From: "Christian Göttsche" <cgzones@googlemail.com>
To: selinux@vger.kernel.org
Subject: [PATCH] sepolgen: adjust parse for refpolicy
Date: Thu, 22 Feb 2024 20:31:12 +0100 [thread overview]
Message-ID: <20240222193117.17539-1-cgzones@googlemail.com> (raw)
Currently sepolgen fails to parse the reference policy:
Parsing interface files:
%--10---20---30---40---50---60---70---80---90--100
#############/tmp/destdir/usr/share/selinux/refpolicy/include/kernel/kernel.if: Syntax error on line 1737 - [type=MINUS]
/tmp/destdir/usr/share/selinux/refpolicy/include/kernel/kernel.if: Syntax error on line 1755 - [type=MINUS]
error parsing file /tmp/destdir/usr/share/selinux/refpolicy/include/kernel/kernel.if: could not parse text: "/tmp/destdir/usr/share/selinux/refpolicy/include/kernel/kernel.if: Syntax error on line 1755 - [type=MINUS]"
/tmp/destdir/usr/share/selinux/refpolicy/include/kernel/selinux.if: Syntax error on line 43 - [type=MINUS]
error parsing file /tmp/destdir/usr/share/selinux/refpolicy/include/kernel/selinux.if: could not parse text: "/tmp/destdir/usr/share/selinux/refpolicy/include/kernel/selinux.if: Syntax error on line 43 - [type=MINUS]"
############################/tmp/destdir/usr/share/selinux/refpolicy/include/services/ssh.if: Syntax error on line 183 $1_port_forwarding [type=IDENTIFIER]
/tmp/destdir/usr/share/selinux/refpolicy/include/services/ssh.if: Syntax error on line 293 ' [type=SQUOTE]
error parsing file /tmp/destdir/usr/share/selinux/refpolicy/include/services/ssh.if: could not parse text: "/tmp/destdir/usr/share/selinux/refpolicy/include/services/ssh.if: Syntax error on line 293 ' [type=SQUOTE]"
######/tmp/destdir/usr/share/selinux/refpolicy/include/system/init.if: Syntax error on line 2137 true [type=TRUE]
/tmp/destdir/usr/share/selinux/refpolicy/include/system/init.if: Syntax error on line 2148 ' [type=SQUOTE]
/tmp/destdir/usr/share/selinux/refpolicy/include/system/init.if: Syntax error on line 2152 ' [type=SQUOTE]
/tmp/destdir/usr/share/selinux/refpolicy/include/system/init.if: Syntax error on line 2163 ' [type=SQUOTE]
/tmp/destdir/usr/share/selinux/refpolicy/include/system/init.if: Syntax error on line 2167 ' [type=SQUOTE]
error parsing file /tmp/destdir/usr/share/selinux/refpolicy/include/system/init.if: could not parse text: "/tmp/destdir/usr/share/selinux/refpolicy/include/system/init.if: Syntax error on line 2167 ' [type=SQUOTE]"
##failed to parse some headers: /tmp/destdir/usr/share/selinux/refpolicy/include/kernel/kernel.if, /tmp/destdir/usr/share/selinux/refpolicy/include/kernel/selinux.if, /tmp/destdir/usr/share/selinux/refpolicy/include/services/ssh.if, /tmp/destdir/usr/share/selinux/refpolicy/include/system/init.if
Missing interface definition for init_startstop_service
Missing interface definition for init_startstop_service
...
Accept chained ifelse blocks, genfscon statements with file specifiers,
and booleans with unquoted identifiers.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
python/sepolgen/src/sepolgen/refparser.py | 74 +++++++++++++++++------
python/sepolgen/src/sepolgen/refpolicy.py | 8 +++
2 files changed, 65 insertions(+), 17 deletions(-)
diff --git a/python/sepolgen/src/sepolgen/refparser.py b/python/sepolgen/src/sepolgen/refparser.py
index 1bb90564..e261d3f7 100644
--- a/python/sepolgen/src/sepolgen/refparser.py
+++ b/python/sepolgen/src/sepolgen/refparser.py
@@ -418,19 +418,41 @@ def p_tunable_policy(p):
collect(p[12], x, val=False)
p[0] = [x]
-def p_ifelse(p):
- '''ifelse : IFELSE OPAREN TICK IDENTIFIER SQUOTE COMMA COMMA TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
- | IFELSE OPAREN TICK IDENTIFIER SQUOTE COMMA TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
- | IFELSE OPAREN TICK IDENTIFIER SQUOTE COMMA TICK SQUOTE COMMA TICK interface_stmts SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
+def p_ifelse_compare_value(p):
+ '''ifelse_compare_value : TICK IDENTIFIER SQUOTE
+ | TICK TRUE SQUOTE
+ | TICK FALSE SQUOTE
+ | TICK SQUOTE
+ | empty
'''
-# x = refpolicy.IfDef(p[4])
-# v = True
-# collect(p[8], x, val=v)
-# if len(p) > 12:
-# collect(p[12], x, val=False)
-# p[0] = [x]
- pass
+ if len(p) == 4:
+ p[0] = p[2]
+ else:
+ p[0] = None
+
+def p_ifelse_section(p):
+ '''ifelse_section : TICK IDENTIFIER SQUOTE COMMA ifelse_compare_value COMMA TICK interface_stmts SQUOTE
+ '''
+ x = refpolicy.IfElse(p[2])
+ collect(p[8], x, val=True)
+ p[0] = [x]
+
+def p_ifelse_sections(p):
+ '''ifelse_sections : ifelse_sections COMMA ifelse_section
+ | ifelse_section
+ '''
+ if len(p) == 4:
+ p[0] = p[1] + p[3]
+ else:
+ p[0] = p[1]
+def p_ifelse(p):
+ '''ifelse : IFELSE OPAREN ifelse_sections COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
+ '''
+ x = refpolicy.IfElse(p[3])
+ collect(p[3], x, val=True)
+ collect(p[6], x, val=False)
+ p[0] = [x]
def p_ifdef(p):
'''ifdef : IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK statements SQUOTE CPAREN optional_semi
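Review bot: `p_ifelse` constructs the enclosing node as `refpolicy.IfElse(p[3])`, but `p[3]` is the `ifelse_sections` result — a list of `IfElse` nodes, since `p_ifelse_section` returns `[x]` and `p_ifelse_sections` concatenates — so the outer node's `name` is a list rather than an identifier and `IfElse.to_string` would print a list repr for it. The value produced by `ifelse_compare_value` (`p[5]` in `p_ifelse_section`) is computed but never stored, so a section records which identifier is compared but not what it is compared against; whether downstream code needs that is not visible here. I would build the wrapper without a name, `x = refpolicy.IfElse()`, or give it the first section's identifier, and keep the comparison value on the section node if `IfElse` gains a field for it. Separately, there is no blank line between `p_ifelse_sections` and `p_ifelse`, unlike the other new definitions in this hunk.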
@@ -460,6 +482,7 @@ def p_interface_call(p):
def p_interface_call_param(p):
'''interface_call_param : IDENTIFIER
| IDENTIFIER MINUS IDENTIFIER
+ | MINUS IDENTIFIER
| nested_id_set
| TRUE
| FALSE
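Review bot: The new `MINUS IDENTIFIER` alternative produces a bare string, `"-" + p[2]` (the action is in the next hunk, the `elif len(p) == 3` branch), whereas the existing `IDENTIFIER MINUS IDENTIFIER` form returns a list; the comment in that action says a list means a set and a non-list an identifier, so a lone negated parameter now reaches callers as an identifier whose name begins with `-`. Any consumer that branches on `isinstance(param, list)` would treat `-foo` as a plain type name; the callers are not visible here, so this may be acceptable, but returning `["-" + p[2]]` would keep negations uniformly inside the set form. At minimum a comment on the new branch, `# lone negated identifier, encoded like the second element of the set form`, should record the choice.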
@@ -469,6 +492,8 @@ def p_interface_call_param(p):
# List means set, non-list identifier
if len(p) == 2:
p[0] = p[1]
+ elif len(p) == 3:
+ p[0] = "-" + p[2]
else:
p[0] = [p[1], "-" + p[3]]
@@ -558,6 +583,8 @@ def p_requires(p):
| requires require
| ifdef
| requires ifdef
+ | ifelse
+ | requires ifelse
'''
pass
@@ -609,12 +636,17 @@ def p_initial_sid(p):
p[0] = s
def p_genfscon(p):
- '''genfscon : GENFSCON IDENTIFIER PATH context'''
-
+ '''genfscon : GENFSCON IDENTIFIER PATH context
+ | GENFSCON IDENTIFIER PATH MINUS IDENTIFIER context
+ | GENFSCON IDENTIFIER PATH MINUS MINUS context
+ '''
g = refpolicy.GenfsCon()
g.filesystem = p[2]
g.path = p[3]
- g.context = p[4]
+ if len(p) == 5:
+ g.context = p[4]
+ else:
+ g.context = p[6]
p[0] = g
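Review bot: The file-type specifier accepted by the two new `genfscon` alternatives (`MINUS IDENTIFIER` and `MINUS MINUS`) is discarded: only `p[6]` is assigned to `g.context` and `p[4]`/`p[5]` are never read, so the resulting `GenfsCon` node is indistinguishable from an unqualified statement that applies to every file type. If `refpolicy.GenfsCon` is ever rendered back to policy text this silently widens the rule; `GenfsCon` is not visible here, so if it has no field for the qualifier, adding one (e.g. set a new attribute to `"-" + p[5]` for the identifier form and `"--"` for the double-minus form) is the fix, otherwise a comment `# file type specifier (p[4:6]) is parsed but not retained` should mark the loss. The `len(p) == 5` test distinguishes the forms correctly, as both qualified alternatives place the context at `p[6]`.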
@@ -848,11 +880,19 @@ def p_bool(p):
p[0] = b
def p_gen_tunable(p):
- '''gen_tunable : GEN_TUNABLE OPAREN TICK IDENTIFIER SQUOTE COMMA TRUE CPAREN
+ '''gen_tunable : GEN_TUNABLE OPAREN IDENTIFIER COMMA TRUE CPAREN
+ | GEN_TUNABLE OPAREN IDENTIFIER COMMA FALSE CPAREN
+ | GEN_TUNABLE OPAREN TICK IDENTIFIER SQUOTE COMMA TRUE CPAREN
| GEN_TUNABLE OPAREN TICK IDENTIFIER SQUOTE COMMA FALSE CPAREN'''
b = refpolicy.Bool()
- b.name = p[4]
- if p[7] == "true":
+ if len(p) == 7:
+ id_pos = 3
+ state_pos = 5
+ else:
+ id_pos = 4
+ state_pos = 7
+ b.name = p[id_pos]
+ if p[state_pos] == "true":
b.state = True
else:
b.state = False
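Review bot: The position bookkeeping in `p_gen_tunable` (`id_pos`/`state_pos` followed by an if/else that sets `b.state` from a string compare) could be written in two lines, `b.name, state = (p[3], p[5]) if len(p) == 7 else (p[4], p[7])` and `b.state = state == "true"`, which keeps the unquoted/quoted distinction at a single point. The `len(p) == 7` test is correct for the six-symbol unquoted alternatives (`len(p)` is the symbol count plus one) and the quoted forms still read `p[4]`/`p[7]` as before. The comparison against the literal `"true"` relies on the TRUE token value being the lowercase source text, as the pre-existing code already did.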
diff --git a/python/sepolgen/src/sepolgen/refpolicy.py b/python/sepolgen/src/sepolgen/refpolicy.py
index 9cac1b95..f139dde4 100644
--- a/python/sepolgen/src/sepolgen/refpolicy.py
+++ b/python/sepolgen/src/sepolgen/refpolicy.py
@@ -899,6 +899,14 @@ class IfDef(Node):
def to_string(self):
return "[Ifdef name: %s]" % self.name
+class IfElse(Node):
+ def __init__(self, name="", parent=None):
+ Node.__init__(self, parent)
+ self.name = name
+
+ def to_string(self):
+ return "[Ifelse name: %s]" % self.name
+
class InterfaceCall(Leaf):
def __init__(self, ifname="", parent=None):
Leaf.__init__(self, parent)
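Review bot: `IfElse` has no docstring stating what `name` holds, and the parser in refparser.py constructs it with two different things — the compared identifier for each section and the list of section nodes for the enclosing block — so `to_string` will print a list repr for the outer node. A class docstring such as `"""An m4 ifelse() block; name is the identifier being compared and the children are the statements of that branch."""` would pin the intended contract. Since the class body is identical to `IfDef` apart from the label, a shared base or a class-level label attribute would avoid the duplication, though mirroring `IfDef` is consistent with the rest of the file.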
--
2.43.0