| Message ID | 20200412081001.23246-1-nicolas.iooss@m4x.org (mailing list archive) |
|---|---|
| State | Accepted |
| Headers | show |
| Series | [1/3] libselinux: add missing glue code to grab errno in Python bindings | expand |
On Sun, Apr 12, 2020 at 3:12 AM Nicolas Iooss <nicolas.iooss@m4x.org> wrote: > > The Python bindings for libselinux expose functions such as > avc_has_perm(), get_ordered_context_list(), etc. When these functions > encounter an error, they set errno accordingly and return a negative > value. In order to get the value of errno from Python code, it needs to > be "forwarded" in a way. This is achieved by glue code in > selinuxswig_python_exception.i, which implement raising an OSError > exception from the value of errno. > > selinuxswig_python_exception.i was only generating glue code from > functions declared in selinux.h and not in other headers. Add other > headers. > > selinuxswig_python_exception.i is generated by "bash exception.sh". Mark > the fact that exception.sh is a Bash script by adding a shebang. This > makes "shellcheck" not warn about the Bash array which is used to list > header files. > > Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org> > --- > libselinux/src/exception.sh | 18 +- > libselinux/src/selinuxswig_python_exception.i | 396 ++++++++++++++++++ > 2 files changed, 412 insertions(+), 2 deletions(-) > > diff --git a/libselinux/src/exception.sh b/libselinux/src/exception.sh > index 33ceef804af5..644c7a05ec54 100755 > --- a/libselinux/src/exception.sh > +++ b/libselinux/src/exception.sh > @@ -1,3 +1,5 @@ > +#!/bin/bash > + > function except() { > case $1 in > selinux_file_context_cmp) # ignore > @@ -15,10 +17,22 @@ echo " > ;; > esac > } > -if ! ${CC:-gcc} -x c -c -I../include -o temp.o - -aux-info temp.aux < ../include/selinux/selinux.h > + > +# Make sure that selinux.h is included first in order not to depend on the order > +# in which "#include <selinux/selinux.h>" appears in other files. > +FILE_LIST=( > + ../include/selinux/selinux.h > + ../include/selinux/avc.h > + ../include/selinux/context.h > + ../include/selinux/get_context_list.h > + ../include/selinux/get_default_type.h > + ../include/selinux/label.h > + ../include/selinux/restorecon.h > +) > +if ! cat "${FILE_LIST[@]}" | ${CC:-gcc} -x c -c -I../include -o temp.o - -aux-info temp.aux > then > # clang does not support -aux-info so fall back to gcc > - gcc -x c -c -I../include -o temp.o - -aux-info temp.aux < ../include/selinux/selinux.h > + cat "${FILE_LIST[@]}" | gcc -x c -c -I../include -o temp.o - -aux-info temp.aux > fi > for i in `awk '/<stdin>.*extern int/ { print $6 }' temp.aux`; do except $i ; done > rm -f -- temp.aux temp.o > diff --git a/libselinux/src/selinuxswig_python_exception.i b/libselinux/src/selinuxswig_python_exception.i > index cf6582595ee7..9f1f86a5564d 100644 > --- a/libselinux/src/selinuxswig_python_exception.i > +++ b/libselinux/src/selinuxswig_python_exception.i > @@ -952,3 +952,399 @@ > } > } > > + > +%exception avc_sid_to_context { > + $action > + if (result < 0) { > + PyErr_SetFromErrno(PyExc_OSError); > + SWIG_fail; > + } > +} > + > + > +%exception avc_sid_to_context_raw { > + $action > + if (result < 0) { > + PyErr_SetFromErrno(PyExc_OSError); > + SWIG_fail; > + } > +} > + > + > +%exception