From 7556867f43f62f825e8ad8b6b36c762977c58d3d Mon Sep 17 00:00:00 2001 From: Ange Date: Mon, 24 Jul 2023 13:05:31 +0200 Subject: [PATCH] encoding, conditionals, conventions... --- security/selinux_policy_binary.ksy | 807 ++++++++++++++-------------- security/selinux_policy_package.ksy | 4 +- 2 files changed, 404 insertions(+), 407 deletions(-) diff --git a/security/selinux_policy_binary.ksy b/security/selinux_policy_binary.ksy index ec1bfeee5..3a1251dca 100644 --- a/security/selinux_policy_binary.ksy +++ b/security/selinux_policy_binary.ksy 
@@ -16,20 +16,119 @@ doc-ref: - https://github.com/SELinuxProject/selinux/blob/820f019ed9e3b9a9e3e62ae378f99282990976a2/libsepol/src/policydb.c - https://github.com/SELinuxProject/selinux/blob/820f019ed9e3b9a9e3e62ae378f99282990976a2/libsepol/src/write.c seq: - - id: header - type: header + - id: magic + type: u4 + enum: magics + valid: + any-of: + - magics::kernel + - magics::module + doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L4225 policydb_read + - id: len_policydb + -orig-id: len + type: u4 + valid: + min: 1 + min: 32 + - id: policydb + -orig-id: policydb_str + type: str + size: len_policydb + valid: + expr: '(magic == magics::kernel and (_ == "SE Linux" or _ == "XenFlask")) or (magic == magics::module and _ == "SE Linux Module")' + - id: policy_type + type: u4 + enum: policy_types + if: 'magic == magics::module' + - id: policy_version + -orig-id: policyvers + type: u4 + valid: + min: 'magic == magics::kernel ? 15 : 4' + max: 'magic == magics::kernel ? 
33 : 21' + - id: config + -orig-id: config + type: u4 + - id: num_symbols + -orig-id: sym_num + type: u4 + valid: + min: 5 + - id: object_contexts_count + -orig-id: ocon_num + type: u4 + valid: + min: 0 + max: 9 + - id: module_header + type: module_header + if: 'magic == magics::module' + - id: policy_capabilities + -orig-id: policycaps + type: extensible_bitmap + if: '(_root.type_ == policy_types::kernel and policy_version >= 22) or (policy_version >= 7)' + - id: permissive_map + type: extensible_bitmap + if: '(_root.type_ == policy_types::kernel and policy_version >= 23)' + - id: symbols + type: symbols + - id: access_vector_table + type: access_vector_table + if: '(_root.type_ == policy_types::kernel)' + - id: conditional_list + type: conditional_list + if: '_root.type_ == policy_types::kernel and policy_version >= 16' + - id: role_trans + type: role_trans + if: '_root.type_ == policy_types::kernel' + - id: role_allow + type: role_allow + if: '_root.type_ == policy_types::kernel' + - id: filename_trans + type: filename_trans + if: '_root.type_ == policy_types::kernel and policy_version >= 25' + - id: avrule_block + type: avrule_block + if: '_root.type_ != policy_types::kernel' + - id: scope_list + type: scope_list + repeat: expr + repeat-expr: _root.num_symbols + if: '_root.type_ != policy_types::kernel' + - id: ocontext_selinux + type: ocontext_selinux + if: '_root.target == targets::selinux' + - id: ocontext_xen + type: ocontext_xen + if: '_root.target == targets::xen' + - id: genfs + type: genfs + - id: range + type: range + if: '(_root.type_ == policy_types::kernel and policy_version >= 19) or (_root.type_ == policy_types::base and policy_version == 5)' + - id: type_attr_map + type: extensible_bitmap + repeat: expr + repeat-expr: symbols.types.num_primary_names + if: '_root.type_ == policy_types::kernel' instances: boundary_feature: # policydb_has_boundary_feature - value: '(_root.type == policy_types::kernel and _root.version >= 24) or (_root.type != 
policy_types::kernel and _root.version >= 9)' + value: | + (_root.type_ == policy_types::kernel and _root.version >= 24) or + (_root.type_ != policy_types::kernel and _root.version >= 9) version: - value: 'header.policyvers' - type: - value: 'header.magic == magics::kernel ? policy_types::kernel : (header.policy_type == policy_types::module ? policy_types::module : policy_types::base)' + value: '_root.policy_version' + type_: + value: | + _root.magic == magics::kernel ? policy_types::kernel : + (_root.policy_type == policy_types::module ? policy_types::module : policy_types::base) target: - value: 'header.magic == magics::kernel and header.policydb_str == "XenFlask" ? targets::xen : targets::selinux' + value: | + _root.magic == magics::kernel and _root.policydb == "XenFlask" ? + targets::xen : targets::selinux mls: - value: 'header.config & 1' + value: '_root.config & 1' enums: magics: 
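Review bot: The `valid` block on `len_policydb` repeats the `min` key (`min: 1` followed by `min: 32`); a YAML loader either rejects the duplicate or keeps the last value, and a minimum of 32 contradicts the `policydb` check that accepts the 8-byte "SE Linux"/"XenFlask" strings, so the second line should read `max: 32`. In the same hunk the `policy_capabilities` condition `(_root.type_ == policy_types::kernel and policy_version >= 22) or (policy_version >= 7)` is always true for kernel policies, because `policy_version` is validated to be at least 15 for them, so the `>= 22` threshold never takes effect; the second clause presumably needs to be `_root.type_ != policy_types::kernel and policy_version >= 7`. `valid: min: 0` on the unsigned `object_contexts_count` is a no-op and can be dropped, as can the same `min: 0` on `num_maps` in the `scope_index` hunk further down.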
@@ -51,119 +150,24 @@ enums: types: - header: - doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L4225 policydb_read - seq: - - id: magic - type: u4 - enum: magics - valid: - any-of: - - magics::kernel - - magics::module - - id: policydb_str_len - -orig-id: len - type: u4 - - id: policydb_str - type: str - encoding: ascii - size: policydb_str_len - valid: - expr: '(magic == magics::kernel and (_ == "SE Linux" or _ == "XenFlask")) or (magic == magics::module and _ == "SE Linux Module")' - - id: policy_type - type: u4 - enum: policy_types - if: 'magic == magics::module' - - id: policyvers - type: u4 - valid: - expr: '(magic == magics::kernel and 15 <= _ and _ <= 33) or (magic != magics::kernel and 4 <= _ and _ <= 21)' - - id: config - -orig-id: config - type: u4 - - id: symbols_count - -orig-id: sym_num - type: u4 - valid: - min: 5 - - id: object_contexts_count - -orig-id: ocon_num - type: u4 - valid: - min: 0 - max: 9 - - id: module_header - type: module_header - if: 'magic == magics::module' - - id: policycaps - type: extensible_bitmap - if: '(_root.type == policy_types::kernel and policyvers >= 22) or (policyvers >= 7)' - - id: permissive_map - type: extensible_bitmap - if: '(_root.type == policy_types::kernel and policyvers >= 23)' - - id: symbols - type: symbols - - id: access_vector_table - type: access_vector_table - if: '(_root.type == policy_types::kernel)' - - id: conditional_list - type: conditional_list - if: '_root.type == policy_types::kernel and policyvers >= 16' - - id: role_trans - type: role_trans - if: '_root.type == policy_types::kernel' - - id: role_allow - type: role_allow - if: '_root.type == policy_types::kernel' - - id: filename_trans - type: filename_trans - if: '_root.type == policy_types::kernel and policyvers >= 25' - - id: avrule_block - type: avrule_block - if: '_root.type != policy_types::kernel' - - id: scope_list - type: scope_list - repeat: expr - repeat-expr: _root.header.symbols_count - if: 
'_root.type != policy_types::kernel' - - id: ocontext_selinux - type: ocontext_selinux - if: '_root.target == targets::selinux' - - id: ocontext_xen - type: ocontext_xen - if: '_root.target == targets::xen' - - id: genfs - type: genfs - - id: range - type: range - if: '(_root.type == policy_types::kernel and policyvers >= 19) or (_root.type == policy_types::base and policyvers == 5)' - - id: type_attr_map - type: extensible_bitmap - repeat: expr - repeat-expr: symbols.types.primary_names_count - if: '_root.type == policy_types::kernel' - - module_header: seq: - - id: name_len + - id: len_name -orig-id: len type: u4 valid: min: 1 - id: name type: str - encoding: ascii - size: name_len - - id: version_length + size: len_name + - id: len_version -orig-id: len # again type: u4 valid: min: 1 - id: version type: str - encoding: ascii - size: version_length + size: len_version extensible_bitmap: doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/ebitmap.c#L539 ebitmap_read @@ -174,15 +178,15 @@ types: - id: highbit type: u4 valid: - expr: 'highbit & 0x3F == 0' - - id: count + expr: '_ & 0x3F == 0' + - id: num_nodes type: u4 valid: - expr: 'not ((highbit > 0) and (_ == 0))' - - id: node + expr: 'not ((highbit != 0) and (_ == 0))' + - id: nodes type: ebitmap_node repeat: expr - repeat-expr: count + repeat-expr: num_nodes ebitmap_node: seq: @@ -200,7 +204,7 @@ types: - id: roles type: roles - id: types - type: types + type: types_ - id: users type: users # 5 symbols: all of them 
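Review bot: The `encoding: ascii` lines are removed from `name` and `version` in `module_header` (and from every other `str` field this patch touches, starting with `policydb` in the first hunk) with no replacement visible here; a Kaitai `str` field needs an encoding either inline or through `meta.encoding`, so the file only compiles if `meta.encoding: ascii` was added in the part of the file before line 16, which the patch does not show. If it was not, the one-line fix is to add that key under `meta`; if it was, it would be worth stating in the commit message since a reviewer cannot confirm it from this diff.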
@@ -208,244 +212,241 @@ types: -orig-id: bools type: bools # 6 symbols: mod or base or kern[16-18] - if: '_root.header.symbols_count >= 6' + if: '_root.num_symbols >= 6' - id: security_levels -orig-id: levels type: levels - if: '_root.header.symbols_count >= 7' + if: '_root.num_symbols >= 7' - id: categories -orig-id: cats type: cats # 8 symbols: mod or base or kern[19-] - if: '_root.header.symbols_count >= 8' + if: '_root.num_symbols >= 8' commons: seq: - - id: primary_names_count + - id: num_primary_names -orig-id: nprim type: u4 - - id: elements_count + - id: num_elements -orig-id: nel type: u4 - - id: common + - id: commons type: common repeat: expr - repeat-expr: elements_count + repeat-expr: num_elements classes: seq: - - id: primary_names_count + - id: num_primary_names -orig-id: nprim type: u4 - - id: elements_count + - id: num_elements -orig-id: nel type: u4 - - id: class + - id: classes type: class repeat: expr - repeat-expr: elements_count + repeat-expr: num_elements roles: seq: - - id: primary_names_count + - id: num_primary_names -orig-id: nprim type: u4 - - id: elements_count + - id: num_elements -orig-id: nel type: u4 - - id: role + - id: roles type: role repeat: expr - repeat-expr: elements_count + repeat-expr: num_elements - types: + types_: seq: - - id: primary_names_count + - id: num_primary_names -orig-id: nprim type: u4 - - id: elements_count + - id: num_elements -orig-id: nel type: u4 - - id: type - type: type + - id: types + type: type_ repeat: expr - repeat-expr: elements_count + repeat-expr: num_elements users: seq: - - id: primary_names_count + - id: num_primary_names -orig-id: nprim type: u4 - - id: elements_count + - id: num_elements -orig-id: nel type: u4 - - id: user + - id: users type: user repeat: expr - repeat-expr: elements_count + repeat-expr: num_elements bools: doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/conditional.c#L567 cond_read_bool seq: - - id: primary_names_count + - id: num_primary_names 
-orig-id: nprim type: u4 - - id: elements_count + - id: num_elements -orig-id: nel type: u4 - - id: bool + - id: bools type: bool repeat: expr - repeat-expr: elements_count + repeat-expr: num_elements levels: doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L3414 sens_read seq: - - id: primary_names_count + - id: num_primary_names -orig-id: nprim type: u4 - - id: elements_count + - id: num_elements -orig-id: nel type: u4 - - id: level + - id: levels type: level repeat: expr - repeat-expr: elements_count + repeat-expr: num_elements cats: doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L3460 cat_read seq: - - id: primary_names_count + - id: num_primary_names -orig-id: nprim type: u4 - - id: elements_count + - id: num_elements -orig-id: nel type: u4 - - id: cat + - id: cats type: cat repeat: expr - repeat-expr: elements_count + repeat-expr: num_elements common: doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L2093 common_read seq: - - id: length + - id: len_key -orig-id: len type: u4 valid: min: 1 - id: value type: u4 - - id: primary_names_count + - id: num_primary_names -orig-id: nprim type: u4 valid: max: 32 - - id: elements_count + - id: num_elements -orig-id: nel type: u4 - id: key type: str - encoding: ascii - size: length - - id: permission + size: len_key + - id: permissions type: permission repeat: expr - repeat-expr: elements_count + repeat-expr: num_elements permission: doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L2057 perm_read seq: - - id: length + - id: len_key -orig-id: len type: u4 + valid: + min: 1 - id: value type: u4 - id: key type: str - encoding: ASCII - size: length + size: len_key class: doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L2241 class_read seq: - - id: key_length + - id: len_key -orig-id: len type: u4 valid: min: 1 - - id: 
common_key_length + - id: len_common_key # can be null -orig-id: len2 type: u4 - id: value type: u4 - - id: primary_names_count + - id: num_primary_names -orig-id: perm_nprim type: u4 valid: max: 32 - - id: elements_count + - id: num_elements -orig-id: nel type: u4 - - id: constraints_count + - id: num_constraints -orig-id: ncons type: u4 - id: key type: str - encoding: ASCII - size: key_length + size: len_key - id: common_key + -orig-id: comkey type: str - encoding: ASCII - size: common_key_length - if: common_key_length > 0 - - id: permission + size: len_common_key + if: len_common_key > 0 + - id: permissions type: permission repeat: expr - repeat-expr: elements_count + repeat-expr: num_elements - id: constraints - -orig-id: constraints type: constraint repeat: expr - repeat-expr: constraints_count + repeat-expr: num_constraints - - id: validatetrans_count + - id: num_validatetrans -orig-id: ncons # yes, same name type: u4 - if: '(_root.type == policy_types::kernel and _root.version >= 19) or (_root.type == policy_types::base and _root.version >= 5)' - - id: validatetrans + if: '(_root.type_ == policy_types::kernel and _root.version >= 19) or (_root.type_ == policy_types::base and _root.version >= 5)' + - id: validate_trans -orig-id: validatetrans type: constraint repeat: expr - repeat-expr: validatetrans_count - if: '(_root.type == policy_types::kernel and _root.version >= 19) or (_root.type == policy_types::base and _root.version >= 5)' + repeat-expr: num_validatetrans + if: '(_root.type_ == policy_types::kernel and _root.version >= 19) or (_root.type_ == policy_types::base and _root.version >= 5)' - id: default_user type: u4 - if: '(_root.type == policy_types::kernel and _root.version >= 27) or (_root.type == policy_types::base and _root.version >= 15)' + if: '(_root.type_ == policy_types::kernel and _root.version >= 27) or (_root.type_ == policy_types::base and _root.version >= 15)' - id: default_role type: u4 - if: '(_root.type == policy_types::kernel and 
_root.version >= 27) or (_root.type == policy_types::base and _root.version >= 15)' + if: '(_root.type_ == policy_types::kernel and _root.version >= 27) or (_root.type_ == policy_types::base and _root.version >= 15)' - id: default_range type: u4 - if: '(_root.type == policy_types::kernel and _root.version >= 27) or (_root.type == policy_types::base and _root.version >= 15)' + if: '(_root.type_ == policy_types::kernel and _root.version >= 27) or (_root.type_ == policy_types::base and _root.version >= 15)' - id: default_type type: u4 - if: '(_root.type == policy_types::kernel and _root.version >= 28) or (_root.type == policy_types::base and _root.version >= 16)' + if: '(_root.type_ == policy_types::kernel and _root.version >= 28) or (_root.type_ == policy_types::base and _root.version >= 16)' constraint: # read_cons_helper seq: - id: permissions type: u4 - - id: expressions_count + - id: num_expressions -orig-id: nexpr type: u4 - - id: expression + - id: expressions type: expression repeat: expr - repeat-expr: expressions_count - if: expressions_count > 0 + repeat-expr: num_expressions expression: seq: @@ -463,7 +464,7 @@ types: if: 'type == expression_types::names' - id: type_names type: type_set - if: 'type == expression_types::names and ((_root.type == policy_types::kernel and _root.version >= 29) or (_root.type != policy_types::kernel))' + if: 'type == expression_types::names and ((_root.type_ == policy_types::kernel and _root.version >= 29) or (_root.type_ != policy_types::kernel))' mls_range: doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L1850 mls_read_range_helper 
@@ -496,14 +497,16 @@ types: type: u4 - id: mls_range type: mls_range - if: '(_root.type == policy_types::kernel and _root.version >= 19) or (_root.type == policy_types::base and _root.version >= 5)' + if: '(_root.type_ == policy_types::kernel and _root.version >= 19) or (_root.type_ == policy_types::base and _root.version >= 5)' role: doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L2352 role_read seq: - - id: length + - id: len_key -orig-id: len type: u4 + valid: + min: 1 - id: value type: u4 - id: bounds @@ -511,37 +514,38 @@ types: if: '_root.boundary_feature' - id: key type: str - encoding: ascii - size: length + size: len_key - id: dominates type: extensible_bitmap - id: types_eb type: extensible_bitmap - if: _root.type == policy_types::kernel + if: _root.type_ == policy_types::kernel - id: types_ts type: type_set - if: not (_root.type == policy_types::kernel) + if: not (_root.type_ == policy_types::kernel) - id: flavor type: u4 - if: '(_root.type != policy_types::kernel and _root.version >= 13)' + if: '(_root.type_ != policy_types::kernel and _root.version >= 13)' - id: roles type: extensible_bitmap - if: '(_root.type != policy_types::kernel and _root.version >= 13)' + if: '(_root.type_ != policy_types::kernel and _root.version >= 13)' - type: + type_: doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#2431 type_read seq: # 3: kern <= 23 # 4: kern >= 24 or !kern <= 7 or !kern == 9 # 5: !kern == 8 or !kern >= 10 - - id: length + - id: len_key -orig-id: len type: u4 + valid: + min: 1 - id: value type: u4 - id: primary type: u4 - if: '(_root.boundary_feature and (_root.type != policy_types::kernel and _root.version >= 10)) or not _root.boundary_feature' + if: '(_root.boundary_feature and (_root.type_ != policy_types::kernel and _root.version >= 10)) or not _root.boundary_feature' - id: properties type: u4 if: '_root.boundary_feature' 
@@ -550,17 +554,16 @@ types: if: '_root.boundary_feature' - id: flavor type: u4 - if: 'not _root.boundary_feature and (_root.type != policy_types::kernel)' + if: 'not _root.boundary_feature and (_root.type_ != policy_types::kernel)' - id: flags type: u4 - if: 'not _root.boundary_feature and (_root.type != policy_types::kernel and _root.version >= 8)' + if: 'not _root.boundary_feature and (_root.type_ != policy_types::kernel and _root.version >= 8)' - id: types type: extensible_bitmap - if: '_root.type != policy_types::kernel' + if: '_root.type_ != policy_types::kernel' - id: key type: str - encoding: ASCII - size: length + size: len_key type_set: seq: @@ -574,9 +577,11 @@ types: user: doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L3327 user_read seq: - - id: length + - id: len_key -orig-id: len type: u4 + valid: + min: 1 - id: value type: u4 - id: bounds 
@@ -584,26 +589,25 @@ types: if: _root.boundary_feature - id: key type: str - encoding: ASCII - size: length + size: len_key - id: roles_eb type: extensible_bitmap - if: '_root.type == policy_types::kernel' + if: '_root.type_ == policy_types::kernel' - id: roles_rs type: role_set - if: '_root.type != policy_types::kernel' + if: '_root.type_ != policy_types::kernel' - id: exp_range type: mls_range - if: '(_root.type == policy_types::kernel and _root.version >= 19) or (_root.type == policy_types::module and _root.version >= 5 and _root.version < 6) or (_root.type == policy_types::base and _root.version >= 5 and _root.version < 6)' + if: '(_root.type_ == policy_types::kernel and _root.version >= 19) or (_root.type_ == policy_types::module and _root.version >= 5 and _root.version < 6) or (_root.type_ == policy_types::base and _root.version >= 5 and _root.version < 6)' - id: exp_dftlevel type: mls_level - if: '(_root.type == policy_types::kernel and _root.version >= 19) or (_root.type == policy_types::module and _root.version >= 5 and _root.version < 6) or (_root.type == policy_types::base and _root.version >= 5 and _root.version < 6)' + if: '(_root.type_ == policy_types::kernel and _root.version >= 19) or (_root.type_ == policy_types::module and _root.version >= 5 and _root.version < 6) or (_root.type_ == policy_types::base and _root.version >= 5 and _root.version < 6)' - id: range type: mls_semantic_range - if: '(_root.type == policy_types::module or _root.type == policy_types::base) and (_root.version >= 6)' + if: '(_root.type_ == policy_types::module or _root.type_ == policy_types::base) and (_root.version >= 6)' - id: dfltlevel type: mls_semantic_range - if: '(_root.type == policy_types::module or _root.type == policy_types::base) and (_root.version >= 6)' + if: '(_root.type_ == policy_types::module or _root.type_ == policy_types::base) and (_root.version >= 6)' role_set: doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L1813 
role_set_read @@ -637,14 +641,14 @@ types: - id: sensitivity -orig-id: sens type: u4 - - id: count + - id: num_categories -orig-id: ncat type: u4 - - id: category + - id: categories -orig-id: cat type: semantic_category repeat: expr - repeat-expr: count + repeat-expr: num_categories semantic_category: seq: @@ -654,28 +658,29 @@ types: type: u4 bool: - doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L567 cond_read_bool + doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/cond_read_bool.c#L567 cond_read_bool seq: - id: value type: u4 - id: state type: u4 - - id: length + - id: len_key -orig-id: len type: u4 + valid: + min: 1 - id: key type: str - size: length - encoding: ascii + size: len_key - id: flags type: u4 - if: '(_root.type != policy_types::kernel and _root.version >= 14)' + if: '(_root.type_ != policy_types::kernel and _root.version >= 14)' level: doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L3414 sens_read seq: - - id: length + - id: len_key -orig-id: len type: u4 valid: @@ -684,15 +689,14 @@ types: type: u4 - id: key type: str - encoding: ascii - size: length + size: len_key - id: level type: mls_level cat: doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L3460 cat_read seq: - - id: length + - id: len_key -orig-id: len type: u4 valid: 
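Review bot: The new `doc-ref` on `bool` points at `libsepol/src/cond_read_bool.c#L567`, which uses the function name as a file name; `cond_read_bool` lives in `conditional.c`, as the `bools` type's own `doc-ref` earlier in this patch already states, so the line should read `doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/conditional.c#L567 cond_read_bool`. The removed line had the same problem with `policydb.c`, so the commit swaps one wrong path for another.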
@@ -703,25 +707,24 @@ types: type: u4 - id: key type: str - encoding: ascii - size: length + size: len_key access_vector_table: doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/avtab.c#L591 avtab_read seq: - - id: elements_count + - id: num_elements -orig-id: nel type: u4 - - id: access_vector_old + - id: access_vectors_old type: access_vector_old repeat: expr - repeat-expr: elements_count - if: elements_count > 0 and _root.version < 20 - - id: access_vector + repeat-expr: num_elements + if: _root.version < 20 + - id: access_vectors type: access_vector repeat: expr - repeat-expr: elements_count - if: elements_count > 0 and _root.version >= 20 + repeat-expr: num_elements + if: _root.version >= 20 access_vector_old: @@ -742,7 +745,7 @@ types: - id: value -orig-id: val type: u4 - - id: data + - id: datas type: u4 repeat: expr repeat-expr: 8 @@ -776,13 +779,13 @@ types: conditional_list: doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/conditional.c#L821 cond_read_list seq: - - id: length + - id: num_nodes -orig-id: len type: u4 - - id: conditional_node + - id: conditional_nodes type: conditional_node repeat: expr - repeat-expr: length + repeat-expr: num_nodes conditional_node: doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/conditional.c#L747 cond_read_node 
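Review bot: The rename `data` → `datas` in `access_vector_old` produces a word that is not a plural (`data` already is one), and it is the only repeated field in this patch whose new name does not follow the `X_items`/`Xs` pattern used everywhere else; if the goal is "plural name for repeated fields", `values` or `data_words` would read more naturally, e.g. `- id: values`. The field keeps `repeat-expr: 8`, so nothing else in the hunk needs to change.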
@@ -790,28 +793,28 @@ types: - id: current_state -orig-id: cur_state type: u4 - - id: length + - id: num_items -orig-id: len type: u4 - - id: conditional_node_item + - id: conditional_node_items type: conditional_node_item repeat: expr - repeat-expr: length + repeat-expr: num_items - id: true_list type: cond_av_list - if: _root.type == policy_types::kernel + if: _root.type_ == policy_types::kernel - id: false_list type: cond_av_list - if: _root.type == policy_types::kernel + if: _root.type_ == policy_types::kernel - id: avtrue_list type: avrule_list - if: _root.type != policy_types::kernel + if: _root.type_ != policy_types::kernel - id: avfalse_list type: avrule_list - if: _root.type != policy_types::kernel + if: _root.type_ != policy_types::kernel - id: flags type: u4 - if: '_root.type != policy_types::kernel and _root.version >= 14' + if: '_root.type_ != policy_types::kernel and _root.version >= 14' conditional_node_item: seq: @@ -823,31 +826,30 @@ types: cond_av_list: doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/conditional.c#L696 cond_read_av_list seq: - - id: length + - id: num_vectors -orig-id: len type: u4 - - id: access_vector_old + - id: access_vectors_old type: access_vector_old repeat: expr - repeat-expr: length - if: length > 0 and _root.version < 20 - - id: access_vector + repeat-expr: num_vectors + if: _root.version < 20 + - id: access_vectors type: access_vector repeat: expr - repeat-expr: length - if: length > 0 and _root.version >= 20 + repeat-expr: num_vectors + if: _root.version >= 20 avrule_list: doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L3716 avrule_read_list seq: - - id: length + - id: num_rules -orig-id: len type: u4 - - id: avrule + - id: avrules type: avrule repeat: expr - repeat-expr: length - if: length > 0 + repeat-expr: num_rules avrule: doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L3510 avrule_read 
@@ -860,14 +862,13 @@ types: type: type_set - id: ttypes type: type_set - - id: length + - id: num_items -orig-id: len type: u4 - - id: avrule_item + - id: avrule_items type: avrule_item repeat: expr - repeat-expr: length - if: length > 0 + repeat-expr: num_items - id: avrule_specified type: avrule_specified if: '(specified & (0x0100 | 0x0200 | 0x0400 | 0x0800)) != 0' @@ -886,24 +887,24 @@ types: type: u1 - id: xperms_driver type: u1 - - id: elements_count + - id: num_elements -orig-id: nel type: u4 - id: perms type: u4 repeat: expr - repeat-expr: elements_count + repeat-expr: num_elements role_trans: doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L3716 role_trans_read seq: - - id: elements_count + - id: num_elements -orig-id: nel type: u4 - - id: role_trans_item + - id: role_trans_items type: role_trans_item repeat: expr - repeat-expr: elements_count + repeat-expr: num_elements role_trans_item: seq: @@ -915,18 +916,18 @@ types: type: u4 - id: tclass type: u4 - if: '(_root.type == policy_types::kernel and _root.version >= 26)' + if: '(_root.type_ == policy_types::kernel and _root.version >= 26)' role_allow: doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L2567 role_allow_read seq: - - id: elements_count + - id: num_elements -orig-id: nel type: u4 - - id: role_allow_item + - id: role_allow_items type: role_allow_item repeat: expr - repeat-expr: elements_count + repeat-expr: num_elements role_allow_item: seq: 
@@ -938,30 +939,31 @@ types: filename_trans: doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L2845 filename_trans_read seq: - - id: elements_count + - id: num_elements -orig-id: nel type: u4 - - id: item_32 + - id: items_32 type: filename_trans_item_old repeat: expr - repeat-expr: elements_count - if: '(elements_count > 0) and (_root.version < 33)' - - id: item_33 + repeat-expr: num_elements + if: '_root.version < 33' + - id: items_33 type: filename_trans_item repeat: expr - repeat-expr: elements_count - if: '(elements_count > 0) and (_root.version >= 33)' + repeat-expr: num_elements + if: '_root.version >= 33' filename_trans_item_old: doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L2674 filename_trans_read_one_compat seq: - - id: length + - id: len_name -orig-id: len type: u4 + valid: + min: 1 - id: name type: str - encoding: ascii - size: length + size: len_name - id: stype type: u4 - id: ttype @@ -975,26 +977,27 @@ types: filename_trans_item: doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L2756 filename_trans_read_one seq: - - id: length + - id: len_name -orig-id: len type: u4 + valid: + min: 1 - id: name type: str - encoding: ascii - size: length + size: len_name - id: ttype type: u4 - id: tclass type: u4 - - id: count + - id: num_items -orig-id: ndatum type: u4 valid: min: 1 - - id: item + - id: items type: filename_trans_item_item repeat: expr - repeat-expr: count + repeat-expr: num_items filename_trans_item_item: seq: @@ -1006,13 +1009,12 @@ types: avrule_block: doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L4030 avrule_block_read seq: - - id: count - -orig-id: num_blocks + - id: num_blocks type: u4 - - id: avrule_block_item + - id: avrule_block_items type: avrule_block_item repeat: expr - repeat-expr: count + repeat-expr: num_blocks avrule_block_item: seq: 
@@ -1022,7 +1024,6 @@ types: type: avrule_decl repeat: expr repeat-expr: num_decls - if: num_decls > 0 avrule_decl: doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L3980 avrule_decl_read @@ -1056,13 +1057,13 @@ types: role_trans_rule: doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L3749 role_trans_rule_read seq: - - id: elements_count + - id: num_elements -orig-id: nel type: u4 - - id: item + - id: items type: role_trans_rule_item repeat: expr - repeat-expr: elements_count + repeat-expr: num_elements role_trans_rule_item: seq: @@ -1079,13 +1080,13 @@ types: role_allow_rule: doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L3801 role_allow_rule_read seq: - - id: elements_count + - id: num_elements -orig-id: nel type: u4 - - id: role_allow_rule_item + - id: role_allow_rule_items type: common repeat: expr - repeat-expr: elements_count + repeat-expr: num_elements role_allow_rule_item: seq: @@ -1097,24 +1098,23 @@ types: filename_trans_rule: doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L3837 filename_trans_rule_read seq: - - id: count + - id: num_items type: u4 - - id: item + - id: items type: filename_trans_rule_item repeat: expr - repeat-expr: count + repeat-expr: num_items filename_trans_rule_item: seq: - - id: length + - id: len_name -orig-id: len type: u4 valid: min: 1 - id: name type: str - encoding: ascii - size: length + size: len_name - id: stypes type: type_set - id: ttypes @@ -1131,13 +1131,13 @@ types: range_trans_rule: doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L3903 range_trans_rule_read seq: - - id: count + - id: num_items -orig-id: nel type: u4 - - id: item + - id: items type: range_trans_rule_item repeat: expr - repeat-expr: count + repeat-expr: num_items range_trans_rule_item: seq: 
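Review bot: `role_allow_rule_items` in `role_allow_rule` is still typed `common` (the permission-class record), while the `role_allow_rule_item` type defined directly below it is not referenced anywhere in the visible hunks; the rename touched only the `id:` and `repeat-expr:` lines, so this looks like a pre-existing copy/paste slip that the `*_items: type: *_item` convention used throughout this patch makes obvious. Unless `common` is intentional, the line should read `type: role_allow_rule_item`; I can't confirm the intended layout from the diff alone, so compare against `role_allow_rule_read` in the referenced policydb.c before changing it.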
@@ -1153,92 +1153,92 @@ types: scope_index: doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L3945 scope_index_read seq: - - id: scope + - id: scopes type: extensible_bitmap repeat: expr - repeat-expr: _root.header.symbols_count - - id: class_perms_len + repeat-expr: _root.num_symbols + - id: num_maps type: u4 valid: min: 0 - - id: class_perms_map + - id: class_perms_maps type: extensible_bitmap repeat: expr - repeat-expr: class_perms_len + repeat-expr: num_maps scope_list: seq: - - id: elements_count + - id: num_elements -orig-id: nel type: u4 - - id: scope + - id: scopes type: scope repeat: expr - repeat-expr: elements_count + repeat-expr: num_elements scope: doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L4108 scope_read seq: - - id: length + - id: len_key -orig-id: len type: u4 valid: min: 1 - id: key type: str - encoding: ascii - size: length + size: len_key - id: scope type: u4 - - id: decl_ids_len + - id: num_ids + -orig-id: decl_ids_len type: u4 valid: min: 1 - - id: decl_id + - id: decl_ids type: u4 repeat: expr - repeat-expr: decl_ids_len + repeat-expr: num_ids ocontext_selinux: doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L2983 ocontext_read_selinux seq: - id: initial_sids type: initial_sids - if: '_root.header.object_contexts_count >= 1' + if: '_root.object_contexts_count >= 1' - id: filesystems type: filesystems - if: '_root.header.object_contexts_count >= 2' + if: '_root.object_contexts_count >= 2' - id: ports type: ports - if: '_root.header.object_contexts_count >= 3' + if: '_root.object_contexts_count >= 3' - id: network_interfaces type: filesystems # same - if: '_root.header.object_contexts_count >= 4' + if: '_root.object_contexts_count >= 4' - id: nodes type: nodes - if: '_root.header.object_contexts_count >= 5' + if: '_root.object_contexts_count >= 5' - id: fsuses type: fsuses - if: '_root.header.object_contexts_count >= 
6' + if: '_root.object_contexts_count >= 6' - id: nodes6 type: nodes6 - if: '_root.header.object_contexts_count >= 7' + if: '_root.object_contexts_count >= 7' - id: ibpkeys type: ibpkeys - if: '_root.header.object_contexts_count >= 8' + if: '_root.object_contexts_count >= 8' - id: ibpendports type: ibpendports - if: '_root.header.object_contexts_count >= 9' + if: '_root.object_contexts_count >= 9' initial_sids: seq: - - id: elements_count + - id: num_elements -orig-id: nel type: u4 - - id: initial_sid + - id: initial_sids type: initial_sid repeat: expr - repeat-expr: elements_count + repeat-expr: num_elements initial_sid: seq: @@ -1249,25 +1249,24 @@ types: filesystems: seq: - - id: elements_count + - id: num_elements -orig-id: nel type: u4 - - id: filesystem + - id: filesystems type: filesystem repeat: expr - repeat-expr: elements_count + repeat-expr: num_elements filesystem: seq: - - id: length + - id: len_key -orig-id: len type: u4 valid: min: 1 - id: key type: str - encoding: ascii - size: length + size: len_key - id: context0 type: context - id: context1 @@ -1275,13 +1274,13 @@ types: ports: seq: - - id: elements_count + - id: num_elements -orig-id: nel type: u4 - - id: port + - id: ports type: port repeat: expr - repeat-expr: elements_count + repeat-expr: num_elements port: seq: @@ -1296,13 +1295,13 @@ types: nodes: seq: - - id: elements_count + - id: num_elements -orig-id: nel type: u4 - - id: node + - id: nodes type: node repeat: expr - repeat-expr: elements_count + repeat-expr: num_elements node: seq: 
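Review bot: `scope` inside the `scope` type remains an unconstrained u4 while the count fields around it gained `valid` ranges in this hunk; libsepol accepts only two scope kinds (require and declare, encoded as 1 and 2 as far as I recall), so an `enum:` or `valid: any-of: [1, 2]` would make a tampered or fuzzed module fail at parse time instead of decoding silently. Separately, `num_maps` in `scope_index` keeps `valid: min: 0`, which is a no-op on an unsigned field and reads like an unfinished check — either drop it or replace it with whatever bound the reader actually enforces, if any. This hunk spans two physical lines, and the `initial_sid` type at its end continues past it.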
@@ -1315,47 +1314,48 @@ types: fsuses: seq: - - id: elements_count + - id: num_elements -orig-id: nel type: u4 - - id: fsuse + - id: fsuses type: fsuse repeat: expr - repeat-expr: elements_count + repeat-expr: num_elements fsuse: seq: - id: behavior type: u4 - - id: length + - id: len_name -orig-id: len type: u4 valid: min: 1 - id: name type: str - encoding: ascii - size: length + size: len_name - id: context type: context nodes6: seq: - - id: elements_count + - id: num_elements -orig-id: nel type: u4 - - id: node6 + - id: nodes6 type: node6 repeat: expr - repeat-expr: elements_count + repeat-expr: num_elements node6: seq: - - id: addr + - id: addresses + -orig-id: addr type: u4 repeat: expr repeat-expr: 4 - - id: mask + - id: masks + -orig-id: mask type: u4 repeat: expr repeat-expr: 4 @@ -1364,13 +1364,13 @@ types: ibpkeys: seq: - - id: elements_count + - id: num_elements -orig-id: nel type: u4 - - id: ibpkey + - id: ibpkeys type: ibpkey repeat: expr - repeat-expr: elements_count + repeat-expr: num_elements ibpkey: seq: @@ -1383,27 +1383,27 @@ types: ibpendports: seq: - - id: elements_count + - id: num_elements -orig-id: nel type: u4 - - id: ibpendport + - id: ibpendports type: ibpendport repeat: expr - repeat-expr: elements_count + repeat-expr: num_elements ibpendport: seq: - - id: length + - id: len_name -orig-id: len type: u4 valid: min: 1 - id: port type: u4 - - id: dev_name + - id: name + -orig-id: dev_name type: str - encoding: ascii - size: length + size: len_name - id: context type: context 
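Review bot: `behavior` in `fsuse` is read as a bare u4 with no `enum:` or `valid:`, although libsepol only recognises a small fixed set of fs_use behaviors (xattr, trans, task and a few kernel-internal ones, numbered from 1 as far as I recall); an enum here would make dumps readable and flag unknown values the same way the string-length checks in this hunk now do. The `-orig-id: addr` / `-orig-id: mask` annotations added to `node6` are a good pattern and could be applied to `behavior` too if its upstream name differs. The tail of `node6` is cut off by the next hunk header.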
@@ -1413,32 +1413,32 @@ types: seq: - id: xen_isids type: xen_isids - if: '_root.header.object_contexts_count >= 1' + if: '_root.object_contexts_count >= 1' - id: xen_pirqs type: xen_pirqs - if: '_root.header.object_contexts_count >= 2' + if: '_root.object_contexts_count >= 2' - id: xen_ioports type: xen_ioports - if: '_root.header.object_contexts_count >= 3' + if: '_root.object_contexts_count >= 3' - id: xen_iomems type: xen_iomems - if: '_root.header.object_contexts_count >= 4' + if: '_root.object_contexts_count >= 4' - id: xen_pcidevices type: xen_pcidevices - if: '_root.header.object_contexts_count >= 5' + if: '_root.object_contexts_count >= 5' - id: xen_devicetrees type: xen_devicetrees - if: '_root.header.object_contexts_count >= 6' + if: '_root.object_contexts_count >= 6' xen_isids: seq: - - id: elements_count + - id: num_elements -orig-id: nel type: u4 - - id: xen_isid + - id: xen_isids type: xen_isid repeat: expr - repeat-expr: elements_count + repeat-expr: num_elements xen_isid: seq: @@ -1449,13 +1449,13 @@ types: xen_pirqs: seq: - - id: elements_count + - id: num_elements -orig-id: nel type: u4 - - id: xen_pirq + - id: xen_pirqs type: xen_pirq repeat: expr - repeat-expr: elements_count + repeat-expr: num_elements xen_pirq: seq: @@ -1466,13 +1466,13 @@ types: xen_ioports: seq: - - id: elements_count + - id: num_elements -orig-id: nel type: u4 - - id: xen_ioport + - id: xen_ioports type: xen_ioport repeat: expr - repeat-expr: elements_count + repeat-expr: num_elements xen_ioport: seq: @@ -1485,13 +1485,13 @@ types: xen_iomems: seq: - - id: elements_count + - id: num_elements -orig-id: nel type: u4 - - id: xen_iomem + - id: xen_iomems type: xen_iomem repeat: expr - repeat-expr: elements_count + repeat-expr: num_elements xen_iomem: seq: 
@@ -1512,13 +1512,13 @@ types: xen_pcidevices: seq: - - id: elements_count + - id: num_elements -orig-id: nel type: u4 - - id: xen_pcidevice + - id: xen_pcidevices type: xen_pcidevice repeat: expr - repeat-expr: elements_count + repeat-expr: num_elements xen_pcidevice: seq: @@ -1530,69 +1530,66 @@ types: xen_devicetrees: seq: - - id: elements_count + - id: num_elements -orig-id: nel type: u4 - - id: xen_devicetree + - id: xen_devicetrees type: xen_devicetree repeat: expr - repeat-expr: elements_count + repeat-expr: num_elements xen_devicetree: seq: - - id: length + - id: len_name -orig-id: len type: u4 valid: min: 1 - id: name type: str - encoding: ascii - size: length + size: len_name - id: context0 type: context genfs: doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L3180 genfs_read seq: - - id: elements_count + - id: num_elements -orig-id: nel type: u4 - id: items type: genfs_item repeat: expr - repeat-expr: elements_count + repeat-expr: num_elements genfs_item: seq: - - id: length + - id: len_fstype -orig-id: len type: u4 valid: min: 1 - id: fstype type: str - encoding: ascii - size: length - - id: elements_count + size: len_fstype + - id: num_elements -orig-id: nel2 type: u4 - id: items type: genfs2_item repeat: expr - repeat-expr: elements_count + repeat-expr: num_elements genfs2_item: seq: - - id: length + - id: len_name -orig-id: len type: u4 valid: min: 1 - id: name type: str - encoding: ascii - size: length + size: len_name - id: sclass type: u4 - id: context0 @@ -1601,13 +1598,13 @@ types: range: doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.#L3620 range_read seq: - - id: elements_count + - id: num_elements -orig-id: nel type: u4 - id: items type: range_item repeat: expr - repeat-expr: elements_count + repeat-expr: num_elements range_item: seq: 
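Review bot: The `doc-ref` on the `range` type points at `libsepol/src/policydb.#L3620`, which has lost the `.c` and resolves to nothing, whereas every other doc-ref in these hunks uses `policydb.c#L...`; it should read `https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L3620 range_read`. It is a context line rather than one this commit touches, but a rename pass through this hunk is the natural place to fix it. `range_item` at the end of the hunk continues past it.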
@@ -1617,6 +1614,6 @@ types: type: u4 - id: target_class type: u4 - if: '_root.type == policy_types::kernel and _root.version >= 21' + if: '_root.type_ == policy_types::kernel and _root.version >= 21' - id: range_tr type: mls_range diff --git a/security/selinux_policy_package.ksy b/security/selinux_policy_package.ksy index 68bf89b15..ae1deb42b 100644 --- a/security/selinux_policy_package.ksy +++ b/security/selinux_policy_package.ksy @@ -14,13 +14,13 @@ seq: contents: [0x8f, 0xff, 0x7c, 0xf9] - id: version # module_package_read_offsets type: u4 - - id: sections_count + - id: num_sections -orig-id: nsec type: u4 - id: section type: section repeat: expr - repeat-expr: sections_count + repeat-expr: num_sections types: section: