checkpolicy: Allow filesystem names to start with a digit

The patch below allows filesystem names in fs_use_* and genfscon
statements to start with a digit, but still requires at least one
character to be a letter.  A new token type for filesystem names is
created since these names have nothing to do with SELinux.

This patch is needed because some filesystem names (such as 9p) start
with a digit.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
James Carter 2011-01-12 16:29:02 -05:00 committed by Steve Lawrence
parent b42e15ffd5
commit 17ac87ce83
2 changed files with 11 additions and 4 deletions


@ -139,6 +139,7 @@ typedef int (* require_func_t)();
%token MODULE VERSION_IDENTIFIER REQUIRE OPTIONAL
%token POLICYCAP
%token PERMISSIVE
%token FILESYSTEM
%left OR
%left XOR
@ -646,7 +647,7 @@ opt_fs_uses : fs_uses
fs_uses : fs_use_def
| fs_uses fs_use_def
;
fs_use_def : FSUSEXATTR identifier security_context_def ';'
fs_use_def : FSUSEXATTR filesystem security_context_def ';'
{if (define_fs_use(SECURITY_FS_USE_XATTR)) return -1;}
| FSUSETASK identifier security_context_def ';'
{if (define_fs_use(SECURITY_FS_USE_TASK)) return -1;}
@ -659,11 +660,11 @@ opt_genfs_contexts : genfs_contexts
genfs_contexts : genfs_context_def
| genfs_contexts genfs_context_def
;
genfs_context_def : GENFSCON identifier path '-' identifier security_context_def
genfs_context_def : GENFSCON filesystem path '-' identifier security_context_def
{if (define_genfs_context(1)) return -1;}
| GENFSCON identifier path '-' '-' {insert_id("-", 0);} security_context_def
| GENFSCON filesystem path '-' '-' {insert_id("-", 0);} security_context_def
{if (define_genfs_context(1)) return -1;}
| GENFSCON identifier path security_context_def
| GENFSCON filesystem path security_context_def
{if (define_genfs_context(0)) return -1;}
;
ipv4_addr_def : IPV4_ADDR
@ -737,6 +738,11 @@ nested_id_element : identifier | '-' { if (insert_id("-", 0)) return -1; }
identifier : IDENTIFIER
{ if (insert_id(yytext,0)) return -1; }
;
filesystem : FILESYSTEM
{ if (insert_id(yytext,0)) return -1; }
| IDENTIFIER
{ if (insert_id(yytext,0)) return -1; }
;
path : PATH
{ if (insert_id(yytext,0)) return -1; }
;


@ -218,6 +218,7 @@ PERMISSIVE { return(PERMISSIVE); }
"/"({alnum}|[_\.\-/])* { return(PATH); }
\"({alnum}|[_\.\-])+\" { return(FILENAME); }
{letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); }
{alnum}*{letter}{alnum}* { return(FILESYSTEM); }
{digit}+|0x{hexval}+ { return(NUMBER); }
{digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); }
{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); }
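Review bot: The new FILESYSTEM rule sits before the NUMBER rule, and flex resolves equal-length matches in favour of the earlier rule, so a hex literal such as `0x1f` (constructed example) looks like it will now be returned as FILESYSTEM instead of NUMBER, because it fits `{alnum}*{letter}{alnum}*` at the same length as `0x{hexval}+`. This assumes `{letter}` includes `x` and `{hexval}` is a subset of `{alnum}`; those definitions are outside the hunk. Any policy statement that takes a hex NUMBER would then fail to parse. Moving the rule one line down, after `{digit}+|0x{hexval}+ { return(NUMBER); }`, still yields FILESYSTEM for `9p` (longest match wins there) without capturing hex literals.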