Message ID | 20200528125128.26915-1-cgzones@googlemail.com (mailing list archive) |
---|---|
State | Superseded |
Series | [v2,1/3] sepolgen: parse gen_tunable as bool |
On Thu, May 28, 2020 at 8:52 AM Christian Göttsche <cgzones@googlemail.com> wrote: > > Currently sepolgen-ifgen parses a gen_tunable statement as interface > and reports in verbose mode: > > Missing interface definition for gen_tunable > > Add grammar for gen_tunable statements in the refparser > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> > --- > python/sepolgen/src/sepolgen/refparser.py | 14 ++++++++++++++ > 1 file changed, 14 insertions(+) > > diff --git a/python/sepolgen/src/sepolgen/refparser.py b/python/sepolgen/src/sepolgen/refparser.py > index 2e521a0f..f3e0ae87 100644 > --- a/python/sepolgen/src/sepolgen/refparser.py > +++ b/python/sepolgen/src/sepolgen/refparser.py > @@ -126,6 +126,7 @@ tokens = ( > 'GEN_REQ', > 'TEMPLATE', > 'GEN_CONTEXT', > + 'GEN_TUNABLE', > # m4 > 'IFELSE', > 'IFDEF', > @@ -192,6 +193,7 @@ reserved = { > 'gen_require' : 'GEN_REQ', > 'template' : 'TEMPLATE', > 'gen_context' : 'GEN_CONTEXT', > + 'gen_tunable' : 'GEN_TUNABLE', > # M4 > 'ifelse' : 'IFELSE', > 'ifndef' : 'IFNDEF', > @@ -518,6 +520,7 @@ def p_policy_stmt(p): > | range_transition_def > | role_transition_def > | bool > + | gen_tunable > | define > | initial_sid > | genfscon > @@ -844,6 +847,17 @@ def p_bool(p): > b.state = False > p[0] = b > > +def p_gen_tunable(p): > + '''gen_tunable : GEN_TUNABLE OPAREN TICK IDENTIFIER SQUOTE COMMA TRUE CPAREN > + | GEN_TUNABLE OPAREN TICK IDENTIFIER SQUOTE COMMA FALSE CPAREN''' Looks like you need to also support the case where no quoting is performed. Otherwise, I still see syntax errors, e.g. /usr/share/selinux/refpolicy/include/services/apache.if: Syntax error on line 35 allow_httpd_$1_script_anon_write [type=IDENTIFIER] 35: gen_tunable(allow_httpd_$1_script_anon_write, false)
On Thu, May 28, 2020 at 16:23, Stephen Smalley <stephen.smalley.work@gmail.com> wrote: > > On Thu, May 28, 2020 at 8:52 AM Christian Göttsche > <cgzones@googlemail.com> wrote: > > > > Currently sepolgen-ifgen parses a gen_tunable statement as interface > > and reports in verbose mode: > > > > Missing interface definition for gen_tunable > > > > Add grammar for gen_tunable statements in the refparser > > > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> > > --- > > python/sepolgen/src/sepolgen/refparser.py | 14 ++++++++++++++ > > 1 file changed, 14 insertions(+) > > > > diff --git a/python/sepolgen/src/sepolgen/refparser.py b/python/sepolgen/src/sepolgen/refparser.py > > index 2e521a0f..f3e0ae87 100644 > > --- a/python/sepolgen/src/sepolgen/refparser.py > > +++ b/python/sepolgen/src/sepolgen/refparser.py > > @@ -126,6 +126,7 @@ tokens = ( > > 'GEN_REQ', > > 'TEMPLATE', > > 'GEN_CONTEXT', > > + 'GEN_TUNABLE', > > # m4 > > 'IFELSE', > > 'IFDEF', > > @@ -192,6 +193,7 @@ reserved = { > > 'gen_require' : 'GEN_REQ', > > 'template' : 'TEMPLATE', > > 'gen_context' : 'GEN_CONTEXT', > > + 'gen_tunable' : 'GEN_TUNABLE', > > # M4 > > 'ifelse' : 'IFELSE', > > 'ifndef' : 'IFNDEF', > > @@ -518,6 +520,7 @@ def p_policy_stmt(p): > > | range_transition_def > > | role_transition_def > > | bool > > + | gen_tunable > > | define > > | initial_sid > > | genfscon 
> > @@ -844,6 +847,17 @@ def p_bool(p): > > b.state = False > > p[0] = b > > > > +def p_gen_tunable(p): > > + '''gen_tunable : GEN_TUNABLE OPAREN TICK IDENTIFIER SQUOTE COMMA TRUE CPAREN > > + | GEN_TUNABLE OPAREN TICK IDENTIFIER SQUOTE COMMA FALSE CPAREN''' > > Looks like you need to also support the case where no quoting is > performed. Otherwise, I still see syntax errors, e.g. > /usr/share/selinux/refpolicy/include/services/apache.if: Syntax error > on line 35 allow_httpd_$1_script_anon_write [type=IDENTIFIER] > > 35: gen_tunable(allow_httpd_$1_script_anon_write, false) I tried to avoid that by modifying Refpolicy[1], but I can include the additional grammar. [1]: https://github.com/SELinuxProject/refpolicy/pull/201
On Thu, May 28, 2020 at 10:52 AM Christian Göttsche <cgzones@googlemail.com> wrote:
>
> On Thu, May 28, 2020 at 16:23, Stephen Smalley
> <stephen.smalley.work@gmail.com> wrote:
> > Looks like you need to also support the case where no quoting is
> > performed. Otherwise, I still see syntax errors, e.g.
> > /usr/share/selinux/refpolicy/include/services/apache.if: Syntax error
> > on line 35 allow_httpd_$1_script_anon_write [type=IDENTIFIER]
> >
> > 35: gen_tunable(allow_httpd_$1_script_anon_write, false)
>
> I tried to avoid that by modifying Refpolicy[1], but I can include the
> additional grammar.
>
>
> [1]: https://github.com/SELinuxProject/refpolicy/pull/201

Looks like your refpolicy pull request was merged so I guess we can take this one as is if we don't care about fixing it for older refpolicy versions. The third patch in the series still needs to be reworked or dropped I think as per my comments there.

Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
diff --git a/python/sepolgen/src/sepolgen/refparser.py b/python/sepolgen/src/sepolgen/refparser.py index 2e521a0f..f3e0ae87 100644 --- a/python/sepolgen/src/sepolgen/refparser.py +++ b/python/sepolgen/src/sepolgen/refparser.py @@ -126,6 +126,7 @@ tokens = ( 'GEN_REQ', 'TEMPLATE', 'GEN_CONTEXT', + 'GEN_TUNABLE', # m4 'IFELSE', 'IFDEF', @@ -192,6 +193,7 @@ reserved = { 'gen_require' : 'GEN_REQ', 'template' : 'TEMPLATE', 'gen_context' : 'GEN_CONTEXT', + 'gen_tunable' : 'GEN_TUNABLE', # M4 'ifelse' : 'IFELSE', 'ifndef' : 'IFNDEF', @@ -518,6 +520,7 @@ def p_policy_stmt(p): | range_transition_def | role_transition_def | bool + | gen_tunable | define | initial_sid | genfscon @@ -844,6 +847,17 @@ def p_bool(p): b.state = False p[0] = b +def p_gen_tunable(p): + '''gen_tunable : GEN_TUNABLE OPAREN TICK IDENTIFIER SQUOTE COMMA TRUE CPAREN + | GEN_TUNABLE OPAREN TICK IDENTIFIER SQUOTE COMMA FALSE CPAREN''' + b = refpolicy.Bool() + b.name = p[4] + if p[7] == "true": + b.state = True + else: + b.state = False + p[0] = b + def p_conditional(p): ''' conditional : IF OPAREN cond_expr CPAREN OBRACE interface_stmts CBRACE | IF OPAREN cond_expr CPAREN OBRACE interface_stmts CBRACE ELSE OBRACE interface_stmts CBRACE
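Review bot: In the `reserved` hunk, mapping 'gen_tunable' to GEN_TUNABLE means the lexer no longer hands that word to the parser as an IDENTIFIER, so a gen_tunable statement can only be accepted by the new p_gen_tunable rule. Any spelling that rule does not list, such as the unquoted `gen_tunable(allow_httpd_$1_script_anon_write, false)` reported in the thread, is then reported as a syntax error. Either the rule should cover both spellings, or the commit message should state that only refpolicy trees with quoted tunable names are expected to parse cleanly.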
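Review bot: p_gen_tunable lists only the quoted form, `GEN_TUNABLE OPAREN TICK IDENTIFIER SQUOTE COMMA TRUE CPAREN` and its FALSE twin, so an unquoted name has no matching production. Adding alternatives with a bare IDENTIFIER would cover it, but the body could then no longer use fixed indices: the name would move from p[4] to p[3] and the state from p[7] to p[5], so split the rule into two functions or factor the name into a small helper nonterminal. The if/else can also be reduced to `b.state = (p[7] == "true")`, and a one-line comment saying that a tunable is deliberately recorded as a refpolicy.Bool, as the series title says, would help the next reader.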
Currently sepolgen-ifgen parses a gen_tunable statement as interface
and reports in verbose mode:

Missing interface definition for gen_tunable

Add grammar for gen_tunable statements in the refparser

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 python/sepolgen/src/sepolgen/refparser.py | 14 ++++++++++++++
 1 file changed, 14 insertions(+)