avc_context_to_sid { > + $action > + if (result < 0) { > + PyErr_SetFromErrno(PyExc_OSError); > + SWIG_fail; > + } > +} > + > + > +%exception avc_context_to_sid_raw { > + $action > + if (result < 0) { > + PyErr_SetFromErrno(PyExc_OSError); > + SWIG_fail; > + } > +} > + > + > +%exception sidget { > + $action > + if (result < 0) { > + PyErr_SetFromErrno(PyExc_OSError); > + SWIG_fail; > + } > +} > + > + > +%exception sidput { > + $action > + if (result < 0) { > + PyErr_SetFromErrno(PyExc_OSError); > + SWIG_fail; > + } > +} > + > + > +%exception avc_get_initial_sid { > + $action > + if (result < 0) { > + PyErr_SetFromErrno(PyExc_OSError); > + SWIG_fail; > + } > +} > + > + > +%exception avc_init { > + $action > + if (result < 0) { > + PyErr_SetFromErrno(PyExc_OSError); > + SWIG_fail; > + } > +} > + > + > +%exception avc_open { > + $action > + if (result < 0) { > + PyErr_SetFromErrno(PyExc_OSError); > + SWIG_fail; > + } > +} > + > + > +%exception avc_reset { > + $action > + if (result < 0) { > + PyErr_SetFromErrno(PyExc_OSError); > + SWIG_fail; > + } > +} > + > + > +%exception avc_has_perm_noaudit { > + $action > + if (result < 0) { > + PyErr_SetFromErrno(PyExc_OSError); > + SWIG_fail; > + } > +} > + > + > +%exception avc_has_perm { > + $action > + if (result < 0) { > + PyErr_SetFromErrno(PyExc_OSError); > + SWIG_fail; > + } > +} > + > + > +%exception avc_compute_create { > + $action > + if (result < 0) { > + PyErr_SetFromErrno(PyExc_OSError); > + SWIG_fail; > + } > +} > + > + > +%exception avc_compute_member { > + $action > + if (result < 0) { > + PyErr_SetFromErrno(PyExc_OSError); > + SWIG_fail; > + } > +} > + > + > +%exception avc_add_callback { > + $action > + if (result < 0) { > + PyErr_SetFromErrno(PyExc_OSError); > + SWIG_fail; > + } > +} > + > + > +%exception avc_netlink_open { > + $action > + if (result < 0) { > + PyErr_SetFromErrno(PyExc_OSError); > + SWIG_fail; > + } > +} > + > + > +%exception avc_netlink_acquire_fd { > + $action > + if (result < 0) { > + PyErr_SetFromErrno(PyExc_OSError); > + SWIG_fail; > + } > +} > + > + > +%exception avc_netlink_check_nb { > + $action > + if (result < 0) { > + PyErr_SetFromErrno(PyExc_OSError); > + SWIG_fail; > + } > +} > + > + > +%exception selinux_status_open { > + $action > + if (result < 0) { > + PyErr_SetFromErrno(PyExc_OSError); > + SWIG_fail; > + } > +} > + > + > +%exception selinux_status_updated { > + $action > + if (result < 0) { > + PyErr_SetFromErrno(PyExc_OSError); > + SWIG_fail; > + } > +} > + > + > +%exception selinux_status_getenforce { > + $action > + if (result < 0) { > + PyErr_SetFromErrno(PyExc_OSError); > + SWIG_fail; > + } > +} > + > + > +%exception selinux_status_policyload { > + $action > + if (result < 0) { > + PyErr_SetFromErrno(PyExc_OSError); > + SWIG_fail; > + } > +} > + > + > +%exception selinux_status_deny_unknown { > + $action > + if (result < 0) { > + PyErr_SetFromErrno(PyExc_OSError); > + SWIG_fail; > + } > +} > + > + > +%exception context_type_set { > + $action > + if (result < 0) { > + PyErr_SetFromErrno(PyExc_OSError); > + SWIG_fail; > + } > +} > + > + > +%exception context_range_set { > + $action > + if (result < 0) { > + PyErr_SetFromErrno(PyExc_OSError); > + SWIG_fail; > + } > +} > + > + > +%exception