror\r\r_p_optional_policys  rcCsPt}|d|_t|d|ddt|dkrBt|d|dd|g|d<d S) ztunable_policy : TUNABLE_POLICY OPAREN TICK cond_expr SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN | TUNABLE_POLICY OPAREN TICK cond_expr SQUOTE COMMA TICK interface_stmts SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN rrTr FrN)rZ TunablePolicy cond_exprryrqrr\r\r_p_tunable_policys   rcCsdS)aifelse : IFELSE OPAREN TICK IDENTIFIER SQUOTE COMMA COMMA TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi | IFELSE OPAREN TICK IDENTIFIER SQUOTE COMMA TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi | IFELSE OPAREN TICK IDENTIFIER SQUOTE COMMA TICK SQUOTE COMMA TICK interface_stmts SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi Nr\rr\r\r_p_ifelses rcCsbt|d}|ddkr d}nd}t|d||dt|dkrTt|d|dd|g|d <d S) aJifdef : IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK statements SQUOTE CPAREN optional_semi | IFNDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK statements SQUOTE CPAREN optional_semi | IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK statements SQUOTE COMMA TICK statements SQUOTE CPAREN optional_semi rrr[TFrrrrN)rZIfDefryrq)rrvr\r\r_p_ifdefs  rcCs8tj|dd}t|dkr,|j|d||d<dS)zinterface_call : IDENTIFIER OPAREN interface_call_param_list CPAREN | IDENTIFIER OPAREN CPAREN | IDENTIFIER OPAREN interface_call_param_list CPAREN SEMIr)ZifnamerrrN)rZ InterfaceCallrqargsextend)rir\r\r_p_interface_calls rcCs6t|dkr|d|d<n|dd|dg|d<dS)zinterface_call_param : IDENTIFIER | IDENTIFIER MINUS IDENTIFIER | nested_id_set | TRUE | FALSE | FILENAME rrr-rNrrr\r\r_p_interface_call_params rcCs6t|dkr|dg|d<n|d|dg|d<dS)zinterface_call_param_list : interface_call_param | interface_call_param_list COMMA interface_call_param rrrrNrrr\r\r_p_interface_call_param_lists rcCs$t|d}|d|_||d<dS)zRobj_perm_set : DEFINE OPAREN TICK IDENTIFIER SQUOTE COMMA TICK names SQUOTE CPARENrrrN)rZ ObjPermSetpermsrrxr\r\r_p_obj_perm_sets rcCs|d|d<dS)zpolicy : policy_stmt | optional_policy | tunable_policy | ifdef | ifelse | conditional rrNr\rr\r\r_p_policysrcCs|dr|dg|d<dS)apolicy_stmt : gen_require | avrule_def | typerule_def | typebound_def | typeattribute_def | roleattribute_def | interface_call | role_def | role_allow | permissive | type_def | typealias_def | attribute_def | attribute_role_def | range_transition_def | role_transition_def | bool | gen_tunable | define | initial_sid | genfscon | fs_use | portcon | nodecon | netifcon | pirqcon | iomemcon | ioportcon | pcidevicecon | devicetreecon rrNr\rr\r\r_ p_policy_stmts rcCs.t}|d|_|d|_d|_||d<dS)z+module_stmt : MODULE IDENTIFIER NUMBER SEMIrrFrNrrr\r\r_ p_module_stmts   rcCsdS)zlgen_require : GEN_REQ OPAREN TICK requires SQUOTE CPAREN | REQUIRE OBRACE requires CBRACENr\rr\r\r_ p_gen_require$srcCsdS)zsrequires : require | requires require | ifdef | requires ifdef Nr\rr\r\r_ p_requires,srcCsdS)zrequire : TYPE comma_list SEMI | ROLE comma_list SEMI | ATTRIBUTE comma_list SEMI | ATTRIBUTE_ROLE comma_list SEMI | CLASS comma_list SEMI | BOOL comma_list SEMI Nr\rr\r\r_ p_require4srcCsHt}|d|_|d|_|d|_t|dkr<|d|_||d<dS)zsecurity_context : IDENTIFIER COLON IDENTIFIER COLON IDENTIFIER | IDENTIFIER COLON IDENTIFIER COLON IDENTIFIER COLON mls_range_defrrrrrN)rZSecurityContextuserrRrLrqlevelrr\r\r_p_security_context>s     rcCs|d}|d|_||d<dS)zQgen_context : GEN_CONTEXT OPAREN security_context COMMA mls_range_def CPAREN rrrN)rrr\r\r_ p_gen_contextKs rcCs|d|d<dS)z.oc srd|z.t|}|}||at|||Wn\tyd}zWYd}~dSd}~0ty}z td|t|fWYd}~n d}~00dS)Nzparsing file %s zerror parsing file %s: %s)openreadcloserrIOErrorrr)rrGr{fdZtxtr)r rr\r_rEs z!parse_headers..parse_filezParsing support macros (%s): can_exec) z$1z$2fileZexecute_no_transr-r.getattrlockZexecuteZioctlzdone. )ZstepszParsing interface filesrz!failed to parse some headers: %s z, )N)rsr*rZHeadersrrisfilesplitrrrr)rheadersrrurrZ AccessVectorrZConsoleProgressBarsysstdoutrqrrrrstepr)r!r,rr r*r8r"r#rr'Z all_modulesrr{r2avstatusZfailuresrrrr\)r rr,r_ parse_headers,s`              $    r>)N)NNF)NTF)wr9rrrrsrrrrrtokensriZt_TICKZt_SQUOTEZt_OBRACEZt_CBRACEZt_SEMIZt_COLONZt_OPARENZt_CPARENZt_COMMAZt_MINUSZt_TILDEZ t_ASTERISKZt_AMPZt_BARZt_EXPLZt_EQUALZt_NUMBERZt_PATHZt_ignorer`rdrfrgrlrmrnrprrrrrr{rryrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr r rbrrr)r>r\r\r\r_ sT     \E          #