From 3b71b9fe4640eb00a48c255baf4d6cfdbbe73828 Mon Sep 17 00:00:00 2001 From: Ange Date: Wed, 12 Jul 2023 19:15:48 +0200 Subject: [PATCH 1/5] SE Linux binary policy formats Modules, Kernel and package, all versions. --- security/selinux.ksy | 1605 ++++++++++++++++++++++++++++++++++++++++ security/selinuxpp.ksy | 42 ++ 2 files changed, 1647 insertions(+) create mode 100644 security/selinux.ksy create mode 100644 security/selinuxpp.ksy diff --git a/security/selinux.ksy b/security/selinux.ksy new file mode 100644 index 000000000..9305cf302 --- /dev/null +++ b/security/selinux.ksy 
@@ -0,0 +1,1605 @@
+meta:
+ id: selinux
+ title: SELinux file policy binary
+ license: CC0-1.0
+ encoding: ASCII
+ file-extension: bin
+ endian: le
+doc-ref: |
+ https://github.com/SELinuxProject/selinux/blob/master/libsepol/src/policydb.c
+ https://github.com/SELinuxProject/selinux/blob/master/libsepol/src/write.c
+seq:
+ - id: header
+ type: header
+
+types:
+ header: # policydb_read
+ instances:
+ handle_unknown:
+ value: 'config & 6'
+ seq:
+ - id: magic
+ type: u4
+ enum: magics
+ valid:
+ expr: '(magic == magics::kernel) or (magic == magics::module)'
+ - id: policydb_str_len
+ -orig-id: len
+ type: u4
+ - id: policydb_str
+ type: str
+ encoding: ascii
+ size: policydb_str_len
+ valid:
+ expr: '(magic == magics::kernel and (_ == "SE Linux" or _ == "XenFlask")) or (magic == magics::module and _ == "SE Linux Module")'
+ - id: policy_type
+ type: u4
+ enum: policy_types
+ if: 'magic == magics::module'
+ - id: policyvers
+ type: u4
+ valid:
+ expr: '(magic == magics::kernel and 15 <= _ and _ <= 33) or (magic != magics::kernel and 4 <= _ and _ <= 21)'
+ - id: config
+ -orig-id: config
+ type: u4
+ - id: symbols_count
+ -orig-id: sym_num
+ type: u4
+ - id: object_contexts_count
+ -orig-id: ocon_num
+ type: u4
+ valid:
+ min: 0
+ max: 9
+ - id: module_header
+ type: module_header
+ if: 'magic == magics::module'
+ - id: policycaps
+ type: extensible_bitmap
+ if: '(_root.type == policy_types::kernel and policyvers >= 22) or (policyvers >= 7)'
+ - id: permissive_map
+ type: extensible_bitmap
+ if: '(_root.type == policy_types::kernel and policyvers >= 23)'
+ - id: symbols
+ type: symbols
+ - id: access_vector_table
+ type: access_vector_table
+ if: '(_root.type == policy_types::kernel)'
+ - id: conditional_list
+ type: conditional_list
+ if: '_root.type == policy_types::kernel and policyvers >= 16'
+ - id: role_trans
+ type: role_trans
+ if: '_root.type == policy_types::kernel'
+ - id: role_allow
+ type: role_allow
+ if: '_root.type == policy_types::kernel'
+ - id: filename_trans
+ type: filename_trans
+ if: '_root.type == policy_types::kernel and policyvers >= 25'
+ - id: avrule_block
+ type: avrule_block
+ if: '_root.type != policy_types::kernel'
+ - id: scope_list
+ type: scope_list
+ repeat: expr
+ repeat-expr: _root.header.symbols_count
+ if: '_root.type != policy_types::kernel'
+ - id: ocontext_selinux
+ type: ocontext_selinux
+ if: '_root.target == targets::selinux'
+ - id: ocontext_xen
+ type: ocontext_xen
+ if: '_root.target == targets::xen'
+ - id: genfs
+ type: genfs
+ - id: range
+ type: range
+ if: '(_root.type == policy_types::kernel and policyvers >= 19) or (_root.type == policy_types::base and policyvers == 5)'
+ - id: type_attr_map
+ type: extensible_bitmap
+ repeat: expr
+ repeat-expr: symbols.types.primary_names_count
+ if: '_root.type == policy_types::kernel'
+
+
+ module_header:
+ seq:
+ - id: name_len
+ -orig-id: len
+ type: u4
+ valid:
+ min: 1
+ - id: name
+ type: str
+ encoding: ascii
+ size: name_len
+ - id: version_length
+ -orig-id: len # again
+ type: u4
+ valid:
+ min: 1
+ - id: version
+ type: str
+ encoding: ascii
+ size: version_length
+
+ extensible_bitmap: # ebitmap_read
+ seq:
+ - id: mapsize
+ type: u4
+ valid: 0x40
+ - id: highbit
+ type: u4
+ valid:
+ expr: 'not(highbit & 0x3F)'
+ - id: count
+ type: u4
+ valid:
+ expr: 'not ((highbit > 0) and (_ == 0))'
+ - id: node
+ type: ebitmap_node
+ repeat: expr
+ repeat-expr: count
+ if: count > 0
+
+ ebitmap_node:
+ seq:
+ - id: startbit
+ type: u4
+ - id: map
+ type: u8
+
+ symbols:
+ seq:
+ - id: commons
+ type: commons
+ - id: classes
+ type: classes
+ - id: roles
+ type: roles
+ - id: types
+ type: types
+ - id: users
+ type: users
+ # 5 symbols: all of them
+ - id: conditional_booleans
+ -orig-id: bools
+ type: bools
+ # 6 symbols: mod or base or kern[16-18]
+ if: '_root.header.symbols_count >= 6'
+ - id: security_levels
+ -orig-id: levels
+ type: levels
+ if: '_root.header.symbols_count >= 7'
+ - id: categories
+ -orig-id: cats
+ type: cats
+ # 8 symbols: mod or base or kern[19-]
+ if: '_root.header.symbols_count >= 8'
+
+ commons:
+ seq:
+ - id: primary_names_count
+ -orig-id: nprim
+ type: u4
+ - id: elements_count
+ -orig-id: nel
+ type: u4
+ - id: common
+ type: common
+ repeat: expr
+ repeat-expr: elements_count
+ if: elements_count > 0
+
+ classes:
+ seq:
+ - id: primary_names_count
+ -orig-id: nprim
+ type: u4
+ - id: elements_count
+ -orig-id: nel
+ type: u4
+ - id: class
+ type: class
+ repeat: expr
+ repeat-expr: elements_count
+ if: elements_count > 0
+
+ roles:
+ seq:
+ - id: primary_names_count
+ -orig-id: nprim
+ type: u4
+ - id: elements_count
+ -orig-id: nel
+ type: u4
+ - id: role
+ type: role
+ repeat: expr
+ repeat-expr: elements_count
+ if: elements_count > 0
+
+ types:
+ seq:
+ - id: primary_names_count
+ -orig-id: nprim
+ type: u4
+ - id: elements_count
+ -orig-id: nel
+ type: u4
+ - id: type
+ type: type
+ repeat: expr
+ repeat-expr: elements_count
+ if: elements_count > 0
+
+ users:
+ seq:
+ - id: primary_names_count
+ -orig-id: nprim
+ type: u4
+ - id: elements_count
+ -orig-id: nel
+ type: u4
+ - id: user
+ type: user
+ repeat: expr
+ repeat-expr: elements_count
+ if: elements_count > 0
+
+ bools: # cond_read_bools
+ seq:
+ - id: primary_names_count
+ -orig-id: nprim
+ type: u4
+ - id: elements_count
+ -orig-id: nel
+ type: u4
+ - id: bool
+ type: bool
+ repeat: expr
+ repeat-expr: elements_count
+ if: elements_count > 0
+
+ levels: # sens_read
+ seq:
+ - id: primary_names_count
+ -orig-id: nprim
+ type: u4
+ - id: elements_count
+ -orig-id: nel
+ type: u4
+ - id: level
+ type: level
+ repeat: expr
+ repeat-expr: elements_count
+ if: elements_count > 0
+
+ cats: # cat_read
+ seq:
+ - id: primary_names_count
+ -orig-id: nprim
+ type: u4
+ - id: elements_count
+ -orig-id: nel
+ type: u4
+ - id: cat
+ type: cat
+ repeat: expr
+ repeat-expr: elements_count
+ if: elements_count > 0
+
+ common: # common_read
+ seq:
+ - id: length
+ -orig-id: len
+ type: u4
+ valid:
+ min: 1
+ - id: value
+ type: u4
+ - id: primary_names_count
+ -orig-id: nprim
+ type: u4
+ valid:
+ max: 32
+ - id: elements_count
+ -orig-id: nel
+ type: u4
+ - id: key
+ type: str
+ encoding: ascii
+ size: length
+ - id: permission
+ type: permission
+ repeat: expr
+ repeat-expr: elements_count
+ if: elements_count > 0
+
+ permission: # perm_read
+ seq:
+ - id: length
+ -orig-id: len
+ type: u4 # validity not verified
+ - id: value
+ type: u4
+ - id: key
+ type: str
+ encoding: ASCII
+ size: length
+
+ class: # class_read
+ seq:
+ - id: key_length
+ -orig-id: len
+ type: u4
+ valid:
+ min: 1
+ - id: common_key_length
+ -orig-id: len2
+ type: u4
+ - id: value
+ type: u4
+ - id: primary_names_count
+ -orig-id: perm_nprim
+ type: u4
+ valid:
+ max: 32
+ - id: elements_count
+ -orig-id: nel
+ type: u4
+ - id: constraints_count
+ -orig-id: ncons
+ type: u4
+ - id: key
+ type: str
+ encoding: ASCII
+ size: key_length
+ - id: common_key
+ type: str
+ encoding: ASCII
+ size: common_key_length
+ if: common_key_length > 0
+ - id: permission
+ type: permission
+ repeat: expr
+ repeat-expr: elements_count
+ - id: constraints
+ -orig-id: constraints
+ type: constraint
+ repeat: expr
+ repeat-expr: constraints_count
+
+ - id: validatetrans_count
+ -orig-id: ncons # yes, same name
+ type: u4
+ if: '(_root.type == policy_types::kernel and _root.version >= 19) or (_root.type == policy_types::base and _root.version >= 5)'
+ - id: validatetrans
+ -orig-id: validatetrans
+ type: constraint
+ repeat: expr
+ repeat-expr: validatetrans_count
+ if: '(_root.type == policy_types::kernel and _root.version >= 19) or (_root.type == policy_types::base and _root.version >= 5)'
+
+ - id: default_user
+ type: u4
+ if: '(_root.type == policy_types::kernel and _root.version >= 27) or (_root.type == policy_types::base and _root.version >= 15)'
+ - id: default_role
+ type: u4
+ if: '(_root.type == policy_types::kernel and _root.version >= 27) or (_root.type == policy_types::base and _root.version >= 15)'
+ - id: default_range
+ type: u4
+ if: '(_root.type == policy_types::kernel and _root.version >= 27) or (_root.type == policy_types::base and _root.version >= 15)'
+
+ - id: default_type
+ type: u4
+ if: '(_root.type == policy_types::kernel and _root.version >= 28) or (_root.type == policy_types::base and _root.version >= 16)'
+
+ constraint: # read_cons_helper
+ seq:
+ - id: permissions
+ type: u4
+ - id: expressions_count
+ -orig-id: nexpr
+ type: u4
+ - id: expression
+ type: expression
+ repeat: expr
+ repeat-expr: expressions_count
+ if: expressions_count > 0
+
+ expression:
+ seq:
+ - id: type
+ type: u4
+ enum: expression_types
+ - id: attribute
+ -orig-id: attr
+ type: u4
+ - id: operator
+ -orig-id: op
+ type: u4
+ - id: names
+ type: extensible_bitmap
+ if: 'type == expression_types::names'
+ - id: type_names
+ type: type_set
+ if: 'type == expression_types::names and ((_root.type == policy_types::kernel and _root.version >= 29) or (_root.type != policy_types::kernel))'
+
+ mls_range: # mls_read_range_helper
+ seq:
+ - id: items
+ type: u4
+ - id: sensitivity0
+ -orig-id: level[0].sens
+ type: u4
+ - id: sensitivity1
+ -orig-id: level[1].sens
+ type: u4
+ if: items > 1
+ - id: category0
+ -orig-id: level[0].cat
+ type: extensible_bitmap
+ - id: category1
+ -orig-id: level[1].cat
+ type: extensible_bitmap
+ if: items > 1
+
+ context: # context_read_and_validate
+ seq:
+ - id: user
+ type: u4
+ - id: role
+ type: u4
+ - id: type
+ type: u4
+ - id: mls_range
+ type: mls_range
+ if: '(_root.type == policy_types::kernel and _root.version >= 19) or (_root.type == policy_types::base and _root.version >= 5)'
+
+ role: # role_read
+ seq:
+ - id: length
+ -orig-id: len
+ type: u4
+ - id: value
+ type: u4
+ - id: bounds
+ type: u4
+ if: '_root.boundary_feature'
+ - id: key
+ type: str
+ encoding: ascii
+ size: length
+ - id: dominates
+ type: extensible_bitmap
+ - id: types_eb
+ type: extensible_bitmap
+ if: _root.type == policy_types::kernel
+ - id: types_ts
+ type: type_set
+ if: not (_root.type == policy_types::kernel)
+ - id: flavor
+ type: u4
+ if: '(_root.type != policy_types::kernel and _root.version >= 13)'
+ - id: roles
+ type: extensible_bitmap
+ if: '(_root.type != policy_types::kernel and _root.version >= 13)'
+
+ type: # type_read
+ seq:
+ # 3: kern <= 23
+ # 4: kern >= 24 or !kern <= 7 or !kern == 9
+ # 5: !kern == 8 or !kern >= 10
+ - id: length
+ -orig-id: len
+ type: u4
+ - id: value
+ type: u4
+ - id: primary
+ type: u4
+ if: '(_root.boundary_feature and (_root.type != policy_types::kernel and _root.version >= 10)) or not _root.boundary_feature'
+ - id: properties
+ type: u4
+ if: '_root.boundary_feature'
+ - id: bounds
+ type: u4
+ if: '_root.boundary_feature'
+ - id: flavor
+ type: u4
+ if: 'not _root.boundary_feature and (_root.type != policy_types::kernel)'
+ - id: flags
+ type: u4
+ if: 'not _root.boundary_feature and (_root.type != policy_types::kernel and _root.version >= 8)'
+ - id: types
+ type: extensible_bitmap
+ if: '_root.type != policy_types::kernel'
+ - id: key
+ type: str
+ encoding: ASCII
+ size: length
+
+ type_set:
+ seq:
+ - id: types
+ type: extensible_bitmap
+ - id: negset
+ type: extensible_bitmap
+ - id: flag
+ type: u4
+
+ user: # user_read
+ seq:
+ - id: length
+ -orig-id: len
+ type: u4
+ - id: value
+ type: u4
+ - id: bounds
+ type: u4
+ if: _root.boundary_feature
+ - id: key
+ type: str
+ encoding: ASCII
+ size: length
+ - id: roles_eb
+ type: extensible_bitmap
+ if: '_root.type == policy_types::kernel'
+ - id: roles_rs
+ type: role_set
+ if: '_root.type != policy_types::kernel'
+ - id: exp_range
+ type: mls_range
+ if: '(_root.type == policy_types::kernel and _root.version >= 19) or (_root.type == policy_types::module and _root.version >= 5 and _root.version < 6) or (_root.type == policy_types::base and _root.version >= 5 and _root.version < 6)'
+ - id: exp_dftlevel
+ type: mls_level
+ if: '(_root.type == policy_types::kernel and _root.version >= 19) or (_root.type == policy_types::module and _root.version >= 5 and _root.version < 6) or (_root.type == policy_types::base and _root.version >= 5 and _root.version < 6)'
+ - id: range
+ type: mls_semantic_range
+ if: '(_root.type == policy_types::module or _root.type == policy_types::base) and (_root.version >= 6)'
+ - id: dfltlevel
+ type: mls_semantic_range
+ if: '(_root.type == policy_types::module or _root.type == policy_types::base) and (_root.version >= 6)'
+
+ role_set: # role_set_read
+ seq:
+ - id: roles
+ type: extensible_bitmap
+ - id: flags
+ type: u4
+
+ mls_level: # mls_read_level
+ seq:
+ - id: sensitivity
+ -orig-id: sens
+ type: u4
+ - id: category
+ -orig-id: cat
+ type: extensible_bitmap
+
+ mls_semantic_range: # mls_read_semantic_range_helper
+ seq:
+ - id: level0
+ type: mls_semantic_level
+ - id: level1
+ type: mls_semantic_level
+
+ mls_semantic_level: # mls_read_semantic_level_helper
+ seq:
+ - id: sensitivity
+ -orig-id: sens
+ type: u4
+ - id: count
+ -orig-id: ncat
+ type: u4
+ - id: category
+ -orig-id: cat
+ type: semantic_category
+ repeat: expr
+ repeat-expr: count
+ if: count > 0
+
+ semantic_category:
+ seq:
+ - id: low
+ type: u4
+ - id: high
+ type: u4
+
+ bool: # cond_read_bool
+ seq:
+ - id: value
+ type: u4
+ - id: state
+ type: u4
+ - id: length
+ -orig-id: len
+ type: u4
+ - id: key
+ type: str
+ size: length
+ encoding: ascii
+ - id: flags
+ type: u4
+ if: '(_root.type != policy_types::kernel and _root.version >= 14)'
+
+
+ level: # sens_read
+ seq:
+ - id: length
+ -orig-id: len
+ type: u4
+ valid:
+ min: 1
+ - id: isalias
+ type: u4
+ - id: key
+ type: str
+ encoding: ascii
+ size: length
+ - id: level
+ type: mls_level
+
+ cat: # cat_read
+ seq:
+ - id: length
+ -orig-id: len
+ type: u4
+ valid:
+ min: 1
+ - id: value
+ type: u4
+ - id: isalias
+ type: u4
+ - id: key
+ type: str
+ encoding: ascii
+ size: length
+
+ access_vector_table: # avtab_read
+ seq:
+ - id: elements_count
+ -orig-id: nel
+ type: u4
+ - id: access_vector_old
+ type: access_vector_old
+ repeat: expr
+ repeat-expr: elements_count
+ if: elements_count > 0 and _root.version < 20
+ - id: access_vector
+ type: access_vector
+ repeat: expr
+ repeat-expr: elements_count
+ if: elements_count > 0 and _root.version >= 20
+
+
+ access_vector_old: # avtab_read_item
+ seq:
+ - id: total
+ -orig-id: items2
+ type: u4
+ valid:
+ min: 5
+ max: 8
+ - id: source_type
+ type: u4
+ - id: target_type
+ type: u4
+ - id: target_class
+ type: u4
+ - id: value
+ -orig-id: val
+ type: u4
+ - id: data
+ type: u4
+ repeat: expr
+ repeat-expr: 8
+
+ access_vector: # avtab_read_item
+ seq:
+ - id: source_type
+ type: u2
+ - id: target_type
+ type: u2
+ - id: target_class
+ type: u2
+ - id: specified
+ type: u2
+ - id: xperms_specified
+ type: u1
+ if: '(specified & 0x700) != 0'
+ - id: xperms_drivers
+ type: u1
+ if: '(specified & 0x700) != 0'
+ - id: xperms_perms
+ type: u4
+ if: '(specified & 0x700) != 0'
+ repeat: expr
+ repeat-expr: 8
+ - id: data
+ type: u4
+ if: '(specified & 0x700) == 0'
+
+ conditional_list: # cond_read_list
+ seq:
+ - id: length
+ -orig-id: len
+ type: u4
+ - id: conditional_node
+ type: conditional_node
+ repeat: expr
+ repeat-expr: length
+
+ conditional_node: # cond_read_node
+ seq:
+ - id: current_state
+ -orig-id: cur_state
+ type: u4
+ - id: length
+ -orig-id: len
+ type: u4
+ - id: conditional_node_item
+ type: conditional_node_item
+ repeat: expr
+ repeat-expr: length
+ - id: true_list
+ type: cond_av_list
+ if: _root.type == policy_types::kernel
+ - id: false_list
+ type: cond_av_list
+ if: _root.type == policy_types::kernel
+ - id: avtrue_list
+ type: avrule_list
+ if: _root.type != policy_types::kernel
+ - id: avfalse_list
+ type: avrule_list
+ if: _root.type != policy_types::kernel
+ - id: flags
+ type: u4
+ if: '_root.type != policy_types::kernel and _root.version >= 14'
+
+ conditional_node_item:
+ seq:
+ - id: expr_type
+ type: u4
+ - id: boolean
+ type: u4
+
+ cond_av_list: # cond_read_av_list
+ seq:
+ - id: length
+ -orig-id: len
+ type: u4
+ - id: access_vector_old
+ type: access_vector_old
+ repeat: expr
+ repeat-expr: length
+ if: length > 0 and _root.version < 20
+ - id: access_vector
+ type: access_vector
+ repeat: expr
+ repeat-expr: length
+ if: length > 0 and _root.version >= 20
+
+ avrule_list: # avrule_read_list
+ seq:
+ - id: length
+ -orig-id: len
+ type: u4
+ - id: avrule
+ type: avrule
+ repeat: expr
+ repeat-expr: length
+ if: length > 0
+
+ avrule: # avrule_read
+ seq:
+ - id: specified
+ type: u4
+ - id: flags
+ type: u4
+ - id: stypes
+ type: type_set
+ - id: ttypes
+ type: type_set
+ - id: length
+ -orig-id: len
+ type: u4
+ - id: avrule_item
+ type: avrule_item
+ repeat: expr
+ repeat-expr: length
+ if: length > 0
+ - id: avrule_specified
+ type: avrule_specified
+ if: '(specified & (0x0100 | 0x0200 | 0x0400 | 0x0800)) != 0'
+
+ avrule_item: # avrule_read
+ seq:
+ - id: tclass
+ type: u4
+ - id: data
+ type: u4
+
+ avrule_specified:
+ seq:
+ - id: xperms_specified
+ type: u1
+ - id: xperms_driver
+ type: u1
+ - id: elements_count
+ -orig-id: nel
+ type: u4
+ - id: perms
+ type: u4
+ repeat: expr
+ repeat-expr: elements_count
+
+ role_trans: # role_trans_read
+ seq:
+ - id: elements_count
+ -orig-id: nel
+ type: u4
+ - id: role_trans_item
+ type: role_trans_item
+ repeat: expr
+ repeat-expr: elements_count
+ if: elements_count > 0
+
+ role_trans_item:
+ seq:
+ - id: role
+ type: u4
+ - id: type
+ type: u4
+ - id: new_role
+ type: u4
+ - id: tclass
+ type: u4
+ if: '(_root.type == policy_types::kernel and _root.version >= 26)'
+
+ role_allow: # role_allow_read
+ seq:
+ - id: elements_count
+ -orig-id: nel
+ type: u4
+ - id: role_allow_item
+ type: role_allow_item
+ repeat: expr
+ repeat-expr: elements_count
+ if: elements_count > 0
+
+ role_allow_item:
+ seq:
+ - id: role
+ type: u4
+ - id: new_role
+ type: u4
+
+ filename_trans: # filename_trans_read
+ seq:
+ - id: elements_count
+ -orig-id: nel
+ type: u4
+ - id: item_32
+ type: filename_trans_item_old
+ repeat: expr
+ repeat-expr: elements_count
+ if: '(elements_count > 0) and (_root.version < 33)'
+ - id: item_33
+ type: filename_trans_item
+ repeat: expr
+ repeat-expr: elements_count
+ if: '(elements_count > 0) and (_root.version >= 33)'
+
+ filename_trans_item_old: # filename_trans_read_one_compat
+ seq:
+ - id: length
+ -orig-id: len
+ type: u4
+ - id: name
+ type: str
+ encoding: ascii
+ size: length
+ - id: stype
+ type: u4
+ - id: ttype
+ type: u4
+ - id: tclass
+ type: u4
+ - id: otype
+ type: u4
+
+
+ filename_trans_item: # filename_trans_read_one
+ seq:
+ - id: length
+ -orig-id: len
+ type: u4
+ - id: name
+ type: str
+ encoding: ascii
+ size: length
+ - id: ttype
+ type: u4
+ - id: tclass
+ type: u4
+ - id: count
+ -orig-id: ndatum
+ type: u4
+ valid:
+ min: 1
+ - id: item
+ type: filename_trans_item_item
+ repeat: expr
+ repeat-expr: count
+ if: count > 0
+
+ filename_trans_item_item:
+ seq:
+ - id: stypes
+ type: extensible_bitmap
+ - id: otype
+ type: u4
+
+ avrule_block: # avrule_block_read
+ seq:
+ - id: count
+ -orig-id: num_blocks
+ type: u4
+ - id: avrule_block_item
+ type: avrule_block_item
+ repeat: expr
+ repeat-expr: count
+ if: count > 0
+
+ avrule_block_item:
+ seq:
+ - id: num_decls
+ type: u4
+ - id: curdecl
+ type: avrule_decl
+ repeat: expr
+ repeat-expr: num_decls
+ if: num_decls > 0
+
+ avrule_decl: # avrule_decl_read
+ seq:
+ - id: decl_id
+ type: u4
+ - id: enabled
+ type: u4
+ - id: cond_list
+ type: conditional_list
+ - id: avrules
+ type: avrule_list
+ - id: role_tr_rules
+ type: role_trans_rule
+ - id: role_allow_rules
+ type: role_allow_rule
+
+ - id: filename_trans_rules
+ type: filename_trans_rule
+ if: _root.version >= 11
+ - id: range_tr_rules
+ type: range_trans_rule
+ if: _root.version >= 6
+ - id: required
+ type: scope_index
+ - id: declared
+ type: scope_index
+ - id: symbols
+ type: symbols
+
+ role_trans_rule: # role_trans_rule_read
+ seq:
+ - id: elements_count
+ -orig-id: nel
+ type: u4
+ - id: item
+ type: role_trans_rule_item
+ repeat: expr
+ repeat-expr: elements_count
+ if: elements_count > 0
+
+ role_trans_rule_item:
+ seq:
+ - id: roles
+ type: role_set
+ - id: types
+ type: role_set
+ - id: classes
+ type: extensible_bitmap
+ if: _root.version >= 12
+ - id: new_role
+ type: u4
+
+ role_allow_rule: # role_allow_rule_read
+ seq:
+ - id: elements_count
+ -orig-id: nel
+ type: u4
+ - id: role_allow_rule_item
+ type: common
+ repeat: expr
+ repeat-expr: elements_count
+ if: elements_count > 0
+
+ role_allow_rule_item:
+ seq:
+ - id: roles
+ type: role_set
+ - id: new_roles
+ type: role_set
+
+ filename_trans_rule: # filename_trans_rule_read
+ seq:
+ - id: count
+ type: u4
+ - id: item
+ type: filename_trans_rule_item
+ repeat: expr
+ repeat-expr: count
+ if: count > 0
+
+ filename_trans_rule_item:
+ seq:
+ - id: length
+ -orig-id: len
+ type: u4
+ valid:
+ min: 1
+ - id: name
+ type: str
+ encoding: ascii
+ size: length
+ - id: stypes
+ type: type_set
+ - id: ttypes
+ type: type_set
+ - id: tclass
+ type: u4
+ - id: otype
+ type: u4
+ - id: flags
+ type: u4
+ if: _root.version >= 21
+
+
+ range_trans_rule: # range_trans_rule_read
+ seq:
+ - id: count
+ -orig-id: nel
+ type: u4
+ - id: item
+ type: range_trans_rule_item
+ repeat: expr
+ repeat-expr: count
+ if: count > 0
+
+ range_trans_rule_item:
+ seq:
+ - id: stypes
+ type: type_set
+ - id: ttypes
+ type: type_set
+ - id: tclasses
+ type: extensible_bitmap
+ - id: trange
+ type: mls_semantic_range
+
+ scope_index: # scope_index_read
+ seq:
+ - id: scope
+ type: extensible_bitmap
+ repeat: expr
+ repeat-expr: _root.header.symbols_count
+ - id: class_perms_len
+ type: u4
+ valid:
+ min: 0
+ - id: class_perms_map
+ type: extensible_bitmap
+ repeat: expr
+ repeat-expr: class_perms_len
+
+ scope_list:
+ seq:
+ - id: elements_count
+ -orig-id: nel
+ type: u4
+ - id: scope
+ type: scope
+ repeat: expr
+ repeat-expr: elements_count
+ if: elements_count > 0
+
+ scope: # scope_read
+ seq:
+ - id: length
+ -orig-id: len
+ type: u4
+ valid:
+ min: 1
+ - id: key
+ type: str
+ encoding: ascii
+ size: length
+ - id: scope
+ type: u4
+ - id: decl_ids_len
+ type: u4
+ valid:
+ min: 1
+ - id: decl_id
+ type: u4
+ repeat: expr
+ repeat-expr: decl_ids_len
+
+ ocontext_selinux: # ocontext_read_selinux
+ seq:
+ - id: initial_sids
+ type: initial_sids
+ if: '_root.header.object_contexts_count >= 1'
+ - id: filesystems
+ type: filesystems
+ if: '_root.header.object_contexts_count >= 2'
+ - id: ports
+ type: ports
+ if: '_root.header.object_contexts_count >= 3'
+ - id: network_interfaces
+ type: filesystems # same
+ if: '_root.header.object_contexts_count >= 4'
+ - id: nodes
+ type: nodes
+ if: '_root.header.object_contexts_count >= 5'
+ - id: fsuses
+ type: fsuses
+ if: '_root.header.object_contexts_count >= 6'
+ - id: nodes6
+ type: nodes6
+ if: '_root.header.object_contexts_count >= 7'
+ - id: ibpkeys
+ type: ibpkeys
+ if: '_root.header.object_contexts_count >= 8'
+ - id: ibpendports
+ type: ibpendports
+ if: '_root.header.object_contexts_count >= 9'
+
+ initial_sids:
+ seq:
+ - id: elements_count
+ -orig-id: nel
+ type: u4
+ - id: initial_sid
+ type: initial_sid
+ repeat: expr
+ repeat-expr: elements_count
+ if: elements_count > 0
+
+ initial_sid:
+ seq:
+ - id: sid0
+ type: u4
+ - id: context0
+ type: context
+
+ filesystems:
+ seq:
+ - id: elements_count
+ -orig-id: nel
+ type: u4
+ - id: filesystem
+ type: filesystem
+ repeat: expr
+ repeat-expr: elements_count
+ if: elements_count > 0
+
+ filesystem:
+ seq:
+ - id: length
+ -orig-id: len
+ type: u4
+ valid:
+ min: 1
+ - id: key
+ type: str
+ encoding: ascii
+ size: length
+ - id: context0
+ type: context
+ - id: context1
+ type: context
+
+ ports:
+ seq:
+ - id: elements_count
+ -orig-id: nel
+ type: u4
+ - id: port
+ type: port
+ repeat: expr
+ repeat-expr: elements_count
+ if: elements_count > 0
+
+ port:
+ seq:
+ - id: protocol
+ type: u4
+ - id: low_port
+ type: u4
+ - id: high_port
+ type: u4
+ - id: context
+ type: context
+
+ nodes:
+ seq:
+ - id: elements_count
+ -orig-id: nel
+ type: u4
+ - id: node
+ type: node
+ repeat: expr
+ repeat-expr: elements_count
+ if: elements_count > 0
+
+ node:
+ seq:
+ - id: addr
+ type: u4
+ - id: mask
+ type: u4
+ - id: context
+ type: context
+
+ fsuses:
+ seq:
+ - id: elements_count
+ -orig-id: nel
+ type: u4
+ - id: fsuse
+ type: fsuse
+ repeat: expr
+ repeat-expr: elements_count
+ if: elements_count > 0
+
+ fsuse:
+ seq:
+ - id: behavior
+ type: u4
+ - id: length
+ -orig-id: len
+ type: u4
+ valid:
+ min: 1
+ - id: name
+ type: str
+ encoding: ascii
+ size: length
+ - id: context
+ type: context
+
+ nodes6:
+ seq:
+ - id: elements_count
+ -orig-id: nel
+ type: u4
+ - id: node6
+ type: node6
+ repeat: expr
+ repeat-expr: elements_count
+ if: elements_count > 0
+
+ node6:
+ seq:
+ - id: addr
+ type: u4
+ repeat: expr
+ repeat-expr: 4
+ - id: mask
+ type: u4
+ repeat: expr
+ repeat-expr: 4
+ - id: context
+ type: context
+
+ ibpkeys:
+ seq:
+ - id: elements_count
+ -orig-id: nel
+ type: u4
+ - id: ibpkey
+ type: ibpkey
+ repeat: expr
+ repeat-expr: elements_count
+ if: elements_count > 0
+
+ ibpkey:
+ seq:
+ - id: low_pkey
+ type: u4
+ - id: high_pkey
+ type: u4
+ - id: context
+ type: context
+
+ ibpendports:
+ seq:
+ - id: elements_count
+ -orig-id: nel
+ type: u4
+ - id: ibpendport
+ type: ibpendport
+ repeat: expr
+ repeat-expr: elements_count
+ if: elements_count > 0
+
+ ibpendport:
+ seq:
+ - id: length
+ -orig-id: len
+ type: u4
+ valid:
+ min: 1
+ - id: port
+ type: u4
+ - id: dev_name
+ type: str
+ encoding: ascii
+ size: length
+ - id: context
+ type: context
+
+
+ ocontext_xen: # ocontext_read_xen
+ seq:
+ - id: xen_isids
+ type: xen_isids
+ if: '_root.header.object_contexts_count >= 1'
+ - id: xen_pirqs
+ type: xen_pirqs
+ if: '_root.header.object_contexts_count >= 2'
+ - id: xen_ioports
+ type: xen_ioports
+ if: '_root.header.object_contexts_count >= 3'
+ - id: xen_iomems
+ type: xen_iomems
+ if: '_root.header.object_contexts_count >= 4'
+ - id: xen_pcidevices
+ type: xen_pcidevices
+ if: '_root.header.object_contexts_count >= 5'
+ - id: xen_devicetrees
+ type: xen_devicetrees
+ if: '_root.header.object_contexts_count >= 6'
+
+ xen_isids:
+ seq:
+ - id: elements_count
+ -orig-id: nel
+ type: u4
+ - id: xen_isid
+ type: xen_isid
+ repeat: expr
+ repeat-expr: elements_count
+ if: elements_count > 0
+
+ xen_isid:
+ seq:
+ - id: sid0
+ type: u4
+ - id: context0
+ type: context
+
+ xen_pirqs:
+ seq:
+ - id: elements_count
+ -orig-id: nel
+ type: u4
+ - id: xen_pirq
+ type: xen_pirq
+ repeat: expr
+ repeat-expr: elements_count
+ if: elements_count > 0
+
+ xen_pirq:
+ seq:
+ - id: pirq
+ type: u4
+ - id: context0
+ type: context
+
+ xen_ioports:
+ seq:
+ - id: elements_count
+ -orig-id: nel
+ type: u4
+ - id: xen_ioport
+ type: xen_ioport
+ repeat: expr
+ repeat-expr: elements_count
+ if: elements_count > 0
+
+ xen_ioport:
+ seq:
+ - id: low_port
+ type: u4
+ - id: high_port
+ type: u4
+ - id: context0
+ type: context
+
+ xen_iomems:
+ seq:
+ - id: elements_count
+ -orig-id: nel
+ type: u4
+ - id: xen_iomem
+ type: xen_iomem
+ repeat: expr
+ repeat-expr: elements_count
+ if: elements_count > 0
+
+ xen_iomem:
+ seq:
+ - id: low_iomem64
+ type: u8
+ if: '_root.version >= 30'
+ - id: high_iomem64
+ type: u8
+ if: '_root.version >= 30'
+ - id: low_iomem32
+ type: u4
+ if: '_root.version < 30'
+ - id: high_iomem32
+ type: u4
+ if: '_root.version < 30'
+ - id: context0
+ type: context
+
+ xen_pcidevices:
+ seq:
+ - id: elements_count
+ -orig-id: nel
+ type: u4
+ - id: xen_pcidevice
+ type: xen_pcidevice
+ repeat: expr
+ repeat-expr: elements_count
+ if: elements_count > 0
+
+ xen_pcidevice:
+ seq:
+ - id: device
+ type: u4
+ - id: context0
+ type: context
+
+
+ xen_devicetrees:
+ seq:
+ - id: elements_count
+ -orig-id: nel
+ type: u4
+ - id: xen_devicetree
+ type: xen_devicetree
+ repeat: expr
+ repeat-expr: elements_count
+ if: elements_count > 0
+
+ xen_devicetree:
+ seq:
+ - id: length
+ -orig-id: len
+ type: u4
+ valid:
+ min: 1
+ - id: name
+ type: str
+ encoding: ascii
+ size: length
+ - id: context0
+ type: context
+
+ genfs: # genfs_read
+ seq:
+ - id: elements_count
+ -orig-id: nel
+ type: u4
+ - id: items
+ type: genfs_item
+ repeat: expr
+ repeat-expr: elements_count
+ if: elements_count > 0
+
+ genfs_item:
+ seq:
+ - id: length
+ -orig-id: len
+ type: u4
+ valid:
+ min: 1
+ - id: fstype
+ type: str
+ encoding: ascii
+ size: length
+ - id: elements_count
+ -orig-id: nel2
+ type: u4
+ - id: items
+ type: genfs2_item
+ repeat: expr
+ repeat-expr: elements_count
+ if: elements_count > 0
+
+ genfs2_item:
+ seq:
+ - id: length
+ -orig-id: len
+ type: u4
+ valid:
+ min: 1
+ - id: name
+ type: str
+ encoding: ascii
+ size: length
+ - id: sclass
+ type: u4
+ - id: context0
+ type: context
+
+ range: # range_read
+ seq:
+ - id: elements_count
+ -orig-id: nel
+ type: u4
+ - id: items
+ type: range_item
+ repeat: expr
+ repeat-expr: elements_count
+ if: elements_count > 0
+
+ range_item:
+ seq:
+ - id: source_type
+ type: u4
+ - id: target_type
+ type: u4
+ - id: target_class
+ type: u4
+ if: '_root.type == policy_types::kernel and _root.version >= 21'
+ - id: range_tr
+ type: mls_range
+
+
+instances:
+ boundary_feature: # policydb_has_boundary_feature
+ value: '(_root.type == policy_types::kernel and _root.version >= 24) or (_root.type != policy_types::kernel and _root.version >= 9)'
+ version:
+ value: 'header.policyvers'
+ type:
+ value: 'header.magic == magics::kernel ? policy_types::kernel : (header.policy_type == policy_types::module ? policy_types::module : policy_types::base)'
+ target:
+ value: 'header.magic == magics::kernel and header.policydb_str == "XenFlask" ? targets::xen : targets::selinux'
+ mls:
+ value: 'header.config & 1'
+
+enums:
+ magics:
+ 0xf97cff8c: kernel
+ 0xf97cff8d: module
+ targets:
+ 0: selinux
+ 1: xen
+ policy_types:
+ 0: kernel
+ 1: base
+ 2: module
+ expression_types:
+ 1: not
+ 2: and
+ 3: or
+ 4: attr
+ 5: names
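Review bot: The `policycaps` condition in `header`, `'(_root.type == policy_types::kernel and policyvers >= 22) or (policyvers >= 7)'`, lets the second clause fire for kernel policies as well: the `valid` expression on `policyvers` pins kernel policies to 15–33, so `policyvers >= 7` is always true for them and the 22 threshold in the first clause never takes effect, making the parse of kernel policies at versions 15–21 go wrong from that field on; the module-side clause needs the guard the rest of the file uses, `'(_root.type == policy_types::kernel and policyvers >= 22) or (_root.type != policy_types::kernel and policyvers >= 7)'`. In `role_allow_rule`, the element `role_allow_rule_item` is declared with `type: common`, which parses a common_read record instead of the `role_allow_rule_item` type defined directly below it (that type is otherwise unreferenced); it should read `type: role_allow_rule_item`. Two further type choices look inconsistent with their siblings and are worth checking against the referenced policydb.c: `role_trans_rule_item.types` is a `role_set` while every other `stypes`/`ttypes` field in the file is a `type_set`, and `user.dfltlevel` is an `mls_semantic_range` while its kernel-side counterpart `exp_dftlevel` is a single `mls_level`; if either is wrong, the module-format parse desynchronises silently from that point.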
diff --git a/security/selinuxpp.ksy b/security/selinuxpp.ksy
new file mode 100644
index 000000000..47b3077b5
--- /dev/null
+++ b/security/selinuxpp.ksy
@@ -0,0 +1,42 @@
+meta:
+ id: selinux
+ title: SELinux file policy package binary
+ file-extension: pp
+ license: CC0-1.0
+ encoding: ASCII
+ endian: le
+doc-ref: |
+ https://github.com/SELinuxProject/selinux/blob/master/libsepol/src/module.c
+seq:
+ - id: magic
+ contents: [0x8f, 0xff, 0x7c, 0xf9]
+ - id: version # module_package_read_offsets
+ type: u4
+ - id: sections_count
+ -orig-id: nsec
+ type: u4
+ - id: section
+ type: section
+ repeat: expr
+ repeat-expr: sections_count
+
+types:
+ section:
+ seq:
+ - id: offset
+ -orig-id: off
+ type: u4
+ instances:
+ section_magic:
+ type: u4
+ enum: section_magics
+ io: _root._io
+ pos: offset
+
+enums:
+ section_magics:
+ 0xf97cff90: file_context # -orig-id: fc
+ 0xf97cff8d: module
+ 0x097cff91: user
+ 0x097cff92: user_extra
+ 0x097cff93: netfilter
From c6c60c84c293aea0b73635aa950dc455b9e3a0b6 Mon Sep 17 00:00:00 2001 From: Ange Date: Thu, 13 Jul 2023 21:18:32 +0200 Subject: [PATCH 2/5] Updated to match changes requests --- security/selinux.ksy | 1605 ----------------- security/selinux_policy_binary.ksy | 1600 ++++++++++++++++ ...linuxpp.ksy => selinux_policy_package.ksy} | 23 +- 3 files changed, 1612 insertions(+), 1616 deletions(-) delete mode 100644 security/selinux.ksy create mode 100644 security/selinux_policy_binary.ksy rename security/{selinuxpp.ksy => selinux_policy_package.ksy} (62%)
diff --git a/security/selinux.ksy b/security/selinux.ksy
deleted file mode 100644
index 9305cf302..000000000
--- a/security/selinux.ksy
+++ /dev/null
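Review bot: `meta.id` is `selinux` here as well as in `security/selinux.ksy` from the same patch, so both specs generate a class of the same name and cannot be compiled into one target; this file needs its own id (the rename in PATCH 2/5's diffstat suggests something like `selinux_policy_package`). `version` is read with no `valid` constraint, unlike `policyvers` in the policy file, and `section.offset` is used unchecked as the `pos` of the `section_magic` instance, so an out-of-range offset only surfaces as a read error when a consumer evaluates that instance; a `valid` on `offset` such as `expr: '_ < _root._io.size'` would reject such a file at parse time instead. Because `section_magic` is an instance rather than a `seq` field, nothing in this spec verifies any section's magic unless a consumer touches it, which is worth stating in a comment on the `instances` block.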
@@ -1,1605 +0,0 @@ -meta: - id: selinux - title: SELinux file policy binary - license: CC0-1.0 - encoding: ASCII - file-extension: bin - endian: le -doc-ref: | - https://github.com/SELinuxProject/selinux/blob/master/libsepol/src/policydb.c - https://github.com/SELinuxProject/selinux/blob/master/libsepol/src/write.c -seq: - - id: header - type: header - -types: - header: # policydb_read - instances: - handle_unknown: - value: 'config & 6' - seq: - - id: magic - type: u4 - enum: magics - valid: - expr: '(magic == magics::kernel) or (magic == magics::module)' - - id: policydb_str_len - -orig-id: len - type: u4 - - id: policydb_str - type: str - encoding: ascii - size: policydb_str_len - valid: - expr: '(magic == magics::kernel and (_ == "SE Linux" or _ == "XenFlask")) or (magic == magics::module and _ == "SE Linux Module")' - - id: policy_type - type: u4 - enum: policy_types - if: 'magic == magics::module' - - id: policyvers - type: u4 - valid: - expr: '(magic == magics::kernel and 15 <= _ and _ <= 33) or (magic != magics::kernel and 4 <= _ and _ <= 21)' - - id: config - -orig-id: config - type: u4 - - id: symbols_count - -orig-id: sym_num - type: u4 - - id: object_contexts_count - -orig-id: ocon_num - type: u4 - valid: - min: 0 - max: 9 - - id: module_header - type: module_header - if: 'magic == magics::module' - - id: policycaps - type: extensible_bitmap - if: '(_root.type == policy_types::kernel and policyvers >= 22) or (policyvers >= 7)' - - id: permissive_map - type: extensible_bitmap - if: '(_root.type == policy_types::kernel and policyvers >= 23)' - - id: symbols - type: symbols - - id: access_vector_table - type: access_vector_table - if: '(_root.type == policy_types::kernel)' - - id: conditional_list - type: conditional_list - if: '_root.type == policy_types::kernel and policyvers >= 16' - - id: role_trans - type: role_trans - if: '_root.type == policy_types::kernel' - - id: role_allow - type: role_allow - if: '_root.type == policy_types::kernel' - - id: 
filename_trans - type: filename_trans - if: '_root.type == policy_types::kernel and policyvers >= 25' - - id: avrule_block - type: avrule_block - if: '_root.type != policy_types::kernel' - - id: scope_list - type: scope_list - repeat: expr - repeat-expr: _root.header.symbols_count - if: '_root.type != policy_types::kernel' - - id: ocontext_selinux - type: ocontext_selinux - if: '_root.target == targets::selinux' - - id: ocontext_xen - type: ocontext_xen - if: '_root.target == targets::xen' - - id: genfs - type: genfs - - id: range - type: range - if: '(_root.type == policy_types::kernel and policyvers >= 19) or (_root.type == policy_types::base and policyvers == 5)' - - id: type_attr_map - type: extensible_bitmap - repeat: expr - repeat-expr: symbols.types.primary_names_count - if: '_root.type == policy_types::kernel' - - - module_header: - seq: - - id: name_len - -orig-id: len - type: u4 - valid: - min: 1 - - id: name - type: str - encoding: ascii - size: name_len - - id: version_length - -orig-id: len # again - type: u4 - valid: - min: 1 - - id: version - type: str - encoding: ascii - size: version_length - - extensible_bitmap: # ebitmap_read - seq: - - id: mapsize - type: u4 - valid: 0x40 - - id: highbit - type: u4 - valid: - expr: 'not(highbit & 0x3F)' - - id: count - type: u4 - valid: - expr: 'not ((highbit > 0) and (_ == 0))' - - id: node - type: ebitmap_node - repeat: expr - repeat-expr: count - if: count > 0 - - ebitmap_node: - seq: - - id: startbit - type: u4 - - id: map - type: u8 - - symbols: - seq: - - id: commons - type: commons - - id: classes - type: classes - - id: roles - type: roles - - id: types - type: types - - id: users - type: users - # 5 symbols: all of them - - id: conditional_booleans - -orig-id: bools - type: bools - # 6 symbols: mod or base or kern[16-18] - if: '_root.header.symbols_count >= 6' - - id: security_levels - -orig-id: levels - type: levels - if: '_root.header.symbols_count >= 7' - - id: categories - -orig-id: cats - type: 
cats - # 8 symbols: mod or base or kern[19-] - if: '_root.header.symbols_count >= 8' - - commons: - seq: - - id: primary_names_count - -orig-id: nprim - type: u4 - - id: elements_count - -orig-id: nel - type: u4 - - id: common - type: common - repeat: expr - repeat-expr: elements_count - if: elements_count > 0 - - classes: - seq: - - id: primary_names_count - -orig-id: nprim - type: u4 - - id: elements_count - -orig-id: nel - type: u4 - - id: class - type: class - repeat: expr - repeat-expr: elements_count - if: elements_count > 0 - - roles: - seq: - - id: primary_names_count - -orig-id: nprim - type: u4 - - id: elements_count - -orig-id: nel - type: u4 - - id: role - type: role - repeat: expr - repeat-expr: elements_count - if: elements_count > 0 - - types: - seq: - - id: primary_names_count - -orig-id: nprim - type: u4 - - id: elements_count - -orig-id: nel - type: u4 - - id: type - type: type - repeat: expr - repeat-expr: elements_count - if: elements_count > 0 - - users: - seq: - - id: primary_names_count - -orig-id: nprim - type: u4 - - id: elements_count - -orig-id: nel - type: u4 - - id: user - type: user - repeat: expr - repeat-expr: elements_count - if: elements_count > 0 - - bools: # cond_read_bools - seq: - - id: primary_names_count - -orig-id: nprim - type: u4 - - id: elements_count - -orig-id: nel - type: u4 - - id: bool - type: bool - repeat: expr - repeat-expr: elements_count - if: elements_count > 0 - - levels: # sens_read - seq: - - id: primary_names_count - -orig-id: nprim - type: u4 - - id: elements_count - -orig-id: nel - type: u4 - - id: level - type: level - repeat: expr - repeat-expr: elements_count - if: elements_count > 0 - - cats: # cat_read - seq: - - id: primary_names_count - -orig-id: nprim - type: u4 - - id: elements_count - -orig-id: nel - type: u4 - - id: cat - type: cat - repeat: expr - repeat-expr: elements_count - if: elements_count > 0 - - common: # common_read - seq: - - id: length - -orig-id: len - type: u4 - valid: - min: 1 - 
- id: value - type: u4 - - id: primary_names_count - -orig-id: nprim - type: u4 - valid: - max: 32 - - id: elements_count - -orig-id: nel - type: u4 - - id: key - type: str - encoding: ascii - size: length - - id: permission - type: permission - repeat: expr - repeat-expr: elements_count - if: elements_count > 0 - - permission: # perm_read - seq: - - id: length - -orig-id: len - type: u4 # validity not verified - - id: value - type: u4 - - id: key - type: str - encoding: ASCII - size: length - - class: # class_read - seq: - - id: key_length - -orig-id: len - type: u4 - valid: - min: 1 - - id: common_key_length - -orig-id: len2 - type: u4 - - id: value - type: u4 - - id: primary_names_count - -orig-id: perm_nprim - type: u4 - valid: - max: 32 - - id: elements_count - -orig-id: nel - type: u4 - - id: constraints_count - -orig-id: ncons - type: u4 - - id: key - type: str - encoding: ASCII - size: key_length - - id: common_key - type: str - encoding: ASCII - size: common_key_length - if: common_key_length > 0 - - id: permission - type: permission - repeat: expr - repeat-expr: elements_count - - id: constraints - -orig-id: constraints - type: constraint - repeat: expr - repeat-expr: constraints_count - - - id: validatetrans_count - -orig-id: ncons # yes, same name - type: u4 - if: '(_root.type == policy_types::kernel and _root.version >= 19) or (_root.type == policy_types::base and _root.version >= 5)' - - id: validatetrans - -orig-id: validatetrans - type: constraint - repeat: expr - repeat-expr: validatetrans_count - if: '(_root.type == policy_types::kernel and _root.version >= 19) or (_root.type == policy_types::base and _root.version >= 5)' - - - id: default_user - type: u4 - if: '(_root.type == policy_types::kernel and _root.version >= 27) or (_root.type == policy_types::base and _root.version >= 15)' - - id: default_role - type: u4 - if: '(_root.type == policy_types::kernel and _root.version >= 27) or (_root.type == policy_types::base and _root.version >= 15)' - - 
id: default_range - type: u4 - if: '(_root.type == policy_types::kernel and _root.version >= 27) or (_root.type == policy_types::base and _root.version >= 15)' - - - id: default_type - type: u4 - if: '(_root.type == policy_types::kernel and _root.version >= 28) or (_root.type == policy_types::base and _root.version >= 16)' - - constraint: # read_cons_helper - seq: - - id: permissions - type: u4 - - id: expressions_count - -orig-id: nexpr - type: u4 - - id: expression - type: expression - repeat: expr - repeat-expr: expressions_count - if: expressions_count > 0 - - expression: - seq: - - id: type - type: u4 - enum: expression_types - - id: attribute - -orig-id: attr - type: u4 - - id: operator - -orig-id: op - type: u4 - - id: names - type: extensible_bitmap - if: 'type == expression_types::names' - - id: type_names - type: type_set - if: 'type == expression_types::names and ((_root.type == policy_types::kernel and _root.version >= 29) or (_root.type != policy_types::kernel))' - - mls_range: # mls_read_range_helper - seq: - - id: items - type: u4 - - id: sensitivity0 - -orig-id: level[0].sens - type: u4 - - id: sensitivity1 - -orig-id: level[1].sens - type: u4 - if: items > 1 - - id: category0 - -orig-id: level[0].cat - type: extensible_bitmap - - id: category1 - -orig-id: level[1].cat - type: extensible_bitmap - if: items > 1 - - context: # context_read_and_validate - seq: - - id: user - type: u4 - - id: role - type: u4 - - id: type - type: u4 - - id: mls_range - type: mls_range - if: '(_root.type == policy_types::kernel and _root.version >= 19) or (_root.type == policy_types::base and _root.version >= 5)' - - role: # role_read - seq: - - id: length - -orig-id: len - type: u4 - - id: value - type: u4 - - id: bounds - type: u4 - if: '_root.boundary_feature' - - id: key - type: str - encoding: ascii - size: length - - id: dominates - type: extensible_bitmap - - id: types_eb - type: extensible_bitmap - if: _root.type == policy_types::kernel - - id: types_ts - type: 
type_set - if: not (_root.type == policy_types::kernel) - - id: flavor - type: u4 - if: '(_root.type != policy_types::kernel and _root.version >= 13)' - - id: roles - type: extensible_bitmap - if: '(_root.type != policy_types::kernel and _root.version >= 13)' - - type: # type_read - seq: - # 3: kern <= 23 - # 4: kern >= 24 or !kern <= 7 or !kern == 9 - # 5: !kern == 8 or !kern >= 10 - - id: length - -orig-id: len - type: u4 - - id: value - type: u4 - - id: primary - type: u4 - if: '(_root.boundary_feature and (_root.type != policy_types::kernel and _root.version >= 10)) or not _root.boundary_feature' - - id: properties - type: u4 - if: '_root.boundary_feature' - - id: bounds - type: u4 - if: '_root.boundary_feature' - - id: flavor - type: u4 - if: 'not _root.boundary_feature and (_root.type != policy_types::kernel)' - - id: flags - type: u4 - if: 'not _root.boundary_feature and (_root.type != policy_types::kernel and _root.version >= 8)' - - id: types - type: extensible_bitmap - if: '_root.type != policy_types::kernel' - - id: key - type: str - encoding: ASCII - size: length - - type_set: - seq: - - id: types - type: extensible_bitmap - - id: negset - type: extensible_bitmap - - id: flag - type: u4 - - user: # user_read - seq: - - id: length - -orig-id: len - type: u4 - - id: value - type: u4 - - id: bounds - type: u4 - if: _root.boundary_feature - - id: key - type: str - encoding: ASCII - size: length - - id: roles_eb - type: extensible_bitmap - if: '_root.type == policy_types::kernel' - - id: roles_rs - type: role_set - if: '_root.type != policy_types::kernel' - - id: exp_range - type: mls_range - if: '(_root.type == policy_types::kernel and _root.version >= 19) or (_root.type == policy_types::module and _root.version >= 5 and _root.version < 6) or (_root.type == policy_types::base and _root.version >= 5 and _root.version < 6)' - - id: exp_dftlevel - type: mls_level - if: '(_root.type == policy_types::kernel and _root.version >= 19) or (_root.type == 
policy_types::module and _root.version >= 5 and _root.version < 6) or (_root.type == policy_types::base and _root.version >= 5 and _root.version < 6)' - - id: range - type: mls_semantic_range - if: '(_root.type == policy_types::module or _root.type == policy_types::base) and (_root.version >= 6)' - - id: dfltlevel - type: mls_semantic_range - if: '(_root.type == policy_types::module or _root.type == policy_types::base) and (_root.version >= 6)' - - role_set: # role_set_read - seq: - - id: roles - type: extensible_bitmap - - id: flags - type: u4 - - mls_level: # mls_read_level - seq: - - id: sensitivity - -orig-id: sens - type: u4 - - id: category - -orig-id: cat - type: extensible_bitmap - - mls_semantic_range: # mls_read_semantic_range_helper - seq: - - id: level0 - type: mls_semantic_level - - id: level1 - type: mls_semantic_level - - mls_semantic_level: # mls_read_semantic_level_helper - seq: - - id: sensitivity - -orig-id: sens - type: u4 - - id: count - -orig-id: ncat - type: u4 - - id: category - -orig-id: cat - type: semantic_category - repeat: expr - repeat-expr: count - if: count > 0 - - semantic_category: - seq: - - id: low - type: u4 - - id: high - type: u4 - - bool: # cond_read_bool - seq: - - id: value - type: u4 - - id: state - type: u4 - - id: length - -orig-id: len - type: u4 - - id: key - type: str - size: length - encoding: ascii - - id: flags - type: u4 - if: '(_root.type != policy_types::kernel and _root.version >= 14)' - - - level: # sens_read - seq: - - id: length - -orig-id: len - type: u4 - valid: - min: 1 - - id: isalias - type: u4 - - id: key - type: str - encoding: ascii - size: length - - id: level - type: mls_level - - cat: # cat_read - seq: - - id: length - -orig-id: len - type: u4 - valid: - min: 1 - - id: value - type: u4 - - id: isalias - type: u4 - - id: key - type: str - encoding: ascii - size: length - - access_vector_table: # avtab_read - seq: - - id: elements_count - -orig-id: nel - type: u4 - - id: access_vector_old - type: 
access_vector_old - repeat: expr - repeat-expr: elements_count - if: elements_count > 0 and _root.version < 20 - - id: access_vector - type: access_vector - repeat: expr - repeat-expr: elements_count - if: elements_count > 0 and _root.version >= 20 - - - access_vector_old: # avtab_read_item - seq: - - id: total - -orig-id: items2 - type: u4 - valid: - min: 5 - max: 8 - - id: source_type - type: u4 - - id: target_type - type: u4 - - id: target_class - type: u4 - - id: value - -orig-id: val - type: u4 - - id: data - type: u4 - repeat: expr - repeat-expr: 8 - - access_vector: # avtab_read_item - seq: - - id: source_type - type: u2 - - id: target_type - type: u2 - - id: target_class - type: u2 - - id: specified - type: u2 - - id: xperms_specified - type: u1 - if: '(specified & 0x700) != 0' - - id: xperms_drivers - type: u1 - if: '(specified & 0x700) != 0' - - id: xperms_perms - type: u4 - if: '(specified & 0x700) != 0' - repeat: expr - repeat-expr: 8 - - id: data - type: u4 - if: '(specified & 0x700) == 0' - - conditional_list: # cond_read_list - seq: - - id: length - -orig-id: len - type: u4 - - id: conditional_node - type: conditional_node - repeat: expr - repeat-expr: length - - conditional_node: # cond_read_node - seq: - - id: current_state - -orig-id: cur_state - type: u4 - - id: length - -orig-id: len - type: u4 - - id: conditional_node_item - type: conditional_node_item - repeat: expr - repeat-expr: length - - id: true_list - type: cond_av_list - if: _root.type == policy_types::kernel - - id: false_list - type: cond_av_list - if: _root.type == policy_types::kernel - - id: avtrue_list - type: avrule_list - if: _root.type != policy_types::kernel - - id: avfalse_list - type: avrule_list - if: _root.type != policy_types::kernel - - id: flags - type: u4 - if: '_root.type != policy_types::kernel and _root.version >= 14' - - conditional_node_item: - seq: - - id: expr_type - type: u4 - - id: boolean - type: u4 - - cond_av_list: # cond_read_av_list - seq: - - id: length 
- -orig-id: len - type: u4 - - id: access_vector_old - type: access_vector_old - repeat: expr - repeat-expr: length - if: length > 0 and _root.version < 20 - - id: access_vector - type: access_vector - repeat: expr - repeat-expr: length - if: length > 0 and _root.version >= 20 - - avrule_list: # avrule_read_list - seq: - - id: length - -orig-id: len - type: u4 - - id: avrule - type: avrule - repeat: expr - repeat-expr: length - if: length > 0 - - avrule: # avrule_read - seq: - - id: specified - type: u4 - - id: flags - type: u4 - - id: stypes - type: type_set - - id: ttypes - type: type_set - - id: length - -orig-id: len - type: u4 - - id: avrule_item - type: avrule_item - repeat: expr - repeat-expr: length - if: length > 0 - - id: avrule_specified - type: avrule_specified - if: '(specified & (0x0100 | 0x0200 | 0x0400 | 0x0800)) != 0' - - avrule_item: # avrule_read - seq: - - id: tclass - type: u4 - - id: data - type: u4 - - avrule_specified: - seq: - - id: xperms_specified - type: u1 - - id: xperms_driver - type: u1 - - id: elements_count - -orig-id: nel - type: u4 - - id: perms - type: u4 - repeat: expr - repeat-expr: elements_count - - role_trans: # role_trans_read - seq: - - id: elements_count - -orig-id: nel - type: u4 - - id: role_trans_item - type: role_trans_item - repeat: expr - repeat-expr: elements_count - if: elements_count > 0 - - role_trans_item: - seq: - - id: role - type: u4 - - id: type - type: u4 - - id: new_role - type: u4 - - id: tclass - type: u4 - if: '(_root.type == policy_types::kernel and _root.version >= 26)' - - role_allow: # role_allow_read - seq: - - id: elements_count - -orig-id: nel - type: u4 - - id: role_allow_item - type: role_allow_item - repeat: expr - repeat-expr: elements_count - if: elements_count > 0 - - role_allow_item: - seq: - - id: role - type: u4 - - id: new_role - type: u4 - - filename_trans: # filename_trans_read - seq: - - id: elements_count - -orig-id: nel - type: u4 - - id: item_32 - type: filename_trans_item_old - 
repeat: expr - repeat-expr: elements_count - if: '(elements_count > 0) and (_root.version < 33)' - - id: item_33 - type: filename_trans_item - repeat: expr - repeat-expr: elements_count - if: '(elements_count > 0) and (_root.version >= 33)' - - filename_trans_item_old: # filename_trans_read_one_compat - seq: - - id: length - -orig-id: len - type: u4 - - id: name - type: str - encoding: ascii - size: length - - id: stype - type: u4 - - id: ttype - type: u4 - - id: tclass - type: u4 - - id: otype - type: u4 - - - filename_trans_item: # filename_trans_read_one - seq: - - id: length - -orig-id: len - type: u4 - - id: name - type: str - encoding: ascii - size: length - - id: ttype - type: u4 - - id: tclass - type: u4 - - id: count - -orig-id: ndatum - type: u4 - valid: - min: 1 - - id: item - type: filename_trans_item_item - repeat: expr - repeat-expr: count - if: count > 0 - - filename_trans_item_item: - seq: - - id: stypes - type: extensible_bitmap - - id: otype - type: u4 - - avrule_block: # avrule_block_read - seq: - - id: count - -orig-id: num_blocks - type: u4 - - id: avrule_block_item - type: avrule_block_item - repeat: expr - repeat-expr: count - if: count > 0 - - avrule_block_item: - seq: - - id: num_decls - type: u4 - - id: curdecl - type: avrule_decl - repeat: expr - repeat-expr: num_decls - if: num_decls > 0 - - avrule_decl: # avrule_decl_read - seq: - - id: decl_id - type: u4 - - id: enabled - type: u4 - - id: cond_list - type: conditional_list - - id: avrules - type: avrule_list - - id: role_tr_rules - type: role_trans_rule - - id: role_allow_rules - type: role_allow_rule - - - id: filename_trans_rules - type: filename_trans_rule - if: _root.version >= 11 - - id: range_tr_rules - type: range_trans_rule - if: _root.version >= 6 - - id: required - type: scope_index - - id: declared - type: scope_index - - id: symbols - type: symbols - - role_trans_rule: # role_trans_rule_read - seq: - - id: elements_count - -orig-id: nel - type: u4 - - id: item - type: 
role_trans_rule_item - repeat: expr - repeat-expr: elements_count - if: elements_count > 0 - - role_trans_rule_item: - seq: - - id: roles - type: role_set - - id: types - type: role_set - - id: classes - type: extensible_bitmap - if: _root.version >= 12 - - id: new_role - type: u4 - - role_allow_rule: # role_allow_rule_read - seq: - - id: elements_count - -orig-id: nel - type: u4 - - id: role_allow_rule_item - type: common - repeat: expr - repeat-expr: elements_count - if: elements_count > 0 - - role_allow_rule_item: - seq: - - id: roles - type: role_set - - id: new_roles - type: role_set - - filename_trans_rule: # filename_trans_rule_read - seq: - - id: count - type: u4 - - id: item - type: filename_trans_rule_item - repeat: expr - repeat-expr: count - if: count > 0 - - filename_trans_rule_item: - seq: - - id: length - -orig-id: len - type: u4 - valid: - min: 1 - - id: name - type: str - encoding: ascii - size: length - - id: stypes - type: type_set - - id: ttypes - type: type_set - - id: tclass - type: u4 - - id: otype - type: u4 - - id: flags - type: u4 - if: _root.version >= 21 - - - range_trans_rule: # range_trans_rule_read - seq: - - id: count - -orig-id: nel - type: u4 - - id: item - type: range_trans_rule_item - repeat: expr - repeat-expr: count - if: count > 0 - - range_trans_rule_item: - seq: - - id: stypes - type: type_set - - id: ttypes - type: type_set - - id: tclasses - type: extensible_bitmap - - id: trange - type: mls_semantic_range - - scope_index: # scope_index_read - seq: - - id: scope - type: extensible_bitmap - repeat: expr - repeat-expr: _root.header.symbols_count - - id: class_perms_len - type: u4 - valid: - min: 0 - - id: class_perms_map - type: extensible_bitmap - repeat: expr - repeat-expr: class_perms_len - - scope_list: - seq: - - id: elements_count - -orig-id: nel - type: u4 - - id: scope - type: scope - repeat: expr - repeat-expr: elements_count - if: elements_count > 0 - - scope: # scope_read - seq: - - id: length - -orig-id: len - 
type: u4 - valid: - min: 1 - - id: key - type: str - encoding: ascii - size: length - - id: scope - type: u4 - - id: decl_ids_len - type: u4 - valid: - min: 1 - - id: decl_id - type: u4 - repeat: expr - repeat-expr: decl_ids_len - - ocontext_selinux: # ocontext_read_selinux - seq: - - id: initial_sids - type: initial_sids - if: '_root.header.object_contexts_count >= 1' - - id: filesystems - type: filesystems - if: '_root.header.object_contexts_count >= 2' - - id: ports - type: ports - if: '_root.header.object_contexts_count >= 3' - - id: network_interfaces - type: filesystems # same - if: '_root.header.object_contexts_count >= 4' - - id: nodes - type: nodes - if: '_root.header.object_contexts_count >= 5' - - id: fsuses - type: fsuses - if: '_root.header.object_contexts_count >= 6' - - id: nodes6 - type: nodes6 - if: '_root.header.object_contexts_count >= 7' - - id: ibpkeys - type: ibpkeys - if: '_root.header.object_contexts_count >= 8' - - id: ibpendports - type: ibpendports - if: '_root.header.object_contexts_count >= 9' - - initial_sids: - seq: - - id: elements_count - -orig-id: nel - type: u4 - - id: initial_sid - type: initial_sid - repeat: expr - repeat-expr: elements_count - if: elements_count > 0 - - initial_sid: - seq: - - id: sid0 - type: u4 - - id: context0 - type: context - - filesystems: - seq: - - id: elements_count - -orig-id: nel - type: u4 - - id: filesystem - type: filesystem - repeat: expr - repeat-expr: elements_count - if: elements_count > 0 - - filesystem: - seq: - - id: length - -orig-id: len - type: u4 - valid: - min: 1 - - id: key - type: str - encoding: ascii - size: length - - id: context0 - type: context - - id: context1 - type: context - - ports: - seq: - - id: elements_count - -orig-id: nel - type: u4 - - id: port - type: port - repeat: expr - repeat-expr: elements_count - if: elements_count > 0 - - port: - seq: - - id: protocol - type: u4 - - id: low_port - type: u4 - - id: high_port - type: u4 - - id: context - type: context - - 
nodes: - seq: - - id: elements_count - -orig-id: nel - type: u4 - - id: node - type: node - repeat: expr - repeat-expr: elements_count - if: elements_count > 0 - - node: - seq: - - id: addr - type: u4 - - id: mask - type: u4 - - id: context - type: context - - fsuses: - seq: - - id: elements_count - -orig-id: nel - type: u4 - - id: fsuse - type: fsuse - repeat: expr - repeat-expr: elements_count - if: elements_count > 0 - - fsuse: - seq: - - id: behavior - type: u4 - - id: length - -orig-id: len - type: u4 - valid: - min: 1 - - id: name - type: str - encoding: ascii - size: length - - id: context - type: context - - nodes6: - seq: - - id: elements_count - -orig-id: nel - type: u4 - - id: node6 - type: node6 - repeat: expr - repeat-expr: elements_count - if: elements_count > 0 - - node6: - seq: - - id: addr - type: u4 - repeat: expr - repeat-expr: 4 - - id: mask - type: u4 - repeat: expr - repeat-expr: 4 - - id: context - type: context - - ibpkeys: - seq: - - id: elements_count - -orig-id: nel - type: u4 - - id: ibpkey - type: ibpkey - repeat: expr - repeat-expr: elements_count - if: elements_count > 0 - - ibpkey: - seq: - - id: low_pkey - type: u4 - - id: high_pkey - type: u4 - - id: context - type: context - - ibpendports: - seq: - - id: elements_count - -orig-id: nel - type: u4 - - id: ibpendport - type: ibpendport - repeat: expr - repeat-expr: elements_count - if: elements_count > 0 - - ibpendport: - seq: - - id: length - -orig-id: len - type: u4 - valid: - min: 1 - - id: port - type: u4 - - id: dev_name - type: str - encoding: ascii - size: length - - id: context - type: context - - - ocontext_xen: # ocontext_read_xen - seq: - - id: xen_isids - type: xen_isids - if: '_root.header.object_contexts_count >= 1' - - id: xen_pirqs - type: xen_pirqs - if: '_root.header.object_contexts_count >= 2' - - id: xen_ioports - type: xen_ioports - if: '_root.header.object_contexts_count >= 3' - - id: xen_iomems - type: xen_iomems - if: '_root.header.object_contexts_count >= 4' 
- - id: xen_pcidevices - type: xen_pcidevices - if: '_root.header.object_contexts_count >= 5' - - id: xen_devicetrees - type: xen_devicetrees - if: '_root.header.object_contexts_count >= 6' - - xen_isids: - seq: - - id: elements_count - -orig-id: nel - type: u4 - - id: xen_isid - type: xen_isid - repeat: expr - repeat-expr: elements_count - if: elements_count > 0 - - xen_isid: - seq: - - id: sid0 - type: u4 - - id: context0 - type: context - - xen_pirqs: - seq: - - id: elements_count - -orig-id: nel - type: u4 - - id: xen_pirq - type: xen_pirq - repeat: expr - repeat-expr: elements_count - if: elements_count > 0 - - xen_pirq: - seq: - - id: pirq - type: u4 - - id: context0 - type: context - - xen_ioports: - seq: - - id: elements_count - -orig-id: nel - type: u4 - - id: xen_ioport - type: xen_ioport - repeat: expr - repeat-expr: elements_count - if: elements_count > 0 - - xen_ioport: - seq: - - id: low_port - type: u4 - - id: high_port - type: u4 - - id: context0 - type: context - - xen_iomems: - seq: - - id: elements_count - -orig-id: nel - type: u4 - - id: xen_iomem - type: xen_iomem - repeat: expr - repeat-expr: elements_count - if: elements_count > 0 - - xen_iomem: - seq: - - id: low_iomem64 - type: u8 - if: '_root.version >= 30' - - id: high_iomem64 - type: u8 - if: '_root.version >= 30' - - id: low_iomem32 - type: u4 - if: '_root.version < 30' - - id: high_iomem32 - type: u4 - if: '_root.version < 30' - - id: context0 - type: context - - xen_pcidevices: - seq: - - id: elements_count - -orig-id: nel - type: u4 - - id: xen_pcidevice - type: xen_pcidevice - repeat: expr - repeat-expr: elements_count - if: elements_count > 0 - - xen_pcidevice: - seq: - - id: device - type: u4 - - id: context0 - type: context - - - xen_devicetrees: - seq: - - id: elements_count - -orig-id: nel - type: u4 - - id: xen_devicetree - type: xen_devicetree - repeat: expr - repeat-expr: elements_count - if: elements_count > 0 - - xen_devicetree: - seq: - - id: length - -orig-id: len - 
type: u4 - valid: - min: 1 - - id: name - type: str - encoding: ascii - size: length - - id: context0 - type: context - - genfs: # genfs_read - seq: - - id: elements_count - -orig-id: nel - type: u4 - - id: items - type: genfs_item - repeat: expr - repeat-expr: elements_count - if: elements_count > 0 - - genfs_item: - seq: - - id: length - -orig-id: len - type: u4 - valid: - min: 1 - - id: fstype - type: str - encoding: ascii - size: length - - id: elements_count - -orig-id: nel2 - type: u4 - - id: items - type: genfs2_item - repeat: expr - repeat-expr: elements_count - if: elements_count > 0 - - genfs2_item: - seq: - - id: length - -orig-id: len - type: u4 - valid: - min: 1 - - id: name - type: str - encoding: ascii - size: length - - id: sclass - type: u4 - - id: context0 - type: context - - range: # range_read - seq: - - id: elements_count - -orig-id: nel - type: u4 - - id: items - type: range_item - repeat: expr - repeat-expr: elements_count - if: elements_count > 0 - - range_item: - seq: - - id: source_type - type: u4 - - id: target_type - type: u4 - - id: target_class - type: u4 - if: '_root.type == policy_types::kernel and _root.version >= 21' - - id: range_tr - type: mls_range - - -instances: - boundary_feature: # policydb_has_boundary_feature - value: '(_root.type == policy_types::kernel and _root.version >= 24) or (_root.type != policy_types::kernel and _root.version >= 9)' - version: - value: 'header.policyvers' - type: - value: 'header.magic == magics::kernel ? policy_types::kernel : (header.policy_type == policy_types::module ? policy_types::module : policy_types::base)' - target: - value: 'header.magic == magics::kernel and header.policydb_str == "XenFlask" ? targets::xen : targets::selinux' - mls: - value: 'header.config & 1' - -enums: - magics: - 0xf97cff8c: kernel - 0xf97cff8d: module - targets: - 0: selinux - 1: xen - policy_types: - 0: kernel - 1: base - 2: module - expression_types: - 1: not - 2: and - 3: or - 4: attr - 5: names 
diff --git a/security/selinux_policy_binary.ksy b/security/selinux_policy_binary.ksy
new file mode 100644
index 000000000..42512c0c6
--- /dev/null
+++ b/security/selinux_policy_binary.ksy
@@ -0,0 +1,1600 @@ +meta: + id: selinux_policy_binary + title: SELinux file policy binary + file-extension: bin + license: CC0-1.0 + encoding: ASCII + endian: le +doc-ref: + - https://github.com/SELinuxProject/selinux/blob/820f019ed9e3b9a9e3e62ae378f99282990976a2/libsepol/src/policydb.c + - https://github.com/SELinuxProject/selinux/blob/820f019ed9e3b9a9e3e62ae378f99282990976a2/libsepol/src/write.c +seq: + - id: header + type: header + +instances: + boundary_feature: # policydb_has_boundary_feature + value: '(_root.type == policy_types::kernel and _root.version >= 24) or (_root.type != policy_types::kernel and _root.version >= 9)' + version: + value: 'header.policyvers' + type: + value: 'header.magic == magics::kernel ? policy_types::kernel : (header.policy_type == policy_types::module ? policy_types::module : policy_types::base)' + target: + value: 'header.magic == magics::kernel and header.policydb_str == "XenFlask" ? targets::xen : targets::selinux' + mls: + value: 'header.config & 1' + +enums: + magics: + 0xf97c_ff8c: kernel + 0xf97c_ff8d: module + targets: + 0: selinux + 1: xen + policy_types: + 0: kernel + 1: base + 2: module + expression_types: + 1: not + 2: and + 3: or + 4: attr + 5: names + + +types: + header: # policydb_read + seq: + - id: magic + type: u4 + enum: magics + valid: + any-of: + - magics::kernel + - magics::module + - id: policydb_str_len + -orig-id: len + type: u4 + - id: policydb_str + type: str + encoding: ascii + size: policydb_str_len + valid: + expr: '(magic == magics::kernel and (_ == "SE Linux" or _ == "XenFlask")) or (magic == magics::module and _ == "SE Linux Module")' + - id: policy_type + type: u4 + enum: policy_types + if: 'magic == magics::module' + - id: policyvers + type: u4 + valid: + expr: '(magic == magics::kernel and 15 <= _ and _ <= 33) or (magic != magics::kernel and 4 <= _ and _ <= 21)' + - id: config + -orig-id: config + type: u4 + - id: symbols_count + -orig-id: sym_num + type: u4 + valid: + min: 5 + - id: 
object_contexts_count + -orig-id: ocon_num + type: u4 + valid: + min: 0 + max: 9 + - id: module_header + type: module_header + if: 'magic == magics::module' + - id: policycaps + type: extensible_bitmap + if: '(_root.type == policy_types::kernel and policyvers >= 22) or (policyvers >= 7)' + - id: permissive_map + type: extensible_bitmap + if: '(_root.type == policy_types::kernel and policyvers >= 23)' + - id: symbols + type: symbols + - id: access_vector_table + type: access_vector_table + if: '(_root.type == policy_types::kernel)' + - id: conditional_list + type: conditional_list + if: '_root.type == policy_types::kernel and policyvers >= 16' + - id: role_trans + type: role_trans + if: '_root.type == policy_types::kernel' + - id: role_allow + type: role_allow + if: '_root.type == policy_types::kernel' + - id: filename_trans + type: filename_trans + if: '_root.type == policy_types::kernel and policyvers >= 25' + - id: avrule_block + type: avrule_block + if: '_root.type != policy_types::kernel' + - id: scope_list + type: scope_list + repeat: expr + repeat-expr: _root.header.symbols_count + if: '_root.type != policy_types::kernel' + - id: ocontext_selinux + type: ocontext_selinux + if: '_root.target == targets::selinux' + - id: ocontext_xen + type: ocontext_xen + if: '_root.target == targets::xen' + - id: genfs + type: genfs + - id: range + type: range + if: '(_root.type == policy_types::kernel and policyvers >= 19) or (_root.type == policy_types::base and policyvers == 5)' + - id: type_attr_map + type: extensible_bitmap + repeat: expr + repeat-expr: symbols.types.primary_names_count + if: '_root.type == policy_types::kernel' + + + module_header: + seq: + - id: name_len + -orig-id: len + type: u4 + valid: + min: 1 + - id: name + type: str + encoding: ascii + size: name_len + - id: version_length + -orig-id: len # again + type: u4 + valid: + min: 1 + - id: version + type: str + encoding: ascii + size: version_length + + extensible_bitmap: # ebitmap_read + seq: + - id: 
mapsize + type: u4 + valid: 0x40 + - id: highbit + type: u4 + valid: + expr: 'highbit & 0x3F == 0' + - id: count + type: u4 + valid: + expr: 'not ((highbit > 0) and (_ == 0))' + - id: node + type: ebitmap_node + repeat: expr + repeat-expr: count + + ebitmap_node: + seq: + - id: startbit + type: u4 + - id: map + type: u8 + + symbols: + seq: + - id: commons + type: commons + - id: classes + type: classes + - id: roles + type: roles + - id: types + type: types + - id: users + type: users + # 5 symbols: all of them + - id: conditional_booleans + -orig-id: bools + type: bools + # 6 symbols: mod or base or kern[16-18] + if: '_root.header.symbols_count >= 6' + - id: security_levels + -orig-id: levels + type: levels + if: '_root.header.symbols_count >= 7' + - id: categories + -orig-id: cats + type: cats + # 8 symbols: mod or base or kern[19-] + if: '_root.header.symbols_count >= 8' + + commons: + seq: + - id: primary_names_count + -orig-id: nprim + type: u4 + - id: elements_count + -orig-id: nel + type: u4 + - id: common + type: common + repeat: expr + repeat-expr: elements_count + if: elements_count > 0 + + classes: + seq: + - id: primary_names_count + -orig-id: nprim + type: u4 + - id: elements_count + -orig-id: nel + type: u4 + - id: class + type: class + repeat: expr + repeat-expr: elements_count + if: elements_count > 0 + + roles: + seq: + - id: primary_names_count + -orig-id: nprim + type: u4 + - id: elements_count + -orig-id: nel + type: u4 + - id: role + type: role + repeat: expr + repeat-expr: elements_count + if: elements_count > 0 + + types: + seq: + - id: primary_names_count + -orig-id: nprim + type: u4 + - id: elements_count + -orig-id: nel + type: u4 + - id: type + type: type + repeat: expr + repeat-expr: elements_count + if: elements_count > 0 + + users: + seq: + - id: primary_names_count + -orig-id: nprim + type: u4 + - id: elements_count + -orig-id: nel + type: u4 + - id: user + type: user + repeat: expr + repeat-expr: elements_count + if: elements_count > 
0 + + bools: # cond_read_bools + seq: + - id: primary_names_count + -orig-id: nprim + type: u4 + - id: elements_count + -orig-id: nel + type: u4 + - id: bool + type: bool + repeat: expr + repeat-expr: elements_count + if: elements_count > 0 + + levels: # sens_read + seq: + - id: primary_names_count + -orig-id: nprim + type: u4 + - id: elements_count + -orig-id: nel + type: u4 + - id: level + type: level + repeat: expr + repeat-expr: elements_count + if: elements_count > 0 + + cats: # cat_read + seq: + - id: primary_names_count + -orig-id: nprim + type: u4 + - id: elements_count + -orig-id: nel + type: u4 + - id: cat + type: cat + repeat: expr + repeat-expr: elements_count + if: elements_count > 0 + + common: # common_read + seq: + - id: length + -orig-id: len + type: u4 + valid: + min: 1 + - id: value + type: u4 + - id: primary_names_count + -orig-id: nprim + type: u4 + valid: + max: 32 + - id: elements_count + -orig-id: nel + type: u4 + - id: key + type: str + encoding: ascii + size: length + - id: permission + type: permission + repeat: expr + repeat-expr: elements_count + if: elements_count > 0 + + permission: # perm_read + seq: + - id: length + -orig-id: len + type: u4 # validity not verified + - id: value + type: u4 + - id: key + type: str + encoding: ASCII + size: length + + class: # class_read + seq: + - id: key_length + -orig-id: len + type: u4 + valid: + min: 1 + - id: common_key_length + -orig-id: len2 + type: u4 + - id: value + type: u4 + - id: primary_names_count + -orig-id: perm_nprim + type: u4 + valid: + max: 32 + - id: elements_count + -orig-id: nel + type: u4 + - id: constraints_count + -orig-id: ncons + type: u4 + - id: key + type: str + encoding: ASCII + size: key_length + - id: common_key + type: str + encoding: ASCII + size: common_key_length + if: common_key_length > 0 + - id: permission + type: permission + repeat: expr + repeat-expr: elements_count + - id: constraints + -orig-id: constraints + type: constraint + repeat: expr + repeat-expr: 
constraints_count + + - id: validatetrans_count + -orig-id: ncons # yes, same name + type: u4 + if: '(_root.type == policy_types::kernel and _root.version >= 19) or (_root.type == policy_types::base and _root.version >= 5)' + - id: validatetrans + -orig-id: validatetrans + type: constraint + repeat: expr + repeat-expr: validatetrans_count + if: '(_root.type == policy_types::kernel and _root.version >= 19) or (_root.type == policy_types::base and _root.version >= 5)' + + - id: default_user + type: u4 + if: '(_root.type == policy_types::kernel and _root.version >= 27) or (_root.type == policy_types::base and _root.version >= 15)' + - id: default_role + type: u4 + if: '(_root.type == policy_types::kernel and _root.version >= 27) or (_root.type == policy_types::base and _root.version >= 15)' + - id: default_range + type: u4 + if: '(_root.type == policy_types::kernel and _root.version >= 27) or (_root.type == policy_types::base and _root.version >= 15)' + + - id: default_type + type: u4 + if: '(_root.type == policy_types::kernel and _root.version >= 28) or (_root.type == policy_types::base and _root.version >= 16)' + + constraint: # read_cons_helper + seq: + - id: permissions + type: u4 + - id: expressions_count + -orig-id: nexpr + type: u4 + - id: expression + type: expression + repeat: expr + repeat-expr: expressions_count + if: expressions_count > 0 + + expression: + seq: + - id: type + type: u4 + enum: expression_types + - id: attribute + -orig-id: attr + type: u4 + - id: operator + -orig-id: op + type: u4 + - id: names + type: extensible_bitmap + if: 'type == expression_types::names' + - id: type_names + type: type_set + if: 'type == expression_types::names and ((_root.type == policy_types::kernel and _root.version >= 29) or (_root.type != policy_types::kernel))' + + mls_range: # mls_read_range_helper + seq: + - id: items + type: u4 + - id: sensitivity0 + -orig-id: level[0].sens + type: u4 + - id: sensitivity1 + -orig-id: level[1].sens + type: u4 + if: items > 1 + 
- id: category0 + -orig-id: level[0].cat + type: extensible_bitmap + - id: category1 + -orig-id: level[1].cat + type: extensible_bitmap + if: items > 1 + + context: # context_read_and_validate + seq: + - id: user + type: u4 + - id: role + type: u4 + - id: type + type: u4 + - id: mls_range + type: mls_range + if: '(_root.type == policy_types::kernel and _root.version >= 19) or (_root.type == policy_types::base and _root.version >= 5)' + + role: # role_read + seq: + - id: length + -orig-id: len + type: u4 + - id: value + type: u4 + - id: bounds + type: u4 + if: '_root.boundary_feature' + - id: key + type: str + encoding: ascii + size: length + - id: dominates + type: extensible_bitmap + - id: types_eb + type: extensible_bitmap + if: _root.type == policy_types::kernel + - id: types_ts + type: type_set + if: not (_root.type == policy_types::kernel) + - id: flavor + type: u4 + if: '(_root.type != policy_types::kernel and _root.version >= 13)' + - id: roles + type: extensible_bitmap + if: '(_root.type != policy_types::kernel and _root.version >= 13)' + + type: # type_read + seq: + # 3: kern <= 23 + # 4: kern >= 24 or !kern <= 7 or !kern == 9 + # 5: !kern == 8 or !kern >= 10 + - id: length + -orig-id: len + type: u4 + - id: value + type: u4 + - id: primary + type: u4 + if: '(_root.boundary_feature and (_root.type != policy_types::kernel and _root.version >= 10)) or not _root.boundary_feature' + - id: properties + type: u4 + if: '_root.boundary_feature' + - id: bounds + type: u4 + if: '_root.boundary_feature' + - id: flavor + type: u4 + if: 'not _root.boundary_feature and (_root.type != policy_types::kernel)' + - id: flags + type: u4 + if: 'not _root.boundary_feature and (_root.type != policy_types::kernel and _root.version >= 8)' + - id: types + type: extensible_bitmap + if: '_root.type != policy_types::kernel' + - id: key + type: str + encoding: ASCII + size: length + + type_set: + seq: + - id: types + type: extensible_bitmap + - id: negset + type: extensible_bitmap + - 
id: flag + type: u4 + + user: # user_read + seq: + - id: length + -orig-id: len + type: u4 + - id: value + type: u4 + - id: bounds + type: u4 + if: _root.boundary_feature + - id: key + type: str + encoding: ASCII + size: length + - id: roles_eb + type: extensible_bitmap + if: '_root.type == policy_types::kernel' + - id: roles_rs + type: role_set + if: '_root.type != policy_types::kernel' + - id: exp_range + type: mls_range + if: '(_root.type == policy_types::kernel and _root.version >= 19) or (_root.type == policy_types::module and _root.version >= 5 and _root.version < 6) or (_root.type == policy_types::base and _root.version >= 5 and _root.version < 6)' + - id: exp_dftlevel + type: mls_level + if: '(_root.type == policy_types::kernel and _root.version >= 19) or (_root.type == policy_types::module and _root.version >= 5 and _root.version < 6) or (_root.type == policy_types::base and _root.version >= 5 and _root.version < 6)' + - id: range + type: mls_semantic_range + if: '(_root.type == policy_types::module or _root.type == policy_types::base) and (_root.version >= 6)' + - id: dfltlevel + type: mls_semantic_range + if: '(_root.type == policy_types::module or _root.type == policy_types::base) and (_root.version >= 6)' + + role_set: # role_set_read + seq: + - id: roles + type: extensible_bitmap + - id: flags + type: u4 + + mls_level: # mls_read_level + seq: + - id: sensitivity + -orig-id: sens + type: u4 + - id: category + -orig-id: cat + type: extensible_bitmap + + mls_semantic_range: # mls_read_semantic_range_helper + seq: + - id: level0 + type: mls_semantic_level + - id: level1 + type: mls_semantic_level + + mls_semantic_level: # mls_read_semantic_level_helper + seq: + - id: sensitivity + -orig-id: sens + type: u4 + - id: count + -orig-id: ncat + type: u4 + - id: category + -orig-id: cat + type: semantic_category + repeat: expr + repeat-expr: count + + semantic_category: + seq: + - id: low + type: u4 + - id: high + type: u4 + + bool: # cond_read_bool + seq: + - 
id: value + type: u4 + - id: state + type: u4 + - id: length + -orig-id: len + type: u4 + - id: key + type: str + size: length + encoding: ascii + - id: flags + type: u4 + if: '(_root.type != policy_types::kernel and _root.version >= 14)' + + + level: # sens_read + seq: + - id: length + -orig-id: len + type: u4 + valid: + min: 1 + - id: isalias + type: u4 + - id: key + type: str + encoding: ascii + size: length + - id: level + type: mls_level + + cat: # cat_read + seq: + - id: length + -orig-id: len + type: u4 + valid: + min: 1 + - id: value + type: u4 + - id: isalias + type: u4 + - id: key + type: str + encoding: ascii + size: length + + access_vector_table: # avtab_read + seq: + - id: elements_count + -orig-id: nel + type: u4 + - id: access_vector_old + type: access_vector_old + repeat: expr + repeat-expr: elements_count + if: elements_count > 0 and _root.version < 20 + - id: access_vector + type: access_vector + repeat: expr + repeat-expr: elements_count + if: elements_count > 0 and _root.version >= 20 + + + access_vector_old: # avtab_read_item + seq: + - id: total + -orig-id: items2 + type: u4 + valid: + min: 5 + max: 8 + - id: source_type + type: u4 + - id: target_type + type: u4 + - id: target_class + type: u4 + - id: value + -orig-id: val + type: u4 + - id: data + type: u4 + repeat: expr + repeat-expr: 8 + + access_vector: # avtab_read_item + seq: + - id: source_type + type: u2 + - id: target_type + type: u2 + - id: target_class + type: u2 + - id: specified + type: u2 + - id: xperms_specified + type: u1 + if: '(specified & 0x700) != 0' + - id: xperms_drivers + type: u1 + if: '(specified & 0x700) != 0' + - id: xperms_perms + type: u4 + if: '(specified & 0x700) != 0' + repeat: expr + repeat-expr: 8 + - id: data + type: u4 + if: '(specified & 0x700) == 0' + + conditional_list: # cond_read_list + seq: + - id: length + -orig-id: len + type: u4 + - id: conditional_node + type: conditional_node + repeat: expr + repeat-expr: length + + conditional_node: # 
cond_read_node + seq: + - id: current_state + -orig-id: cur_state + type: u4 + - id: length + -orig-id: len + type: u4 + - id: conditional_node_item + type: conditional_node_item + repeat: expr + repeat-expr: length + - id: true_list + type: cond_av_list + if: _root.type == policy_types::kernel + - id: false_list + type: cond_av_list + if: _root.type == policy_types::kernel + - id: avtrue_list + type: avrule_list + if: _root.type != policy_types::kernel + - id: avfalse_list + type: avrule_list + if: _root.type != policy_types::kernel + - id: flags + type: u4 + if: '_root.type != policy_types::kernel and _root.version >= 14' + + conditional_node_item: + seq: + - id: expr_type + type: u4 + - id: boolean + type: u4 + + cond_av_list: # cond_read_av_list + seq: + - id: length + -orig-id: len + type: u4 + - id: access_vector_old + type: access_vector_old + repeat: expr + repeat-expr: length + if: length > 0 and _root.version < 20 + - id: access_vector + type: access_vector + repeat: expr + repeat-expr: length + if: length > 0 and _root.version >= 20 + + avrule_list: # avrule_read_list + seq: + - id: length + -orig-id: len + type: u4 + - id: avrule + type: avrule + repeat: expr + repeat-expr: length + if: length > 0 + + avrule: # avrule_read + seq: + - id: specified + type: u4 + - id: flags + type: u4 + - id: stypes + type: type_set + - id: ttypes + type: type_set + - id: length + -orig-id: len + type: u4 + - id: avrule_item + type: avrule_item + repeat: expr + repeat-expr: length + if: length > 0 + - id: avrule_specified + type: avrule_specified + if: '(specified & (0x0100 | 0x0200 | 0x0400 | 0x0800)) != 0' + + avrule_item: # avrule_read + seq: + - id: tclass + type: u4 + - id: data + type: u4 + + avrule_specified: + seq: + - id: xperms_specified + type: u1 + - id: xperms_driver + type: u1 + - id: elements_count + -orig-id: nel + type: u4 + - id: perms + type: u4 + repeat: expr + repeat-expr: elements_count + + role_trans: # role_trans_read + seq: + - id: elements_count 
+ -orig-id: nel + type: u4 + - id: role_trans_item + type: role_trans_item + repeat: expr + repeat-expr: elements_count + if: elements_count > 0 + + role_trans_item: + seq: + - id: role + type: u4 + - id: type + type: u4 + - id: new_role + type: u4 + - id: tclass + type: u4 + if: '(_root.type == policy_types::kernel and _root.version >= 26)' + + role_allow: # role_allow_read + seq: + - id: elements_count + -orig-id: nel + type: u4 + - id: role_allow_item + type: role_allow_item + repeat: expr + repeat-expr: elements_count + if: elements_count > 0 + + role_allow_item: + seq: + - id: role + type: u4 + - id: new_role + type: u4 + + filename_trans: # filename_trans_read + seq: + - id: elements_count + -orig-id: nel + type: u4 + - id: item_32 + type: filename_trans_item_old + repeat: expr + repeat-expr: elements_count + if: '(elements_count > 0) and (_root.version < 33)' + - id: item_33 + type: filename_trans_item + repeat: expr + repeat-expr: elements_count + if: '(elements_count > 0) and (_root.version >= 33)' + + filename_trans_item_old: # filename_trans_read_one_compat + seq: + - id: length + -orig-id: len + type: u4 + - id: name + type: str + encoding: ascii + size: length + - id: stype + type: u4 + - id: ttype + type: u4 + - id: tclass + type: u4 + - id: otype + type: u4 + + + filename_trans_item: # filename_trans_read_one + seq: + - id: length + -orig-id: len + type: u4 + - id: name + type: str + encoding: ascii + size: length + - id: ttype + type: u4 + - id: tclass + type: u4 + - id: count + -orig-id: ndatum + type: u4 + valid: + min: 1 + - id: item + type: filename_trans_item_item + repeat: expr + repeat-expr: count + + filename_trans_item_item: + seq: + - id: stypes + type: extensible_bitmap + - id: otype + type: u4 + + avrule_block: # avrule_block_read + seq: + - id: count + -orig-id: num_blocks + type: u4 + - id: avrule_block_item + type: avrule_block_item + repeat: expr + repeat-expr: count + + avrule_block_item: + seq: + - id: num_decls + type: u4 + - id: 
curdecl + type: avrule_decl + repeat: expr + repeat-expr: num_decls + if: num_decls > 0 + + avrule_decl: # avrule_decl_read + seq: + - id: decl_id + type: u4 + - id: enabled + type: u4 + - id: cond_list + type: conditional_list + - id: avrules + type: avrule_list + - id: role_tr_rules + type: role_trans_rule + - id: role_allow_rules + type: role_allow_rule + + - id: filename_trans_rules + type: filename_trans_rule + if: _root.version >= 11 + - id: range_tr_rules + type: range_trans_rule + if: _root.version >= 6 + - id: required + type: scope_index + - id: declared + type: scope_index + - id: symbols + type: symbols + + role_trans_rule: # role_trans_rule_read + seq: + - id: elements_count + -orig-id: nel + type: u4 + - id: item + type: role_trans_rule_item + repeat: expr + repeat-expr: elements_count + if: elements_count > 0 + + role_trans_rule_item: + seq: + - id: roles + type: role_set + - id: types + type: role_set + - id: classes + type: extensible_bitmap + if: _root.version >= 12 + - id: new_role + type: u4 + + role_allow_rule: # role_allow_rule_read + seq: + - id: elements_count + -orig-id: nel + type: u4 + - id: role_allow_rule_item + type: common + repeat: expr + repeat-expr: elements_count + if: elements_count > 0 + + role_allow_rule_item: + seq: + - id: roles + type: role_set + - id: new_roles + type: role_set + + filename_trans_rule: # filename_trans_rule_read + seq: + - id: count + type: u4 + - id: item + type: filename_trans_rule_item + repeat: expr + repeat-expr: count + + filename_trans_rule_item: + seq: + - id: length + -orig-id: len + type: u4 + valid: + min: 1 + - id: name + type: str + encoding: ascii + size: length + - id: stypes + type: type_set + - id: ttypes + type: type_set + - id: tclass + type: u4 + - id: otype + type: u4 + - id: flags + type: u4 + if: _root.version >= 21 + + + range_trans_rule: # range_trans_rule_read + seq: + - id: count + -orig-id: nel + type: u4 + - id: item + type: range_trans_rule_item + repeat: expr + repeat-expr: 
count + + range_trans_rule_item: + seq: + - id: stypes + type: type_set + - id: ttypes + type: type_set + - id: tclasses + type: extensible_bitmap + - id: trange + type: mls_semantic_range + + scope_index: # scope_index_read + seq: + - id: scope + type: extensible_bitmap + repeat: expr + repeat-expr: _root.header.symbols_count + - id: class_perms_len + type: u4 + valid: + min: 0 + - id: class_perms_map + type: extensible_bitmap + repeat: expr + repeat-expr: class_perms_len + + scope_list: + seq: + - id: elements_count + -orig-id: nel + type: u4 + - id: scope + type: scope + repeat: expr + repeat-expr: elements_count + if: elements_count > 0 + + scope: # scope_read + seq: + - id: length + -orig-id: len + type: u4 + valid: + min: 1 + - id: key + type: str + encoding: ascii + size: length + - id: scope + type: u4 + - id: decl_ids_len + type: u4 + valid: + min: 1 + - id: decl_id + type: u4 + repeat: expr + repeat-expr: decl_ids_len + + ocontext_selinux: # ocontext_read_selinux + seq: + - id: initial_sids + type: initial_sids + if: '_root.header.object_contexts_count >= 1' + - id: filesystems + type: filesystems + if: '_root.header.object_contexts_count >= 2' + - id: ports + type: ports + if: '_root.header.object_contexts_count >= 3' + - id: network_interfaces + type: filesystems # same + if: '_root.header.object_contexts_count >= 4' + - id: nodes + type: nodes + if: '_root.header.object_contexts_count >= 5' + - id: fsuses + type: fsuses + if: '_root.header.object_contexts_count >= 6' + - id: nodes6 + type: nodes6 + if: '_root.header.object_contexts_count >= 7' + - id: ibpkeys + type: ibpkeys + if: '_root.header.object_contexts_count >= 8' + - id: ibpendports + type: ibpendports + if: '_root.header.object_contexts_count >= 9' + + initial_sids: + seq: + - id: elements_count + -orig-id: nel + type: u4 + - id: initial_sid + type: initial_sid + repeat: expr + repeat-expr: elements_count + if: elements_count > 0 + + initial_sid: + seq: + - id: sid0 + type: u4 + - id: 
context0 + type: context + + filesystems: + seq: + - id: elements_count + -orig-id: nel + type: u4 + - id: filesystem + type: filesystem + repeat: expr + repeat-expr: elements_count + if: elements_count > 0 + + filesystem: + seq: + - id: length + -orig-id: len + type: u4 + valid: + min: 1 + - id: key + type: str + encoding: ascii + size: length + - id: context0 + type: context + - id: context1 + type: context + + ports: + seq: + - id: elements_count + -orig-id: nel + type: u4 + - id: port + type: port + repeat: expr + repeat-expr: elements_count + if: elements_count > 0 + + port: + seq: + - id: protocol + type: u4 + - id: low_port + type: u4 + - id: high_port + type: u4 + - id: context + type: context + + nodes: + seq: + - id: elements_count + -orig-id: nel + type: u4 + - id: node + type: node + repeat: expr + repeat-expr: elements_count + if: elements_count > 0 + + node: + seq: + - id: addr + type: u4 + - id: mask + type: u4 + - id: context + type: context + + fsuses: + seq: + - id: elements_count + -orig-id: nel + type: u4 + - id: fsuse + type: fsuse + repeat: expr + repeat-expr: elements_count + if: elements_count > 0 + + fsuse: + seq: + - id: behavior + type: u4 + - id: length + -orig-id: len + type: u4 + valid: + min: 1 + - id: name + type: str + encoding: ascii + size: length + - id: context + type: context + + nodes6: + seq: + - id: elements_count + -orig-id: nel + type: u4 + - id: node6 + type: node6 + repeat: expr + repeat-expr: elements_count + if: elements_count > 0 + + node6: + seq: + - id: addr + type: u4 + repeat: expr + repeat-expr: 4 + - id: mask + type: u4 + repeat: expr + repeat-expr: 4 + - id: context + type: context + + ibpkeys: + seq: + - id: elements_count + -orig-id: nel + type: u4 + - id: ibpkey + type: ibpkey + repeat: expr + repeat-expr: elements_count + if: elements_count > 0 + + ibpkey: + seq: + - id: low_pkey + type: u4 + - id: high_pkey + type: u4 + - id: context + type: context + + ibpendports: + seq: + - id: elements_count + 
-orig-id: nel + type: u4 + - id: ibpendport + type: ibpendport + repeat: expr + repeat-expr: elements_count + if: elements_count > 0 + + ibpendport: + seq: + - id: length + -orig-id: len + type: u4 + valid: + min: 1 + - id: port + type: u4 + - id: dev_name + type: str + encoding: ascii + size: length + - id: context + type: context + + + ocontext_xen: # ocontext_read_xen + seq: + - id: xen_isids + type: xen_isids + if: '_root.header.object_contexts_count >= 1' + - id: xen_pirqs + type: xen_pirqs + if: '_root.header.object_contexts_count >= 2' + - id: xen_ioports + type: xen_ioports + if: '_root.header.object_contexts_count >= 3' + - id: xen_iomems + type: xen_iomems + if: '_root.header.object_contexts_count >= 4' + - id: xen_pcidevices + type: xen_pcidevices + if: '_root.header.object_contexts_count >= 5' + - id: xen_devicetrees + type: xen_devicetrees + if: '_root.header.object_contexts_count >= 6' + + xen_isids: + seq: + - id: elements_count + -orig-id: nel + type: u4 + - id: xen_isid + type: xen_isid + repeat: expr + repeat-expr: elements_count + if: elements_count > 0 + + xen_isid: + seq: + - id: sid0 + type: u4 + - id: context0 + type: context + + xen_pirqs: + seq: + - id: elements_count + -orig-id: nel + type: u4 + - id: xen_pirq + type: xen_pirq + repeat: expr + repeat-expr: elements_count + if: elements_count > 0 + + xen_pirq: + seq: + - id: pirq + type: u4 + - id: context0 + type: context + + xen_ioports: + seq: + - id: elements_count + -orig-id: nel + type: u4 + - id: xen_ioport + type: xen_ioport + repeat: expr + repeat-expr: elements_count + if: elements_count > 0 + + xen_ioport: + seq: + - id: low_port + type: u4 + - id: high_port + type: u4 + - id: context0 + type: context + + xen_iomems: + seq: + - id: elements_count + -orig-id: nel + type: u4 + - id: xen_iomem + type: xen_iomem + repeat: expr + repeat-expr: elements_count + if: elements_count > 0 + + xen_iomem: + seq: + - id: low_iomem64 + type: u8 + if: '_root.version >= 30' + - id: high_iomem64 + 
type: u8 + if: '_root.version >= 30' + - id: low_iomem32 + type: u4 + if: '_root.version < 30' + - id: high_iomem32 + type: u4 + if: '_root.version < 30' + - id: context0 + type: context + + xen_pcidevices: + seq: + - id: elements_count + -orig-id: nel + type: u4 + - id: xen_pcidevice + type: xen_pcidevice + repeat: expr + repeat-expr: elements_count + if: elements_count > 0 + + xen_pcidevice: + seq: + - id: device + type: u4 + - id: context0 + type: context + + + xen_devicetrees: + seq: + - id: elements_count + -orig-id: nel + type: u4 + - id: xen_devicetree + type: xen_devicetree + repeat: expr + repeat-expr: elements_count + if: elements_count > 0 + + xen_devicetree: + seq: + - id: length + -orig-id: len + type: u4 + valid: + min: 1 + - id: name + type: str + encoding: ascii + size: length + - id: context0 + type: context + + genfs: # genfs_read + seq: + - id: elements_count + -orig-id: nel + type: u4 + - id: items + type: genfs_item + repeat: expr + repeat-expr: elements_count + if: elements_count > 0 + + genfs_item: + seq: + - id: length + -orig-id: len + type: u4 + valid: + min: 1 + - id: fstype + type: str + encoding: ascii + size: length + - id: elements_count + -orig-id: nel2 + type: u4 + - id: items + type: genfs2_item + repeat: expr + repeat-expr: elements_count + if: elements_count > 0 + + genfs2_item: + seq: + - id: length + -orig-id: len + type: u4 + valid: + min: 1 + - id: name + type: str + encoding: ascii + size: length + - id: sclass + type: u4 + - id: context0 + type: context + + range: # range_read + seq: + - id: elements_count + -orig-id: nel + type: u4 + - id: items + type: range_item + repeat: expr + repeat-expr: elements_count + if: elements_count > 0 + + range_item: + seq: + - id: source_type + type: u4 + - id: target_type + type: u4 + - id: target_class + type: u4 + if: '_root.type == policy_types::kernel and _root.version >= 21' + - id: range_tr + type: mls_range 
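Review bot: The policycaps guard in `header` reads `if: '(_root.type == policy_types::kernel and policyvers >= 22) or (policyvers >= 7)'`, and the second disjunct is not restricted to module/base policies, so a kernel policy of version 15–21 satisfies it too and an extensible_bitmap is parsed where the first disjunct says none exists, desynchronising every field that follows. The intended condition is presumably `if: '(_root.type == policy_types::kernel and policyvers >= 22) or (_root.type != policy_types::kernel and policyvers >= 7)'`. Separately, `access_vector_old` validates `total` (items2) to 5..8 but then reads `data` with `repeat-expr: 8`; if items2 counts the u32 words of the whole entry, as its name, the 5..8 range and libsepol's avtab_read_item suggest, the four key words already consumed leave only `total - 4` data words, so it should be `repeat-expr: total - 4` (this also affects `cond_av_list`, which reuses the type). Finally `symbols_count` carries only `valid: min: 5` yet drives `repeat-expr: _root.header.symbols_count` in `scope_list` and `scope_index`; adding `max: 8` (the number of symbol tables the spec knows) stops a crafted header from forcing an unbounded run of ebitmap reads.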
diff --git a/security/selinuxpp.ksy b/security/selinux_policy_package.ksy similarity index 62% rename from security/selinuxpp.ksy rename to security/selinux_policy_package.ksy index 47b3077b5..e32929f32 100644 --- a/security/selinuxpp.ksy +++ b/security/selinux_policy_package.ksy @@ -1,12 +1,11 @@ meta: - id: selinux - title: SELinux file policy package binary + id: selinux_policy_package + title: SELinux policy package file-extension: pp license: CC0-1.0 encoding: ASCII endian: le -doc-ref: | - https://github.com/SELinuxProject/selinux/blob/master/libsepol/src/module.c +doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019ed9e3b9a9e3e62ae378f99282990976a2/libsepol/src/module.c seq: - id: magic contents: [0x8f, 0xff, 0x7c, 0xf9] @@ -28,15 +27,17 @@ types: type: u4 instances: section_magic: - type: u4 - enum: section_magics io: _root._io pos: offset + type: u4 + enum: section_magics enums: section_magics: - 0xf97cff90: file_context # -orig-id: fc - 0xf97cff8d: module - 0x097cff91: user - 0x097cff92: user_extra - 0x097cff93: netfilter + 0xf97c_ff90: + id: file_context + -orig-id: fc + 0xf97c_ff8d: module + 0x097c_ff91: user + 0x097c_ff92: user_extra + 0x097c_ff93: netfilter From 01c877c4b75f878cd7c7299a1ac08bdd209d665e Mon Sep 17 00:00:00 2001 From: Ange Date: Fri, 14 Jul 2023 11:17:56 +0200 Subject: [PATCH 3/5] added doc-refs, removed null count checks --- security/selinux_policy_binary.ksy | 171 ++++++++++++++++------------- 1 file changed, 93 insertions(+), 78 deletions(-) diff --git a/security/selinux_policy_binary.ksy b/security/selinux_policy_binary.ksy index 42512c0c6..aa9b99335 100644 --- a/security/selinux_policy_binary.ksy +++ b/security/selinux_policy_binary.ksy @@ -44,7 +44,8 @@ enums: types: - header: # policydb_read + header: + doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L4225 policydb_read seq: - id: magic type: u4 
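Review bot: The section_magics enum in selinux_policy_package.ksy mixes a 0xf9 high byte (`0xf97c_ff90` file_context, `0xf97c_ff8d` module) with a 0x09 high byte (`0x097c_ff91` user, `0x097c_ff92` user_extra, `0x097c_ff93` netfilter), which reads like a typo and invites a future "fix". As far as I recall this matches libsepol's SEPOL_PACKAGE_SECTION_SEUSER/USER_EXTRA/NETFILTER constants (0x97cff91..93), so the values are correct but deserve a comment such as `# 0x09…, not 0xf9…: matches libsepol module.h, the odd high byte is part of the on-disk format` next to the enum. The `section_magic` instance also seeks with `pos: offset` taken straight from the file; a one-line `doc` noting that the offset is unvalidated and that the generated parser raises on an out-of-range value would help readers who feed untrusted packages to it.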
@@ -157,7 +158,8 @@ types: encoding: ascii size: version_length - extensible_bitmap: # ebitmap_read + extensible_bitmap: + doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/ebitmap.c#L539 ebitmap_read seq: - id: mapsize type: u4 @@ -222,7 +224,6 @@ types: type: common repeat: expr repeat-expr: elements_count - if: elements_count > 0 classes: seq: @@ -236,7 +237,6 @@ types: type: class repeat: expr repeat-expr: elements_count - if: elements_count > 0 roles: seq: @@ -250,7 +250,6 @@ types: type: role repeat: expr repeat-expr: elements_count - if: elements_count > 0 types: seq: @@ -264,7 +263,6 @@ types: type: type repeat: expr repeat-expr: elements_count - if: elements_count > 0 users: seq: @@ -278,9 +276,9 @@ types: type: user repeat: expr repeat-expr: elements_count - if: elements_count > 0 - bools: # cond_read_bools + bools: + doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/conditional.c#L567 cond_read_bool seq: - id: primary_names_count -orig-id: nprim @@ -292,9 +290,9 @@ types: type: bool repeat: expr repeat-expr: elements_count - if: elements_count > 0 - levels: # sens_read + levels: + doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L3414 sens_read seq: - id: primary_names_count -orig-id: nprim @@ -306,9 +304,9 @@ types: type: level repeat: expr repeat-expr: elements_count - if: elements_count > 0 - cats: # cat_read + cats: + doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L3460 cat_read seq: - id: primary_names_count -orig-id: nprim @@ -320,9 +318,9 @@ types: type: cat repeat: expr repeat-expr: elements_count - if: elements_count > 0 - common: # common_read + common: + doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L2093 common_read seq: - id: length -orig-id: len 
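Review bot: The new doc-refs on the container types `bools`, `levels` and `cats` point at the per-element readers (`conditional.c#L567 cond_read_bool`, `policydb.c#L3414 sens_read`, `policydb.c#L3460 cat_read`), the same functions the element types `bool`, `level` and `cat` reference elsewhere in this commit. What these containers actually parse is the `nprim`/`nel` pair plus the repeat, which as far as I can tell is read by the symtab loop in policydb_read, not by those functions, so the references mislead about where the two counts come from. I would point the three containers at the policydb_read loop instead, e.g. `doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c policydb_read (symtab loop)`, and keep the element-reader refs on the element types only.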
@@ -347,13 +345,13 @@ types: type: permission repeat: expr repeat-expr: elements_count - if: elements_count > 0 - permission: # perm_read + permission: + doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L2057 perm_read seq: - id: length -orig-id: len - type: u4 # validity not verified + type: u4 - id: value type: u4 - id: key @@ -361,7 +359,8 @@ types: encoding: ASCII size: length - class: # class_read + class: + doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L2241 class_read seq: - id: key_length -orig-id: len @@ -459,7 +458,8 @@ types: type: type_set if: 'type == expression_types::names and ((_root.type == policy_types::kernel and _root.version >= 29) or (_root.type != policy_types::kernel))' - mls_range: # mls_read_range_helper + mls_range: + doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L1850 mls_read_range_helper seq: - id: items type: u4 @@ -478,7 +478,8 @@ types: type: extensible_bitmap if: items > 1 - context: # context_read_and_validate + context: + doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#2018 context_read_and_validate seq: - id: user type: u4 @@ -490,7 +491,8 @@ types: type: mls_range if: '(_root.type == policy_types::kernel and _root.version >= 19) or (_root.type == policy_types::base and _root.version >= 5)' - role: # role_read + role: + doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L2352 role_read seq: - id: length -orig-id: len @@ -519,7 +521,8 @@ types: type: extensible_bitmap if: '(_root.type != policy_types::kernel and _root.version >= 13)' - type: # type_read + type: + doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#2431 type_read seq: # 3: kern <= 23 # 4: kern >= 24 or !kern <= 7 or !kern == 9 
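Review bot: The `context:` and `type:` doc-refs added in the `@@ -478` and `@@ -519` hunks write their line anchor as `#2018` and `#2431`, without the `L` prefix every other doc-ref in this patch uses, so the link will not land on the cited line; they should read `policydb.c#L2018 context_read_and_validate` and `policydb.c#L2431 type_read`. The same class of slip recurs later in the patch: `bool:` (hunk `@@ -638`) cites `policydb.c#L567` although `bools:` above already locates `cond_read_bool` at `conditional.c#L567`; `avrule_list` (`@@ -813`) and `role_trans` (`@@ -867`) both cite `policydb.c#L3716`, which cannot hold both `avrule_read_list` and `role_trans_read`; and `range:` (`@@ -1576`) has `policydb.#L3620` with the `.c` extension truncated. Since the commit deliberately pins these references to commit 820f019e, correcting the anchors now keeps them checkable against that revision.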
@@ -561,7 +564,8 @@ types: - id: flag type: u4 - user: # user_read + user: + doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L3327 user_read seq: - id: length -orig-id: len @@ -594,14 +598,16 @@ types: type: mls_semantic_range if: '(_root.type == policy_types::module or _root.type == policy_types::base) and (_root.version >= 6)' - role_set: # role_set_read + role_set: + doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L1813 role_set_read seq: - id: roles type: extensible_bitmap - id: flags type: u4 - mls_level: # mls_read_level + mls_level: + doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L3303 mls_read_level seq: - id: sensitivity -orig-id: sens @@ -610,14 +616,16 @@ types: -orig-id: cat type: extensible_bitmap - mls_semantic_range: # mls_read_semantic_range_helper + mls_semantic_range: + doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L1955 mls_read_semantic_range_helper seq: - id: level0 type: mls_semantic_level - id: level1 type: mls_semantic_level - mls_semantic_level: # mls_read_semantic_level_helper + mls_semantic_level: + doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L1907 mls_read_semantic_level_helper seq: - id: sensitivity -orig-id: sens @@ -638,7 +646,8 @@ types: - id: high type: u4 - bool: # cond_read_bool + bool: + doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L567 cond_read_bool seq: - id: value type: u4 @@ -656,7 +665,8 @@ types: if: '(_root.type != policy_types::kernel and _root.version >= 14)' - level: # sens_read + level: + doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L3414 sens_read seq: - id: length -orig-id: len 
@@ -672,7 +682,8 @@ types: - id: level type: mls_level - cat: # cat_read + cat: + doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L3460 cat_read seq: - id: length -orig-id: len @@ -688,7 +699,8 @@ types: encoding: ascii size: length - access_vector_table: # avtab_read + access_vector_table: + doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/avtab.c#L591 avtab_read seq: - id: elements_count -orig-id: nel @@ -705,7 +717,8 @@ types: if: elements_count > 0 and _root.version >= 20 - access_vector_old: # avtab_read_item + access_vector_old: + doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/avtab.c#L434 avtab_read_item seq: - id: total -orig-id: items2 @@ -727,7 +740,8 @@ types: repeat: expr repeat-expr: 8 - access_vector: # avtab_read_item + access_vector: + doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/avtab.c#L572 avtab_read_item seq: - id: source_type type: u2 @@ -752,7 +766,8 @@ types: type: u4 if: '(specified & 0x700) == 0' - conditional_list: # cond_read_list + conditional_list: + doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/conditional.c#L821 cond_read_list seq: - id: length -orig-id: len @@ -762,7 +777,8 @@ types: repeat: expr repeat-expr: length - conditional_node: # cond_read_node + conditional_node: + doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/conditional.c#L747 cond_read_node seq: - id: current_state -orig-id: cur_state @@ -797,7 +813,8 @@ types: - id: boolean type: u4 - cond_av_list: # cond_read_av_list + cond_av_list: + doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/conditional.c#L696 cond_read_av_list seq: - id: length -orig-id: len 
@@ -813,7 +830,8 @@ types: repeat-expr: length if: length > 0 and _root.version >= 20 - avrule_list: # avrule_read_list + avrule_list: + doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L3716 avrule_read_list seq: - id: length -orig-id: len @@ -824,7 +842,8 @@ types: repeat-expr: length if: length > 0 - avrule: # avrule_read + avrule: + doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L3510 avrule_read seq: - id: specified type: u4 @@ -846,7 +865,8 @@ types: type: avrule_specified if: '(specified & (0x0100 | 0x0200 | 0x0400 | 0x0800)) != 0' - avrule_item: # avrule_read + avrule_item: + doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L3510 avrule_read seq: - id: tclass type: u4 @@ -867,7 +887,8 @@ types: repeat: expr repeat-expr: elements_count - role_trans: # role_trans_read + role_trans: + doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L3716 role_trans_read seq: - id: elements_count -orig-id: nel @@ -876,7 +897,6 @@ types: type: role_trans_item repeat: expr repeat-expr: elements_count - if: elements_count > 0 role_trans_item: seq: @@ -890,7 +910,8 @@ types: type: u4 if: '(_root.type == policy_types::kernel and _root.version >= 26)' - role_allow: # role_allow_read + role_allow: + doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L2567 role_allow_read seq: - id: elements_count -orig-id: nel @@ -899,7 +920,6 @@ types: type: role_allow_item repeat: expr repeat-expr: elements_count - if: elements_count > 0 role_allow_item: seq: @@ -908,7 +928,8 @@ types: - id: new_role type: u4 - filename_trans: # filename_trans_read + filename_trans: + doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L2845 filename_trans_read seq: - id: elements_count -orig-id: nel 
@@ -924,7 +945,8 @@ types: repeat-expr: elements_count if: '(elements_count > 0) and (_root.version >= 33)' - filename_trans_item_old: # filename_trans_read_one_compat + filename_trans_item_old: + doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L2674 filename_trans_read_one_compat seq: - id: length -orig-id: len @@ -943,7 +965,8 @@ types: type: u4 - filename_trans_item: # filename_trans_read_one + filename_trans_item: + doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L2756 filename_trans_read_one seq: - id: length -orig-id: len @@ -973,7 +996,8 @@ types: - id: otype type: u4 - avrule_block: # avrule_block_read + avrule_block: + doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L4030 avrule_block_read seq: - id: count -orig-id: num_blocks @@ -993,7 +1017,8 @@ types: repeat-expr: num_decls if: num_decls > 0 - avrule_decl: # avrule_decl_read + avrule_decl: + doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L3980 avrule_decl_read seq: - id: decl_id type: u4 @@ -1021,7 +1046,8 @@ types: - id: symbols type: symbols - role_trans_rule: # role_trans_rule_read + role_trans_rule: + doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L3749 role_trans_rule_read seq: - id: elements_count -orig-id: nel @@ -1030,7 +1056,6 @@ types: type: role_trans_rule_item repeat: expr repeat-expr: elements_count - if: elements_count > 0 role_trans_rule_item: seq: @@ -1044,7 +1069,8 @@ types: - id: new_role type: u4 - role_allow_rule: # role_allow_rule_read + role_allow_rule: + doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L3801 role_allow_rule_read seq: - id: elements_count -orig-id: nel @@ -1053,7 +1079,6 @@ types: type: common repeat: expr repeat-expr: elements_count - if: elements_count > 0 role_allow_rule_item: seq: 
@@ -1062,7 +1087,8 @@ types: - id: new_roles type: role_set - filename_trans_rule: # filename_trans_rule_read + filename_trans_rule: + doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L3837 filename_trans_rule_read seq: - id: count type: u4 @@ -1095,7 +1121,8 @@ types: if: _root.version >= 21 - range_trans_rule: # range_trans_rule_read + range_trans_rule: + doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L3903 range_trans_rule_read seq: - id: count -orig-id: nel @@ -1116,7 +1143,8 @@ types: - id: trange type: mls_semantic_range - scope_index: # scope_index_read + scope_index: + doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L3945 scope_index_read seq: - id: scope type: extensible_bitmap @@ -1140,9 +1168,9 @@ types: type: scope repeat: expr repeat-expr: elements_count - if: elements_count > 0 - scope: # scope_read + scope: + doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L4108 scope_read seq: - id: length -orig-id: len @@ -1164,7 +1192,8 @@ types: repeat: expr repeat-expr: decl_ids_len - ocontext_selinux: # ocontext_read_selinux + ocontext_selinux: + doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L2983 ocontext_read_selinux seq: - id: initial_sids type: initial_sids @@ -1203,7 +1232,6 @@ types: type: initial_sid repeat: expr repeat-expr: elements_count - if: elements_count > 0 initial_sid: seq: @@ -1221,7 +1249,6 @@ types: type: filesystem repeat: expr repeat-expr: elements_count - if: elements_count > 0 filesystem: seq: @@ -1248,7 +1275,6 @@ types: type: port repeat: expr repeat-expr: elements_count - if: elements_count > 0 port: seq: @@ -1270,7 +1296,6 @@ types: type: node repeat: expr repeat-expr: elements_count - if: elements_count > 0 node: seq: 
@@ -1290,7 +1315,6 @@ types: type: fsuse repeat: expr repeat-expr: elements_count - if: elements_count > 0 fsuse: seq: @@ -1317,7 +1341,6 @@ types: type: node6 repeat: expr repeat-expr: elements_count - if: elements_count > 0 node6: seq: @@ -1341,7 +1364,6 @@ types: type: ibpkey repeat: expr repeat-expr: elements_count - if: elements_count > 0 ibpkey: seq: @@ -1361,7 +1383,6 @@ types: type: ibpendport repeat: expr repeat-expr: elements_count - if: elements_count > 0 ibpendport: seq: @@ -1380,7 +1401,8 @@ types: type: context - ocontext_xen: # ocontext_read_xen + ocontext_xen: + doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L2872 ocontext_read_xen seq: - id: xen_isids type: xen_isids @@ -1410,7 +1432,6 @@ types: type: xen_isid repeat: expr repeat-expr: elements_count - if: elements_count > 0 xen_isid: seq: @@ -1428,7 +1449,6 @@ types: type: xen_pirq repeat: expr repeat-expr: elements_count - if: elements_count > 0 xen_pirq: seq: @@ -1446,7 +1466,6 @@ types: type: xen_ioport repeat: expr repeat-expr: elements_count - if: elements_count > 0 xen_ioport: seq: @@ -1466,7 +1485,6 @@ types: type: xen_iomem repeat: expr repeat-expr: elements_count - if: elements_count > 0 xen_iomem: seq: @@ -1494,7 +1512,6 @@ types: type: xen_pcidevice repeat: expr repeat-expr: elements_count - if: elements_count > 0 xen_pcidevice: seq: @@ -1513,7 +1530,6 @@ types: type: xen_devicetree repeat: expr repeat-expr: elements_count - if: elements_count > 0 xen_devicetree: seq: @@ -1529,7 +1545,8 @@ types: - id: context0 type: context - genfs: # genfs_read + genfs: + doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L3180 genfs_read seq: - id: elements_count -orig-id: nel @@ -1538,7 +1555,6 @@ types: type: genfs_item repeat: expr repeat-expr: elements_count - if: elements_count > 0 genfs_item: seq: 
@@ -1558,7 +1574,6 @@ types: type: genfs2_item repeat: expr repeat-expr: elements_count - if: elements_count > 0 genfs2_item: seq: @@ -1576,7 +1591,8 @@ types: - id: context0 type: context - range: # range_read + range: + doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.#L3620 range_read seq: - id: elements_count -orig-id: nel @@ -1585,7 +1601,6 @@ types: type: range_item repeat: expr repeat-expr: elements_count - if: elements_count > 0 range_item: seq: From 7080b4ed64c6851a83e49d43f5f0fa290aefde62 Mon Sep 17 00:00:00 2001 From: Ange Date: Fri, 14 Jul 2023 19:58:12 +0200 Subject: [PATCH 4/5] Docs and indentation --- security/selinux_policy_binary.ksy | 7 +++++++ security/selinux_policy_package.ksy | 9 ++++++--- 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/security/selinux_policy_binary.ksy b/security/selinux_policy_binary.ksy index aa9b99335..ec1bfeee5 100644 --- a/security/selinux_policy_binary.ksy +++ b/security/selinux_policy_binary.ksy @@ -5,6 +5,13 @@ meta: license: CC0-1.0 encoding: ASCII endian: le +doc: | + This format is the result of compiled policies. + This format has no specification. + The source of truth is the code of its library: one reader and one writer. + The same parser handles together 3 file types: kernel, module and base, + with 2 ranges of versions: 15-33 for kernel, and 4-21 for base or module files, and 2 systems: Linux or Xen. + doc-ref: - https://github.com/SELinuxProject/selinux/blob/820f019ed9e3b9a9e3e62ae378f99282990976a2/libsepol/src/policydb.c - https://github.com/SELinuxProject/selinux/blob/820f019ed9e3b9a9e3e62ae378f99282990976a2/libsepol/src/write.c diff --git a/security/selinux_policy_package.ksy b/security/selinux_policy_package.ksy index e32929f32..68bf89b15 100644 --- a/security/selinux_policy_package.ksy +++ b/security/selinux_policy_package.ksy 
@@ -5,6 +5,9 @@ meta: license: CC0-1.0 encoding: ASCII endian: le +doc: | + This format is used to store together various policies files as sections. + This format has no specification. The source of truth is the code of its library. doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019ed9e3b9a9e3e62ae378f99282990976a2/libsepol/src/module.c seq: - id: magic @@ -22,9 +25,9 @@ seq: types: section: seq: - - id: offset - -orig-id: off - type: u4 + - id: offset + -orig-id: off + type: u4 instances: section_magic: io: _root._io From 276d40865d15e99dae0af3814e0d562ce11ef2b1 Mon Sep 17 00:00:00 2001 From: Ange Date: Mon, 24 Jul 2023 13:05:31 +0200 Subject: [PATCH 5/5] encoding, conditionals, conventions, header flattening... --- security/selinux_policy_binary.ksy | 807 ++++++++++++++-------------- security/selinux_policy_package.ksy | 10 +- 2 files changed, 407 insertions(+), 410 deletions(-) diff --git a/security/selinux_policy_binary.ksy b/security/selinux_policy_binary.ksy index ec1bfeee5..3a1251dca 100644 --- a/security/selinux_policy_binary.ksy +++ b/security/selinux_policy_binary.ksy 
@@ -16,20 +16,119 @@ doc-ref: - https://github.com/SELinuxProject/selinux/blob/820f019ed9e3b9a9e3e62ae378f99282990976a2/libsepol/src/policydb.c - https://github.com/SELinuxProject/selinux/blob/820f019ed9e3b9a9e3e62ae378f99282990976a2/libsepol/src/write.c seq: - - id: header - type: header + - id: magic + type: u4 + enum: magics + valid: + any-of: + - magics::kernel + - magics::module + doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L4225 policydb_read + - id: len_policydb + -orig-id: len + type: u4 + valid: + min: 1 + min: 32 + - id: policydb + -orig-id: policydb_str + type: str + size: len_policydb + valid: + expr: '(magic == magics::kernel and (_ == "SE Linux" or _ == "XenFlask")) or (magic == magics::module and _ == "SE Linux Module")' + - id: policy_type + type: u4 + enum: policy_types + if: 'magic == magics::module' + - id: policy_version + -orig-id: policyvers + type: u4 + valid: + min: 'magic == magics::kernel ? 15 : 4' + max: 'magic == magics::kernel ? 
33 : 21' + - id: config + -orig-id: config + type: u4 + - id: num_symbols + -orig-id: sym_num + type: u4 + valid: + min: 5 + - id: object_contexts_count + -orig-id: ocon_num + type: u4 + valid: + min: 0 + max: 9 + - id: module_header + type: module_header + if: 'magic == magics::module' + - id: policy_capabilities + -orig-id: policycaps + type: extensible_bitmap + if: '(_root.type_ == policy_types::kernel and policy_version >= 22) or (policy_version >= 7)' + - id: permissive_map + type: extensible_bitmap + if: '(_root.type_ == policy_types::kernel and policy_version >= 23)' + - id: symbols + type: symbols + - id: access_vector_table + type: access_vector_table + if: '(_root.type_ == policy_types::kernel)' + - id: conditional_list + type: conditional_list + if: '_root.type_ == policy_types::kernel and policy_version >= 16' + - id: role_trans + type: role_trans + if: '_root.type_ == policy_types::kernel' + - id: role_allow + type: role_allow + if: '_root.type_ == policy_types::kernel' + - id: filename_trans + type: filename_trans + if: '_root.type_ == policy_types::kernel and policy_version >= 25' + - id: avrule_block + type: avrule_block + if: '_root.type_ != policy_types::kernel' + - id: scope_list + type: scope_list + repeat: expr + repeat-expr: _root.num_symbols + if: '_root.type_ != policy_types::kernel' + - id: ocontext_selinux + type: ocontext_selinux + if: '_root.target == targets::selinux' + - id: ocontext_xen + type: ocontext_xen + if: '_root.target == targets::xen' + - id: genfs + type: genfs + - id: range + type: range + if: '(_root.type_ == policy_types::kernel and policy_version >= 19) or (_root.type_ == policy_types::base and policy_version == 5)' + - id: type_attr_map + type: extensible_bitmap + repeat: expr + repeat-expr: symbols.types.num_primary_names + if: '_root.type_ == policy_types::kernel' instances: boundary_feature: # policydb_has_boundary_feature - value: '(_root.type == policy_types::kernel and _root.version >= 24) or (_root.type != 
policy_types::kernel and _root.version >= 9)' + value: | + (_root.type_ == policy_types::kernel and _root.version >= 24) or + (_root.type_ != policy_types::kernel and _root.version >= 9) version: - value: 'header.policyvers' - type: - value: 'header.magic == magics::kernel ? policy_types::kernel : (header.policy_type == policy_types::module ? policy_types::module : policy_types::base)' + value: '_root.policy_version' + type_: + value: | + _root.magic == magics::kernel ? policy_types::kernel : + (_root.policy_type == policy_types::module ? policy_types::module : policy_types::base) target: - value: 'header.magic == magics::kernel and header.policydb_str == "XenFlask" ? targets::xen : targets::selinux' + value: | + _root.magic == magics::kernel and _root.policydb == "XenFlask" ? + targets::xen : targets::selinux mls: - value: 'header.config & 1' + value: '_root.config & 1' enums: magics: 
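Review bot: `len_policydb` in the new top-level `seq` declares `valid:` with `min: 1` and then `min: 1`/`min: 32` as two `min` entries; the second was presumably meant to be `max: 32`, the upper bound libsepol applies to this string as far as I recall. As written the spec is either rejected for a duplicate mapping key or, with a last-wins YAML loader, ends up with `min: 32`, which rejects every value the following `valid: expr` accepts ("SE Linux Module", the longest, is 15 bytes); the fix is the single line `max: 32`. Separately, `num_symbols` now carries only `min: 5` while `object_contexts_count` is bounded with `max: 9`; since `scope_list` is repeated `_root.num_symbols` times and the `symbols` type reads at most 8 tables, a matching `max: 8` would reject an oversized count at the header instead of deep inside the scope list.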
@@ -51,119 +150,24 @@ enums: types: - header: - doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L4225 policydb_read - seq: - - id: magic - type: u4 - enum: magics - valid: - any-of: - - magics::kernel - - magics::module - - id: policydb_str_len - -orig-id: len - type: u4 - - id: policydb_str - type: str - encoding: ascii - size: policydb_str_len - valid: - expr: '(magic == magics::kernel and (_ == "SE Linux" or _ == "XenFlask")) or (magic == magics::module and _ == "SE Linux Module")' - - id: policy_type - type: u4 - enum: policy_types - if: 'magic == magics::module' - - id: policyvers - type: u4 - valid: - expr: '(magic == magics::kernel and 15 <= _ and _ <= 33) or (magic != magics::kernel and 4 <= _ and _ <= 21)' - - id: config - -orig-id: config - type: u4 - - id: symbols_count - -orig-id: sym_num - type: u4 - valid: - min: 5 - - id: object_contexts_count - -orig-id: ocon_num - type: u4 - valid: - min: 0 - max: 9 - - id: module_header - type: module_header - if: 'magic == magics::module' - - id: policycaps - type: extensible_bitmap - if: '(_root.type == policy_types::kernel and policyvers >= 22) or (policyvers >= 7)' - - id: permissive_map - type: extensible_bitmap - if: '(_root.type == policy_types::kernel and policyvers >= 23)' - - id: symbols - type: symbols - - id: access_vector_table - type: access_vector_table - if: '(_root.type == policy_types::kernel)' - - id: conditional_list - type: conditional_list - if: '_root.type == policy_types::kernel and policyvers >= 16' - - id: role_trans - type: role_trans - if: '_root.type == policy_types::kernel' - - id: role_allow - type: role_allow - if: '_root.type == policy_types::kernel' - - id: filename_trans - type: filename_trans - if: '_root.type == policy_types::kernel and policyvers >= 25' - - id: avrule_block - type: avrule_block - if: '_root.type != policy_types::kernel' - - id: scope_list - type: scope_list - repeat: expr - repeat-expr: _root.header.symbols_count - if: 
'_root.type != policy_types::kernel' - - id: ocontext_selinux - type: ocontext_selinux - if: '_root.target == targets::selinux' - - id: ocontext_xen - type: ocontext_xen - if: '_root.target == targets::xen' - - id: genfs - type: genfs - - id: range - type: range - if: '(_root.type == policy_types::kernel and policyvers >= 19) or (_root.type == policy_types::base and policyvers == 5)' - - id: type_attr_map - type: extensible_bitmap - repeat: expr - repeat-expr: symbols.types.primary_names_count - if: '_root.type == policy_types::kernel' - - module_header: seq: - - id: name_len + - id: len_name -orig-id: len type: u4 valid: min: 1 - id: name type: str - encoding: ascii - size: name_len - - id: version_length + size: len_name + - id: len_version -orig-id: len # again type: u4 valid: min: 1 - id: version type: str - encoding: ascii - size: version_length + size: len_version extensible_bitmap: doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/ebitmap.c#L539 ebitmap_read @@ -174,15 +178,15 @@ types: - id: highbit type: u4 valid: - expr: 'highbit & 0x3F == 0' - - id: count + expr: '_ & 0x3F == 0' + - id: num_nodes type: u4 valid: - expr: 'not ((highbit > 0) and (_ == 0))' - - id: node + expr: 'not ((highbit != 0) and (_ == 0))' + - id: nodes type: ebitmap_node repeat: expr - repeat-expr: count + repeat-expr: num_nodes ebitmap_node: seq: @@ -200,7 +204,7 @@ types: - id: roles type: roles - id: types - type: types + type: types_ - id: users type: users # 5 symbols: all of them 
@@ -208,244 +212,241 @@ types: -orig-id: bools type: bools # 6 symbols: mod or base or kern[16-18] - if: '_root.header.symbols_count >= 6' + if: '_root.num_symbols >= 6' - id: security_levels -orig-id: levels type: levels - if: '_root.header.symbols_count >= 7' + if: '_root.num_symbols >= 7' - id: categories -orig-id: cats type: cats # 8 symbols: mod or base or kern[19-] - if: '_root.header.symbols_count >= 8' + if: '_root.num_symbols >= 8' commons: seq: - - id: primary_names_count + - id: num_primary_names -orig-id: nprim type: u4 - - id: elements_count + - id: num_elements -orig-id: nel type: u4 - - id: common + - id: commons type: common repeat: expr - repeat-expr: elements_count + repeat-expr: num_elements classes: seq: - - id: primary_names_count + - id: num_primary_names -orig-id: nprim type: u4 - - id: elements_count + - id: num_elements -orig-id: nel type: u4 - - id: class + - id: classes type: class repeat: expr - repeat-expr: elements_count + repeat-expr: num_elements roles: seq: - - id: primary_names_count + - id: num_primary_names -orig-id: nprim type: u4 - - id: elements_count + - id: num_elements -orig-id: nel type: u4 - - id: role + - id: roles type: role repeat: expr - repeat-expr: elements_count + repeat-expr: num_elements - types: + types_: seq: - - id: primary_names_count + - id: num_primary_names -orig-id: nprim type: u4 - - id: elements_count + - id: num_elements -orig-id: nel type: u4 - - id: type - type: type + - id: types + type: type_ repeat: expr - repeat-expr: elements_count + repeat-expr: num_elements users: seq: - - id: primary_names_count + - id: num_primary_names -orig-id: nprim type: u4 - - id: elements_count + - id: num_elements -orig-id: nel type: u4 - - id: user + - id: users type: user repeat: expr - repeat-expr: elements_count + repeat-expr: num_elements bools: doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/conditional.c#L567 cond_read_bool seq: - - id: primary_names_count + - id: num_primary_names 
-orig-id: nprim type: u4 - - id: elements_count + - id: num_elements -orig-id: nel type: u4 - - id: bool + - id: bools type: bool repeat: expr - repeat-expr: elements_count + repeat-expr: num_elements levels: doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L3414 sens_read seq: - - id: primary_names_count + - id: num_primary_names -orig-id: nprim type: u4 - - id: elements_count + - id: num_elements -orig-id: nel type: u4 - - id: level + - id: levels type: level repeat: expr - repeat-expr: elements_count + repeat-expr: num_elements cats: doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L3460 cat_read seq: - - id: primary_names_count + - id: num_primary_names -orig-id: nprim type: u4 - - id: elements_count + - id: num_elements -orig-id: nel type: u4 - - id: cat + - id: cats type: cat repeat: expr - repeat-expr: elements_count + repeat-expr: num_elements common: doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L2093 common_read seq: - - id: length + - id: len_key -orig-id: len type: u4 valid: min: 1 - id: value type: u4 - - id: primary_names_count + - id: num_primary_names -orig-id: nprim type: u4 valid: max: 32 - - id: elements_count + - id: num_elements -orig-id: nel type: u4 - id: key type: str - encoding: ascii - size: length - - id: permission + size: len_key + - id: permissions type: permission repeat: expr - repeat-expr: elements_count + repeat-expr: num_elements permission: doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L2057 perm_read seq: - - id: length + - id: len_key -orig-id: len type: u4 + valid: + min: 1 - id: value type: u4 - id: key type: str - encoding: ASCII - size: length + size: len_key class: doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L2241 class_read seq: - - id: key_length + - id: len_key -orig-id: len type: u4 valid: min: 1 - - id: 
common_key_length + - id: len_common_key # can be null -orig-id: len2 type: u4 - id: value type: u4 - - id: primary_names_count + - id: num_primary_names -orig-id: perm_nprim type: u4 valid: max: 32 - - id: elements_count + - id: num_elements -orig-id: nel type: u4 - - id: constraints_count + - id: num_constraints -orig-id: ncons type: u4 - id: key type: str - encoding: ASCII - size: key_length + size: len_key - id: common_key + -orig-id: comkey type: str - encoding: ASCII - size: common_key_length - if: common_key_length > 0 - - id: permission + size: len_common_key + if: len_common_key > 0 + - id: permissions type: permission repeat: expr - repeat-expr: elements_count + repeat-expr: num_elements - id: constraints - -orig-id: constraints type: constraint repeat: expr - repeat-expr: constraints_count + repeat-expr: num_constraints - - id: validatetrans_count + - id: num_validatetrans -orig-id: ncons # yes, same name type: u4 - if: '(_root.type == policy_types::kernel and _root.version >= 19) or (_root.type == policy_types::base and _root.version >= 5)' - - id: validatetrans + if: '(_root.type_ == policy_types::kernel and _root.version >= 19) or (_root.type_ == policy_types::base and _root.version >= 5)' + - id: validate_trans -orig-id: validatetrans type: constraint repeat: expr - repeat-expr: validatetrans_count - if: '(_root.type == policy_types::kernel and _root.version >= 19) or (_root.type == policy_types::base and _root.version >= 5)' + repeat-expr: num_validatetrans + if: '(_root.type_ == policy_types::kernel and _root.version >= 19) or (_root.type_ == policy_types::base and _root.version >= 5)' - id: default_user type: u4 - if: '(_root.type == policy_types::kernel and _root.version >= 27) or (_root.type == policy_types::base and _root.version >= 15)' + if: '(_root.type_ == policy_types::kernel and _root.version >= 27) or (_root.type_ == policy_types::base and _root.version >= 15)' - id: default_role type: u4 - if: '(_root.type == policy_types::kernel and 
_root.version >= 27) or (_root.type == policy_types::base and _root.version >= 15)' + if: '(_root.type_ == policy_types::kernel and _root.version >= 27) or (_root.type_ == policy_types::base and _root.version >= 15)' - id: default_range type: u4 - if: '(_root.type == policy_types::kernel and _root.version >= 27) or (_root.type == policy_types::base and _root.version >= 15)' + if: '(_root.type_ == policy_types::kernel and _root.version >= 27) or (_root.type_ == policy_types::base and _root.version >= 15)' - id: default_type type: u4 - if: '(_root.type == policy_types::kernel and _root.version >= 28) or (_root.type == policy_types::base and _root.version >= 16)' + if: '(_root.type_ == policy_types::kernel and _root.version >= 28) or (_root.type_ == policy_types::base and _root.version >= 16)' constraint: # read_cons_helper seq: - id: permissions type: u4 - - id: expressions_count + - id: num_expressions -orig-id: nexpr type: u4 - - id: expression + - id: expressions type: expression repeat: expr - repeat-expr: expressions_count - if: expressions_count > 0 + repeat-expr: num_expressions expression: seq: @@ -463,7 +464,7 @@ types: if: 'type == expression_types::names' - id: type_names type: type_set - if: 'type == expression_types::names and ((_root.type == policy_types::kernel and _root.version >= 29) or (_root.type != policy_types::kernel))' + if: 'type == expression_types::names and ((_root.type_ == policy_types::kernel and _root.version >= 29) or (_root.type_ != policy_types::kernel))' mls_range: doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L1850 mls_read_range_helper 
@@ -496,14 +497,16 @@ types: type: u4 - id: mls_range type: mls_range - if: '(_root.type == policy_types::kernel and _root.version >= 19) or (_root.type == policy_types::base and _root.version >= 5)' + if: '(_root.type_ == policy_types::kernel and _root.version >= 19) or (_root.type_ == policy_types::base and _root.version >= 5)' role: doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L2352 role_read seq: - - id: length + - id: len_key -orig-id: len type: u4 + valid: + min: 1 - id: value type: u4 - id: bounds @@ -511,37 +514,38 @@ types: if: '_root.boundary_feature' - id: key type: str - encoding: ascii - size: length + size: len_key - id: dominates type: extensible_bitmap - id: types_eb type: extensible_bitmap - if: _root.type == policy_types::kernel + if: _root.type_ == policy_types::kernel - id: types_ts type: type_set - if: not (_root.type == policy_types::kernel) + if: not (_root.type_ == policy_types::kernel) - id: flavor type: u4 - if: '(_root.type != policy_types::kernel and _root.version >= 13)' + if: '(_root.type_ != policy_types::kernel and _root.version >= 13)' - id: roles type: extensible_bitmap - if: '(_root.type != policy_types::kernel and _root.version >= 13)' + if: '(_root.type_ != policy_types::kernel and _root.version >= 13)' - type: + type_: doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#2431 type_read seq: # 3: kern <= 23 # 4: kern >= 24 or !kern <= 7 or !kern == 9 # 5: !kern == 8 or !kern >= 10 - - id: length + - id: len_key -orig-id: len type: u4 + valid: + min: 1 - id: value type: u4 - id: primary type: u4 - if: '(_root.boundary_feature and (_root.type != policy_types::kernel and _root.version >= 10)) or not _root.boundary_feature' + if: '(_root.boundary_feature and (_root.type_ != policy_types::kernel and _root.version >= 10)) or not _root.boundary_feature' - id: properties type: u4 if: '_root.boundary_feature' 
@@ -550,17 +554,16 @@ types:
 if: '_root.boundary_feature'
 - id: flavor
 type: u4
- if: 'not _root.boundary_feature and (_root.type != policy_types::kernel)'
+ if: 'not _root.boundary_feature and (_root.type_ != policy_types::kernel)'
 - id: flags
 type: u4
- if: 'not _root.boundary_feature and (_root.type != policy_types::kernel and _root.version >= 8)'
+ if: 'not _root.boundary_feature and (_root.type_ != policy_types::kernel and _root.version >= 8)'
 - id: types
 type: extensible_bitmap
- if: '_root.type != policy_types::kernel'
+ if: '_root.type_ != policy_types::kernel'
 - id: key
 type: str
- encoding: ASCII
- size: length
+ size: len_key
 type_set:
 seq:
@@ -574,9 +577,11 @@ types:
 user:
 doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L3327 user_read
 seq:
- - id: length
+ - id: len_key
 -orig-id: len
 type: u4
+ valid:
+ min: 1
 - id: value
 type: u4
 - id: bounds
@@ -584,26 +589,25 @@ types:
 if: _root.boundary_feature
 - id: key
 type: str
- encoding: ASCII
- size: length
+ size: len_key
 - id: roles_eb
 type: extensible_bitmap
- if: '_root.type == policy_types::kernel'
+ if: '_root.type_ == policy_types::kernel'
 - id: roles_rs
 type: role_set
- if: '_root.type != policy_types::kernel'
+ if: '_root.type_ != policy_types::kernel'
 - id: exp_range
 type: mls_range
- if: '(_root.type == policy_types::kernel and _root.version >= 19) or (_root.type == policy_types::module and _root.version >= 5 and _root.version < 6) or (_root.type == policy_types::base and _root.version >= 5 and _root.version < 6)'
+ if: '(_root.type_ == policy_types::kernel and _root.version >= 19) or (_root.type_ == policy_types::module and _root.version >= 5 and _root.version < 6) or (_root.type_ == policy_types::base and _root.version >= 5 and _root.version < 6)'
 - id: exp_dftlevel
 type: mls_level
- if: '(_root.type == policy_types::kernel and _root.version >= 19) or (_root.type == policy_types::module and _root.version >= 5 and _root.version < 6) or (_root.type == policy_types::base and _root.version >= 5 and _root.version < 6)'
+ if: '(_root.type_ == policy_types::kernel and _root.version >= 19) or (_root.type_ == policy_types::module and _root.version >= 5 and _root.version < 6) or (_root.type_ == policy_types::base and _root.version >= 5 and _root.version < 6)'
 - id: range
 type: mls_semantic_range
- if: '(_root.type == policy_types::module or _root.type == policy_types::base) and (_root.version >= 6)'
+ if: '(_root.type_ == policy_types::module or _root.type_ == policy_types::base) and (_root.version >= 6)'
 - id: dfltlevel
 type: mls_semantic_range
- if: '(_root.type == policy_types::module or _root.type == policy_types::base) and (_root.version >= 6)'
+ if: '(_root.type_ == policy_types::module or _root.type_ == policy_types::base) and (_root.version >= 6)'
 role_set:
 doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L1813 role_set_read
@@ -637,14 +641,14 @@ types:
 - id: sensitivity
 -orig-id: sens
 type: u4
- - id: count
+ - id: num_categories
 -orig-id: ncat
 type: u4
- - id: category
+ - id: categories
 -orig-id: cat
 type: semantic_category
 repeat: expr
- repeat-expr: count
+ repeat-expr: num_categories
 semantic_category:
 seq:
@@ -654,28 +658,29 @@ types:
 type: u4
 bool:
- doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L567 cond_read_bool
+ doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/cond_read_bool.c#L567 cond_read_bool
 seq:
 - id: value
 type: u4
 - id: state
 type: u4
- - id: length
+ - id: len_key
 -orig-id: len
 type: u4
+ valid:
+ min: 1
 - id: key
 type: str
- size: length
- encoding: ascii
+ size: len_key
 - id: flags
 type: u4
- if: '(_root.type != policy_types::kernel and _root.version >= 14)'
+ if: '(_root.type_ != policy_types::kernel and _root.version >= 14)'
 level:
 doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L3414 sens_read
 seq:
- - id: length
+ - id: len_key
 -orig-id: len
 type: u4
 valid:
@@ -684,15 +689,14 @@ types:
 type: u4
 - id: key
 type: str
- encoding: ascii
- size: length
+ size: len_key
 - id: level
 type: mls_level
 cat:
 doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L3460 cat_read
 seq:
- - id: length
+ - id: len_key
 -orig-id: len
 type: u4
 valid:
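Review bot: The new `doc-ref` for `bool` in the `@@ -654` hunk points at `libsepol/src/cond_read_bool.c#L567`, which does not look like a real source path: every other conditional reader referenced in this file (`cond_read_list`, `cond_read_node`, `cond_read_av_list` in the L73 and L74 hunks) is anchored in `libsepol/src/conditional.c`, so this is most likely meant to read `doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/conditional.c#L567 cond_read_bool` (the line number should be re-checked against that file). The same hunk drops the explicit `encoding: ascii` from `bool.key` and relies on the `meta` default; that is consistent with the other key fields in this commit, but as it changes generated code for every string it deserves a sentence in the commit message.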
@@ -703,25 +707,24 @@ types:
 type: u4
 - id: key
 type: str
- encoding: ascii
- size: length
+ size: len_key
 access_vector_table:
 doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/avtab.c#L591 avtab_read
 seq:
- - id: elements_count
+ - id: num_elements
 -orig-id: nel
 type: u4
- - id: access_vector_old
+ - id: access_vectors_old
 type: access_vector_old
 repeat: expr
- repeat-expr: elements_count
- if: elements_count > 0 and _root.version < 20
+ repeat-expr: num_elements
+ if: _root.version < 20
- - id: access_vector
+ - id: access_vectors
 type: access_vector
 repeat: expr
- repeat-expr: elements_count
- if: elements_count > 0 and _root.version >= 20
+ repeat-expr: num_elements
+ if: _root.version >= 20
 access_vector_old:
@@ -742,7 +745,7 @@ types:
 - id: value
 -orig-id: val
 type: u4
- - id: data
+ - id: datas
 type: u4
 repeat: expr
 repeat-expr: 8
@@ -776,13 +779,13 @@ types:
 conditional_list:
 doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/conditional.c#L821 cond_read_list
 seq:
- - id: length
+ - id: num_nodes
 -orig-id: len
 type: u4
- - id: conditional_node
+ - id: conditional_nodes
 type: conditional_node
 repeat: expr
- repeat-expr: length
+ repeat-expr: num_nodes
 conditional_node:
 doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/conditional.c#L747 cond_read_node
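Review bot: Dropping `if: elements_count > 0` from `access_vectors_old` / `access_vectors` is fine for Kaitai (a zero `repeat-expr` yields an empty list), but libsepol's `avtab_read`, as far as I recall, treats an empty table as a malformed policy, so `num_elements` in `access_vector_table` should carry `valid: min: 1` the way the `len_key` fields do elsewhere in this commit; otherwise a file that the reference loader rejects parses here without complaint. In the `@@ -742` hunk `datas` is an awkward plural for the eight fixed u4 words; if they are the extended-permission bitmap, as the count suggests, `xperm_words` or `perms` would say so, and a `doc:` line naming what the eight words hold would be useful either way.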
@@ -790,28 +793,28 @@ types:
 - id: current_state
 -orig-id: cur_state
 type: u4
- - id: length
+ - id: num_items
 -orig-id: len
 type: u4
- - id: conditional_node_item
+ - id: conditional_node_items
 type: conditional_node_item
 repeat: expr
- repeat-expr: length
+ repeat-expr: num_items
 - id: true_list
 type: cond_av_list
- if: _root.type == policy_types::kernel
+ if: _root.type_ == policy_types::kernel
 - id: false_list
 type: cond_av_list
- if: _root.type == policy_types::kernel
+ if: _root.type_ == policy_types::kernel
 - id: avtrue_list
 type: avrule_list
- if: _root.type != policy_types::kernel
+ if: _root.type_ != policy_types::kernel
 - id: avfalse_list
 type: avrule_list
- if: _root.type != policy_types::kernel
+ if: _root.type_ != policy_types::kernel
 - id: flags
 type: u4
- if: '_root.type != policy_types::kernel and _root.version >= 14'
+ if: '_root.type_ != policy_types::kernel and _root.version >= 14'
 conditional_node_item:
 seq:
@@ -823,31 +826,30 @@ types:
 cond_av_list:
 doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/conditional.c#L696 cond_read_av_list
 seq:
- - id: length
+ - id: num_vectors
 -orig-id: len
 type: u4
- - id: access_vector_old
+ - id: access_vectors_old
 type: access_vector_old
 repeat: expr
- repeat-expr: length
- if: length > 0 and _root.version < 20
- - id: access_vector
+ repeat-expr: num_vectors
+ if: _root.version < 20
+ - id: access_vectors
 type: access_vector
 repeat: expr
- repeat-expr: length
- if: length > 0 and _root.version >= 20
+ repeat-expr: num_vectors
+ if: _root.version >= 20
 avrule_list:
 doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L3716 avrule_read_list
 seq:
- - id: length
+ - id: num_rules
 -orig-id: len
 type: u4
- - id: avrule
+ - id: avrules
 type: avrule
 repeat: expr
- repeat-expr: length
- if: length > 0
+ repeat-expr: num_rules
 avrule:
 doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L3510 avrule_read
@@ -860,14 +862,13 @@ types:
 type: type_set
 - id: ttypes
 type: type_set
- - id: length
+ - id: num_items
 -orig-id: len
 type: u4
- - id: avrule_item
+ - id: avrule_items
 type: avrule_item
 repeat: expr
- repeat-expr: length
- if: length > 0
+ repeat-expr: num_items
 - id: avrule_specified
 type: avrule_specified
 if: '(specified & (0x0100 | 0x0200 | 0x0400 | 0x0800)) != 0'
@@ -886,24 +887,24 @@ types:
 type: u1
 - id: xperms_driver
 type: u1
- - id: elements_count
+ - id: num_elements
 -orig-id: nel
 type: u4
 - id: perms
 type: u4
 repeat: expr
- repeat-expr: elements_count
+ repeat-expr: num_elements
 role_trans:
 doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L3716 role_trans_read
 seq:
- - id: elements_count
+ - id: num_elements
 -orig-id: nel
 type: u4
- - id: role_trans_item
+ - id: role_trans_items
 type: role_trans_item
 repeat: expr
- repeat-expr: elements_count
+ repeat-expr: num_elements
 role_trans_item:
 seq:
@@ -915,18 +916,18 @@ types:
 type: u4
 - id: tclass
 type: u4
- if: '(_root.type == policy_types::kernel and _root.version >= 26)'
+ if: '(_root.type_ == policy_types::kernel and _root.version >= 26)'
 role_allow:
 doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L2567 role_allow_read
 seq:
- - id: elements_count
+ - id: num_elements
 -orig-id: nel
 type: u4
- - id: role_allow_item
+ - id: role_allow_items
 type: role_allow_item
 repeat: expr
- repeat-expr: elements_count
+ repeat-expr: num_elements
 role_allow_item:
 seq:
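Review bot: In the `@@ -886` hunk `num_elements` drives `repeat-expr` for the extended-permission `perms` words with no bound, while the structure it fills is a fixed eight-word bitmap (the `@@ -742` hunk in L73 hard-codes `repeat-expr: 8` for the equivalent avtab data); libsepol, as far as I recall, rejects a count larger than that array, so `valid: max: 8` on `num_elements` would mirror the reference parser and keep a corrupt count from being read as megabytes of permission words. The enclosing `avrule` type starts before this hunk, so I cannot see whether `xperms_specified` already narrows this branch. Visible but untouched by the commit: the `role_trans` doc-ref anchors `policydb.c#L3716`, the same line the `avrule_list` doc-ref uses in the L74 hunk, so one of the two is stale.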
@@ -938,30 +939,31 @@ types:
 filename_trans:
 doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L2845 filename_trans_read
 seq:
- - id: elements_count
+ - id: num_elements
 -orig-id: nel
 type: u4
- - id: item_32
+ - id: items_32
 type: filename_trans_item_old
 repeat: expr
- repeat-expr: elements_count
- if: '(elements_count > 0) and (_root.version < 33)'
- - id: item_33
+ repeat-expr: num_elements
+ if: '_root.version < 33'
+ - id: items_33
 type: filename_trans_item
 repeat: expr
- repeat-expr: elements_count
- if: '(elements_count > 0) and (_root.version >= 33)'
+ repeat-expr: num_elements
+ if: '_root.version >= 33'
 filename_trans_item_old:
 doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L2674 filename_trans_read_one_compat
 seq:
- - id: length
+ - id: len_name
 -orig-id: len
 type: u4
+ valid:
+ min: 1
 - id: name
 type: str
- encoding: ascii
- size: length
+ size: len_name
 - id: stype
 type: u4
 - id: ttype
@@ -975,26 +977,27 @@ types:
 filename_trans_item:
 doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L2756 filename_trans_read_one
 seq:
- - id: length
+ - id: len_name
 -orig-id: len
 type: u4
+ valid:
+ min: 1
 - id: name
 type: str
- encoding: ascii
- size: length
+ size: len_name
 - id: ttype
 type: u4
 - id: tclass
 type: u4
- - id: count
+ - id: num_items
 -orig-id: ndatum
 type: u4
 valid:
 min: 1
- - id: item
+ - id: items
 type: filename_trans_item_item
 repeat: expr
- repeat-expr: count
+ repeat-expr: num_items
 filename_trans_item_item:
 seq:
@@ -1006,13 +1009,12 @@ types:
 avrule_block:
 doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L4030 avrule_block_read
 seq:
- - id: count
- -orig-id: num_blocks
+ - id: num_blocks
 type: u4
- - id: avrule_block_item
+ - id: avrule_block_items
 type: avrule_block_item
 repeat: expr
- repeat-expr: count
+ repeat-expr: num_blocks
 avrule_block_item:
 seq:
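Review bot: `items_32` / `items_33` in the `@@ -938` hunk read as bit widths, whereas the split is on policy version (`_root.version < 33` vs `>= 33`) and the readers named in the two doc-refs are `filename_trans_read_one_compat` and `filename_trans_read_one`; `items_compat` and `items` (or `items_v32` / `items_v33`) would carry that meaning and match the `_old` suffix this commit uses for `access_vectors_old` in the L73 hunk. A one-line `doc:` on the type saying `# version 33 changed the on-disk layout; older policies use the compat record` would spare the next reader the libsepol lookup. Both `filename_trans_*` types in this hunk are fully visible.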
@@ -1022,7 +1024,6 @@ types:
 type: avrule_decl
 repeat: expr
 repeat-expr: num_decls
- if: num_decls > 0
 avrule_decl:
 doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L3980 avrule_decl_read
@@ -1056,13 +1057,13 @@ types:
 role_trans_rule:
 doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L3749 role_trans_rule_read
 seq:
- - id: elements_count
+ - id: num_elements
 -orig-id: nel
 type: u4
- - id: item
+ - id: items
 type: role_trans_rule_item
 repeat: expr
- repeat-expr: elements_count
+ repeat-expr: num_elements
 role_trans_rule_item:
 seq:
@@ -1079,13 +1080,13 @@ types:
 role_allow_rule:
 doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L3801 role_allow_rule_read
 seq:
- - id: elements_count
+ - id: num_elements
 -orig-id: nel
 type: u4
- - id: role_allow_rule_item
+ - id: role_allow_rule_items
 type: common
 repeat: expr
- repeat-expr: elements_count
+ repeat-expr: num_elements
 role_allow_rule_item:
 seq:
@@ -1097,24 +1098,23 @@ types:
 filename_trans_rule:
 doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L3837 filename_trans_rule_read
 seq:
- - id: count
+ - id: num_items
 type: u4
- - id: item
+ - id: items
 type: filename_trans_rule_item
 repeat: expr
- repeat-expr: count
+ repeat-expr: num_items
 filename_trans_rule_item:
 seq:
- - id: length
+ - id: len_name
 -orig-id: len
 type: u4
 valid:
 min: 1
 - id: name
 type: str
- encoding: ascii
- size: length
+ size: len_name
 - id: stypes
 type: type_set
 - id: ttypes
@@ -1131,13 +1131,13 @@ types:
 range_trans_rule:
 doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L3903 range_trans_rule_read
 seq:
- - id: count
+ - id: num_items
 -orig-id: nel
 type: u4
- - id: item
+ - id: items
 type: range_trans_rule_item
 repeat: expr
- repeat-expr: count
+ repeat-expr: num_items
 range_trans_rule_item:
 seq:
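Review bot: In the `@@ -1079` hunk the renamed `role_allow_rule_items` list still has `type: common`, although a `role_allow_rule_item` type is declared directly below it and, from what is visible here, nothing refers to it; either the list should be `type: role_allow_rule_item` or the unused type should be removed, and a rename that touches this very entry was the moment to settle it. In the `@@ -1097` hunk `num_items` of `filename_trans_rule` is the only count in this commit without a `-orig-id`, so the libsepol variable it maps to should be recorded the way `range_trans_rule` just below records `nel`.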
@@ -1153,92 +1153,92 @@ types:
 scope_index:
 doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L3945 scope_index_read
 seq:
- - id: scope
+ - id: scopes
 type: extensible_bitmap
 repeat: expr
- repeat-expr: _root.header.symbols_count
+ repeat-expr: _root.num_symbols
- - id: class_perms_len
+ - id: num_maps
 type: u4
 valid:
 min: 0
- - id: class_perms_map
+ - id: class_perms_maps
 type: extensible_bitmap
 repeat: expr
- repeat-expr: class_perms_len
+ repeat-expr: num_maps
 scope_list:
 seq:
- - id: elements_count
+ - id: num_elements
 -orig-id: nel
 type: u4
- - id: scope
+ - id: scopes
 type: scope
 repeat: expr
- repeat-expr: elements_count
+ repeat-expr: num_elements
 scope:
 doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L4108 scope_read
 seq:
- - id: length
+ - id: len_key
 -orig-id: len
 type: u4
 valid:
 min: 1
 - id: key
 type: str
- encoding: ascii
- size: length
+ size: len_key
 - id: scope
 type: u4
- - id: decl_ids_len
+ - id: num_ids
+ -orig-id: decl_ids_len
 type: u4
 valid:
 min: 1
- - id: decl_id
+ - id: decl_ids
 type: u4
 repeat: expr
- repeat-expr: decl_ids_len
+ repeat-expr: num_ids
 ocontext_selinux:
 doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L2983 ocontext_read_selinux
 seq:
 - id: initial_sids
 type: initial_sids
- if: '_root.header.object_contexts_count >= 1'
+ if: '_root.object_contexts_count >= 1'
 - id: filesystems
 type: filesystems
- if: '_root.header.object_contexts_count >= 2'
+ if: '_root.object_contexts_count >= 2'
 - id: ports
 type: ports
- if: '_root.header.object_contexts_count >= 3'
+ if: '_root.object_contexts_count >= 3'
 - id: network_interfaces
 type: filesystems # same
- if: '_root.header.object_contexts_count >= 4'
+ if: '_root.object_contexts_count >= 4'
 - id: nodes
 type: nodes
- if: '_root.header.object_contexts_count >= 5'
+ if: '_root.object_contexts_count >= 5'
 - id: fsuses
 type: fsuses
- if: '_root.header.object_contexts_count >= 6'
+ if: '_root.object_contexts_count >= 6'
 - id: nodes6
 type: nodes6
- if: '_root.header.object_contexts_count >= 7'
+ if: '_root.object_contexts_count >= 7'
 - id: ibpkeys
 type: ibpkeys
- if: '_root.header.object_contexts_count >= 8'
+ if: '_root.object_contexts_count >= 8'
 - id: ibpendports
 type: ibpendports
- if: '_root.header.object_contexts_count >= 9'
+ if: '_root.object_contexts_count >= 9'
 initial_sids:
 seq:
- - id: elements_count
+ - id: num_elements
 -orig-id: nel
 type: u4
- - id: initial_sid
+ - id: initial_sids
 type: initial_sid
 repeat: expr
- repeat-expr: elements_count
+ repeat-expr: num_elements
 initial_sid:
 seq:
@@ -1249,25 +1249,24 @@ types:
 filesystems:
 seq:
- - id: elements_count
+ - id: num_elements
 -orig-id: nel
 type: u4
- - id: filesystem
+ - id: filesystems
 type: filesystem
 repeat: expr
- repeat-expr: elements_count
+ repeat-expr: num_elements
 filesystem:
 seq:
- - id: length
+ - id: len_key
 -orig-id: len
 type: u4
 valid:
 min: 1
 - id: key
 type: str
- encoding: ascii
- size: length
+ size: len_key
 - id: context0
 type: context
 - id: context1
@@ -1275,13 +1274,13 @@ types:
 ports:
 seq:
- - id: elements_count
+ - id: num_elements
 -orig-id: nel
 type: u4
- - id: port
+ - id: ports
 type: port
 repeat: expr
- repeat-expr: elements_count
+ repeat-expr: num_elements
 port:
 seq:
@@ -1296,13 +1295,13 @@ types:
 nodes:
 seq:
- - id: elements_count
+ - id: num_elements
 -orig-id: nel
 type: u4
- - id: node
+ - id: nodes
 type: node
 repeat: expr
- repeat-expr: elements_count
+ repeat-expr: num_elements
 node:
 seq:
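Review bot: `num_maps` in `scope_index` keeps `valid: min: 0`, which is vacuous on a `u4` and only adds a never-failing check to the generated parser; either drop the `valid:` block or give it a real bound such as the class count the bitmaps are indexed by. `_root.num_symbols` and `_root.object_contexts_count` replace the former `_root.header.*` paths throughout the `@@ -1153` hunk (and the L81 hunk), but the root instances they rely on are not defined in any visible hunk — presumably added earlier in the patch; if `num_symbols` is just an alias for the header's `sym_num`, a `doc:` on that instance saying so would save the next reader the lookup. The `@@ -1153` hunk is fully visible across L78–L79.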
@@ -1315,47 +1314,48 @@ types:
 fsuses:
 seq:
- - id: elements_count
+ - id: num_elements
 -orig-id: nel
 type: u4
- - id: fsuse
+ - id: fsuses
 type: fsuse
 repeat: expr
- repeat-expr: elements_count
+ repeat-expr: num_elements
 fsuse:
 seq:
 - id: behavior
 type: u4
- - id: length
+ - id: len_name
 -orig-id: len
 type: u4
 valid:
 min: 1
 - id: name
 type: str
- encoding: ascii
- size: length
+ size: len_name
 - id: context
 type: context
 nodes6:
 seq:
- - id: elements_count
+ - id: num_elements
 -orig-id: nel
 type: u4
- - id: node6
+ - id: nodes6
 type: node6
 repeat: expr
- repeat-expr: elements_count
+ repeat-expr: num_elements
 node6:
 seq:
- - id: addr
+ - id: addresses
+ -orig-id: addr
 type: u4
 repeat: expr
 repeat-expr: 4
- - id: mask
+ - id: masks
+ -orig-id: mask
 type: u4
 repeat: expr
 repeat-expr: 4
@@ -1364,13 +1364,13 @@ types:
 ibpkeys:
 seq:
- - id: elements_count
+ - id: num_elements
 -orig-id: nel
 type: u4
- - id: ibpkey
+ - id: ibpkeys
 type: ibpkey
 repeat: expr
- repeat-expr: elements_count
+ repeat-expr: num_elements
 ibpkey:
 seq:
@@ -1383,27 +1383,27 @@ types:
 ibpendports:
 seq:
- - id: elements_count
+ - id: num_elements
 -orig-id: nel
 type: u4
- - id: ibpendport
+ - id: ibpendports
 type: ibpendport
 repeat: expr
- repeat-expr: elements_count
+ repeat-expr: num_elements
 ibpendport:
 seq:
- - id: length
+ - id: len_name
 -orig-id: len
 type: u4
 valid:
 min: 1
 - id: port
 type: u4
- - id: dev_name
+ - id: name
+ -orig-id: dev_name
 type: str
- encoding: ascii
- size: length
+ size: len_name
 - id: context
 type: context
@@ -1413,32 +1413,32 @@ types:
 seq:
 - id: xen_isids
 type: xen_isids
- if: '_root.header.object_contexts_count >= 1'
+ if: '_root.object_contexts_count >= 1'
 - id: xen_pirqs
 type: xen_pirqs
- if: '_root.header.object_contexts_count >= 2'
+ if: '_root.object_contexts_count >= 2'
 - id: xen_ioports
 type: xen_ioports
- if: '_root.header.object_contexts_count >= 3'
+ if: '_root.object_contexts_count >= 3'
 - id: xen_iomems
 type: xen_iomems
- if: '_root.header.object_contexts_count >= 4'
+ if: '_root.object_contexts_count >= 4'
 - id: xen_pcidevices
 type: xen_pcidevices
- if: '_root.header.object_contexts_count >= 5'
+ if: '_root.object_contexts_count >= 5'
 - id: xen_devicetrees
 type: xen_devicetrees
- if: '_root.header.object_contexts_count >= 6'
+ if: '_root.object_contexts_count >= 6'
 xen_isids:
 seq:
- - id: elements_count
+ - id: num_elements
 -orig-id: nel
 type: u4
- - id: xen_isid
+ - id: xen_isids
 type: xen_isid
 repeat: expr
- repeat-expr: elements_count
+ repeat-expr: num_elements
 xen_isid:
 seq:
@@ -1449,13 +1449,13 @@ types:
 xen_pirqs:
 seq:
- - id: elements_count
+ - id: num_elements
 -orig-id: nel
 type: u4
- - id: xen_pirq
+ - id: xen_pirqs
 type: xen_pirq
 repeat: expr
- repeat-expr: elements_count
+ repeat-expr: num_elements
 xen_pirq:
 seq:
@@ -1466,13 +1466,13 @@ types:
 xen_ioports:
 seq:
- - id: elements_count
+ - id: num_elements
 -orig-id: nel
 type: u4
- - id: xen_ioport
+ - id: xen_ioports
 type: xen_ioport
 repeat: expr
- repeat-expr: elements_count
+ repeat-expr: num_elements
 xen_ioport:
 seq:
@@ -1485,13 +1485,13 @@ types:
 xen_iomems:
 seq:
- - id: elements_count
+ - id: num_elements
 -orig-id: nel
 type: u4
- - id: xen_iomem
+ - id: xen_iomems
 type: xen_iomem
 repeat: expr
- repeat-expr: elements_count
+ repeat-expr: num_elements
 xen_iomem:
 seq:
@@ -1512,13 +1512,13 @@ types:
 xen_pcidevices:
 seq:
- - id: elements_count
+ - id: num_elements
 -orig-id: nel
 type: u4
- - id: xen_pcidevice
+ - id: xen_pcidevices
 type: xen_pcidevice
 repeat: expr
- repeat-expr: elements_count
+ repeat-expr: num_elements
 xen_pcidevice:
 seq:
@@ -1530,69 +1530,66 @@ types:
 xen_devicetrees:
 seq:
- - id: elements_count
+ - id: num_elements
 -orig-id: nel
 type: u4
- - id: xen_devicetree
+ - id: xen_devicetrees
 type: xen_devicetree
 repeat: expr
- repeat-expr: elements_count
+ repeat-expr: num_elements
 xen_devicetree:
 seq:
- - id: length
+ - id: len_name
 -orig-id: len
 type: u4
 valid:
 min: 1
 - id: name
 type: str
- encoding: ascii
- size: length
+ size: len_name
 - id: context0
 type: context
 genfs:
 doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.c#L3180 genfs_read
 seq:
- - id: elements_count
+ - id: num_elements
 -orig-id: nel
 type: u4
 - id: items
 type: genfs_item
 repeat: expr
- repeat-expr: elements_count
+ repeat-expr: num_elements
 genfs_item:
 seq:
- - id: length
+ - id: len_fstype
 -orig-id: len
 type: u4
 valid:
 min: 1
 - id: fstype
 type: str
- encoding: ascii
- size: length
- - id: elements_count
+ size: len_fstype
+ - id: num_elements
 -orig-id: nel2
 type: u4
 - id: items
 type: genfs2_item
 repeat: expr
- repeat-expr: elements_count
+ repeat-expr: num_elements
 genfs2_item:
 seq:
- - id: length
+ - id: len_name
 -orig-id: len
 type: u4
 valid:
 min: 1
 - id: name
 type: str
- encoding: ascii
- size: length
+ size: len_name
 - id: sclass
 type: u4
 - id: context0
@@ -1601,13 +1598,13 @@ types:
 range:
 doc-ref: https://github.com/SELinuxProject/selinux/blob/820f019e/libsepol/src/policydb.#L3620 range_read
 seq:
- - id: elements_count
+ - id: num_elements
 -orig-id: nel
 type: u4
 - id: items
 type: range_item
 repeat: expr
- repeat-expr: elements_count
+ repeat-expr: num_elements
 range_item:
 seq:
@@ -1617,6 +1614,6 @@ types:
 type: u4
 - id: target_class
 type: u4
- if: '_root.type == policy_types::kernel and _root.version >= 21'
+ if: '_root.type_ == policy_types::kernel and _root.version >= 21'
 - id: range_tr
 type: mls_range
diff --git a/security/selinux_policy_package.ksy b/security/selinux_policy_package.ksy
index 68bf89b15..531c018b5 100644
--- a/security/selinux_policy_package.ksy
+++ b/security/selinux_policy_package.ksy
@@ -14,24 +14,24 @@ seq:
 contents: [0x8f, 0xff, 0x7c, 0xf9]
 - id: version # module_package_read_offsets
 type: u4
- - id: sections_count
+ - id: num_sections
 -orig-id: nsec
 type: u4
- - id: section
+ - id: sections
 type: section
 repeat: expr
- repeat-expr: sections_count
+ repeat-expr: num_sections
 types:
 section:
 seq:
- - id: offset
+ - id: ofs_section
 -orig-id: off
 type: u4
 instances:
 section_magic:
 io: _root._io
- pos: offset
+ pos: ofs_section
 type: u4
 enum: section_magics
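Review bot: In the `selinux_policy_package.ksy` hunk, `section_magic` seeks to `ofs_section`, a u4 taken straight from the file, with nothing but the implicit end-of-stream error as a guard; since the package header is the first thing any loader parses, a `valid: expr: '_ + 4 <= _root._io.size'` on `ofs_section` would turn a truncated or corrupt offset into a validation failure at the field that is wrong instead of an EOF error raised inside the instance. If a later patch in the series reads a whole section from that offset, the bound should cover the section length as well, but that is not visible here. The `seq` this hunk belongs to begins before the hunk.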