context_role_set { > + $action > + if (result < 0) { > + PyErr_SetFromErrno(PyExc_OSError); > + SWIG_fail; > + } > +} > + > + > +%exception context_user_set { > + $action > + if (result < 0) { > + PyErr_SetFromErrno(PyExc_OSError); > + SWIG_fail; > + } > +} > + > + > +%exception get_ordered_context_list { > + $action > + if (result < 0) { > + PyErr_SetFromErrno(PyExc_OSError); > + SWIG_fail; > + } > +} > + > + > +%exception get_ordered_context_list_with_level { > + $action > + if (result < 0) { > + PyErr_SetFromErrno(PyExc_OSError); > + SWIG_fail; > + } > +} > + > + > +%exception get_default_context { > + $action > + if (result < 0) { > + PyErr_SetFromErrno(PyExc_OSError); > + SWIG_fail; > + } > +} > + > + > +%exception get_default_context_with_level { > + $action > + if (result < 0) { > + PyErr_SetFromErrno(PyExc_OSError); > + SWIG_fail; > + } > +} > + > + > +%exception get_default_context_with_role { > + $action > + if (result < 0) { > + PyErr_SetFromErrno(PyExc_OSError); > + SWIG_fail; > + } > +} > + > + > +%exception get_default_context_with_rolelevel { > + $action > + if (result < 0) { > + PyErr_SetFromErrno(PyExc_OSError); > + SWIG_fail; > + } > +} > + > + > +%exception query_user_context { > + $action > + if (result < 0) { > + PyErr_SetFromErrno(PyExc_OSError); > + SWIG_fail; > + } > +} > + > + > +%exception manual_user_enter_context { > + $action > + if (result < 0) { > + PyErr_SetFromErrno(PyExc_OSError); > + SWIG_fail; > + } > +} > + > + > +%exception get_default_type { > + $action > + if (result < 0) { > + PyErr_SetFromErrno(PyExc_OSError); > + SWIG_fail; > + } > +} > + > + > +%exception selabel_lookup { > + $action > + if (result < 0) { > + PyErr_SetFromErrno(PyExc_OSError); > + SWIG_fail; > + } > +} > + > + > +%exception selabel_lookup_raw { > + $action > + if (result < 0) { > + PyErr_SetFromErrno(PyExc_OSError); > + SWIG_fail; > + } > +} > + > + > +%exception selabel_lookup_best_match { > + $action > + if (result < 0) { > + PyErr_SetFromErrno(PyExc_OSError); > + SWIG_fail; > + } > +} > + > + > +%exception selabel_lookup_best_match_raw { > + $action > + if (result < 0) { > + PyErr_SetFromErrno(PyExc_OSError); > + SWIG_fail; > + } > +} > + > + > +%exception selabel_digest { > + $action > + if (result < 0) { > + PyErr_SetFromErrno(PyExc_OSError); > + SWIG_fail; > + } > +} > + > + > +%exception selinux_restorecon { > + $action > + if (result < 0) { > + PyErr_SetFromErrno(PyExc_OSError); > + SWIG_fail; > + } > +} > + > + > +%exception selinux_restorecon_set_alt_rootpath { > + $action > + if (result < 0) { > + PyErr_SetFromErrno(PyExc_OSError); > + SWIG_fail; > + } > +} > + > + > +%exception selinux_restorecon_xattr { > + $action > + if (result < 0) { > + PyErr_SetFromErrno(PyExc_OSError); > + SWIG_fail; > + } > +} > + > -- > 2.26.0 > A few comments: - overall looks fine, builds and works as expected. - Why the double newline space on the exception swig file? The other .i files seem to do a single newline? is their something I am missing with syntax? - I have the following whitespace warning: Applying: libselinux: add missing glue code to grab errno in Python bindings .git/rebase-apply/patch:444: new blank line at EOF. + warning: 1 line adds whitespace errors.
On Mon, Apr 13, 2020 at 4:18 PM William Roberts <bill.c.roberts@gmail.com> wrote: > > On Sun, Apr 12, 2020 at 3:12 AM Nicolas Iooss <nicolas.iooss@m4x.org> wrote: > > > > The Python bindings for libselinux expose functions such as > > avc_has_perm(), get_ordered_context_list(), etc. When these functions > > encounter an error, they set errno accordingly and return a negative > > value. In order to get the value of errno from Python code, it needs to > > be "forwarded" in a way. This is achieved by glue code in > > selinuxswig_python_exception.i, which implement raising an OSError > > exception from the value of errno. > > > > selinuxswig_python_exception.i was only generating glue code from > > functions declared in selinux.h and not in other headers. Add other > > headers. > > > > selinuxswig_python_exception.i is generated by "bash exception.sh". Mark > > the fact that exception.sh is a Bash script by adding a shebang. This > > makes "shellcheck" not warn about the Bash array which is used to list > > header files. > > > > Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org> > > --- > > libselinux/src/exception.sh | 18 +- > > libselinux/src/selinuxswig_python_exception.i | 396 ++++++++++++++++++ > > 2 files changed, 412 insertions(+), 2 deletions(-) > > > > diff --git a/libselinux/src/exception.sh b/libselinux/src/exception.sh > > index 33ceef804af5..644c7a05ec54 100755 > > --- a/libselinux/src/exception.sh > > +++ b/libselinux/src/exception.sh > > @@ -1,3 +1,5 @@ > > +#!/bin/bash > > + > > function except() { > > case $1 in > > selinux_file_context_cmp) # ignore > > @@ -15,10 +17,22 @@ echo " > > ;; > > esac > > } > > -if ! ${CC:-gcc} -x c -c -I../include -o temp.o - -aux-info temp.aux < ../include/selinux/selinux.h > > + > > +# Make sure that selinux.h is included first in order not to depend on the order > > +# in which "#include <selinux/selinux.h>" appears in other files. > > +FILE_LIST=( > > + ../include/selinux/selinux.h > > + ../include/selinux/avc.h > > + ../include/selinux/context.h > > + ../include/selinux/get_context_list.h > > + ../include/selinux/get_default_type.h > > + ../include/selinux/label.h > > + ../include/selinux/restorecon.h > > +) > > +if ! cat "${FILE_LIST[@]}" | ${CC:-gcc} -x c -c -I../include -o temp.o - -aux-info temp.aux > > then > > # clang does not support -aux-info so fall back to gcc > > - gcc -x c -c -I../include -o temp.o - -aux-info temp.aux < ../include/selinux/selinux.h > > + cat "${FILE_LIST[@]}" | gcc -x c -c -I../include -o temp.o - -aux-info temp.aux > > fi > > for i in `awk '/<stdin>.*extern int/ { print $6 }' temp.aux`; do except $i ; done > > rm -f -- temp.aux temp.o > > diff --git a/libselinux/src/selinuxswig_python_exception.i b/libselinux/src/selinuxswig_python_exception.i > > index cf6582595ee7..9f1f86a5564d 100644 > > --- a/libselinux/src/selinuxswig_python_exception.i > > +++ b/libselinux/src/selinuxswig_python_exception.i > > @@ -952,3 +952,399 @@ > > } > > } > > > > + > > +%exception avc_sid_to_context { > > + $action > > + if (result < 0) { > > + PyErr_SetFromErrno(PyExc_OSError); > > + SWIG_fail; > > + } > > +} > > + > > + > > +%exception avc_sid_to_context_raw { > > + $action > > + if (result < 0) { > > + PyErr_SetFromErrno(PyExc_OSError); > > + SWIG_fail; > > + } > > +} [...] > > A few comments: > - overall looks fine, builds and works as expected. > - Why the double newline space on the exception swig file? The other > .i files seem to do a single newline? > is their something I am missing with syntax? > - I have the following whitespace warning: > Applying: libselinux: add missing glue code to grab errno in Python bindings > .git/rebase-apply/patch:444: new blank line at EOF. > + > warning: 1 line adds whitespace errors. The last two points are due to the way the file is generated, by exception.sh: echo " %exception $1 { \$action if (result < 0) { PyErr_SetFromErrno(PyExc_OSError); SWIG_fail; } } " ... this introduces blank lines both before and after each exception blocks. We could remove the one after the block by using }" in the shell script. I will submit a patch that does this once this patch is merged, as this makes the file cleaner. Thanks, Nicolas
> -----Original Message----- > From: selinux-owner@vger.kernel.org [mailto:selinux-owner@vger.kernel.org] > On Behalf Of Nicolas Iooss > Sent: Monday, April 13, 2020 11:15 AM > To: William Roberts <bill.c.roberts@gmail.com> > Cc: SElinux list <selinux@vger.kernel.org> > Subject: Re: [PATCH 1/3] libselinux: add missing glue code to grab errno in Python > bindings > > On Mon, Apr 13, 2020 at 4:18 PM William Roberts <bill.c.roberts@gmail.com> > wrote: > > > > On Sun, Apr 12, 2020 at 3:12 AM Nicolas Iooss <nicolas.iooss@m4x.org> wrote: > > > > > > The Python bindings for libselinux expose functions such as > > > avc_has_perm(), get_ordered_context_list(), etc. When these > > > functions encounter an error, they set errno accordingly and return > > > a negative value. In order to get the value of errno from Python > > > code, it needs to be "forwarded" in a way. This is achieved by glue > > > code in selinuxswig_python_exception.i, which implement raising an > > > OSError exception from the value of errno. > > > > > > selinuxswig_python_exception.i was only generating glue code from > > > functions declared in selinux.h and not in other headers. Add other > > > headers. > > > > > > selinuxswig_python_exception.i is generated by "bash exception.sh". > > > Mark the fact that exception.sh is a Bash script by adding a > > > shebang. This makes "shellcheck" not warn about the Bash array which > > > is used to list header files. > > > > > > Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org> > > > --- > > > libselinux/src/exception.sh | 18 +- > > > libselinux/src/selinuxswig_python_exception.i | 396 > > > ++++++++++++++++++ > > > 2 files changed, 412 insertions(+), 2 deletions(-) > > > > > > diff --git a/libselinux/src/exception.sh > > > b/libselinux/src/exception.sh index 33ceef804af5..644c7a05ec54 > > > 100755 > > > --- a/libselinux/src/exception.sh > > > +++ b/libselinux/src/exception.sh > > > @@ -1,3 +1,5 @@ > > > +#!/bin/bash > > > + > > > function except() { > > > case $1 in > > > selinux_file_context_cmp) # ignore @@ -15,10 +17,22 @@ echo " > > > ;; > > > esac > > > } > > > -if ! ${CC:-gcc} -x c -c -I../include -o temp.o - -aux-info temp.aux > > > < ../include/selinux/selinux.h > > > + > > > +# Make sure that selinux.h is included first in order not to depend > > > +on the order # in which "#include <selinux/selinux.h>" appears in other files. > > > +FILE_LIST=( > > > + ../include/selinux/selinux.h > > > + ../include/selinux/avc.h > > > + ../include/selinux/context.h > > > + ../include/selinux/get_context_list.h > > > + ../include/selinux/get_default_type.h > > > + ../include/selinux/label.h > > > + ../include/selinux/restorecon.h > > > +) > > > +if ! cat "${FILE_LIST[@]}" | ${CC:-gcc} -x c -c -I../include -o > > > +temp.o - -aux-info temp.aux > > > then > > > # clang does not support -aux-info so fall back to gcc > > > - gcc -x c -c -I../include -o temp.o - -aux-info temp.aux < > ../include/selinux/selinux.h > > > + cat "${FILE_LIST[@]}" | gcc -x c -c -I../include -o temp.o - > > > + -aux-info temp.aux > > > fi > > > for i in `awk '/<stdin>.*extern int/ { print $6 }' temp.aux`; do > > > except $i ; done rm -f -- temp.aux temp.o diff --git > > > a/libselinux/src/selinuxswig_python_exception.i > > > b/libselinux/src/selinuxswig_python_exception.i > > > index cf6582595ee7..9f1f86a5564d 100644 > > > --- a/libselinux/src/selinuxswig_python_exception.i > > > +++ b/libselinux/src/selinuxswig_python_exception.i > > > @@ -952,3 +952,399 @@ > > > } > > > } > > > > > > + > > > +%exception avc_sid_to_context { > > > + $action > > > + if (result < 0) { > > > + PyErr_SetFromErrno(PyExc_OSError); > > > + SWIG_fail; > > > + } > > > +} > > > + > > > + > > > +%exception avc_sid_to_context_raw { > > > + $action > > > + if (result < 0) { > > > + PyErr_SetFromErrno(PyExc_OSError); > > > + SWIG_fail; > > > + } > > > +} > [...] > > > > A few comments: > > - overall looks fine, builds and works as expected. > > - Why the double newline space on the exception swig file? The other > > .i files seem to do a single newline? > > is their something I am missing with syntax? > > - I have the following whitespace warning: > > Applying: libselinux: add missing glue code to grab errno in Python > > bindings > > .git/rebase-apply/patch:444: new blank line at EOF. > > + > > warning: 1 line adds whitespace errors. > > The last two points are due to the way the file is generated, by exception.sh: > > echo " > %exception $1 { > \$action > if (result < 0) { > PyErr_SetFromErrno(PyExc_OSError); > SWIG_fail; > } > } > " > ... this introduces blank lines both before and after each exception blocks. We > could remove the one after the block by using }" in the shell script. I will submit a > patch that does this once this patch is merged, as this makes the file cleaner. WFM. Thanks for fixing this, I used the python bindings eons ago and remember being frustrated I didn't get really good errors. Acked-by: William Roberts <william.c.roberts@intel.com>
> > > -----Original Message----- > > From: selinux-owner@vger.kernel.org [mailto:selinux-owner@vger.kernel.org] > > On Behalf Of Nicolas Iooss > > Sent: Monday, April 13, 2020 11:15 AM > > To: William Roberts <bill.c.roberts@gmail.com> > > Cc: SElinux list <selinux@vger.kernel.org> > > Subject: Re: [PATCH 1/3] libselinux: add missing glue code to grab errno in Python > > bindings > > > > On Mon, Apr 13, 2020 at 4:18 PM William Roberts <bill.c.roberts@gmail.com> > > wrote: > > > > > > On Sun, Apr 12, 2020 at 3:12 AM Nicolas Iooss <nicolas.iooss@m4x.org> wrote: > > > > > > > > The Python bindings for libselinux expose functions such as > > > > avc_has_perm(), get_ordered_context_list(), etc. When these > > > > functions encounter an error, they set errno accordingly and return > > > > a negative value. In order to get the value of errno from Python > > > > code, it needs to be "forwarded" in a way. This is achieved by glue > > > > code in selinuxswig_python_exception.i, which implement raising an > > > > OSError exception from the value of errno. > > > > > > > > selinuxswig_python_exception.i was only generating glue code from > > > > functions declared in selinux.h and not in other headers. Add other > > > > headers. > > > > > > > > selinuxswig_python_exception.i is generated by "bash exception.sh". > > > > Mark the fact that exception.sh is a Bash script by adding a > > > > shebang. This makes "shellcheck" not warn about the Bash array which > > > > is used to list header files. > > > > > > > > Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org> > > > > --- > > > > libselinux/src/exception.sh | 18 +- > > > > libselinux/src/selinuxswig_python_exception.i | 396 > > > > ++++++++++++++++++ > > > > 2 files changed, 412 insertions(+), 2 deletions(-) > > > > > > > > diff --git a/libselinux/src/exception.sh > > > > b/libselinux/src/exception.sh index 33ceef804af5..644c7a05ec54 > > > > 100755 > > > > --- a/libselinux/src/exception.sh > > > > +++ b/libselinux/src/exception.sh > > > > @@ -1,3 +1,5 @@ > > > > +#!/bin/bash > > > > + > > > > function except() { > > > > case $1 in > > > > selinux_file_context_cmp) # ignore @@ -15,10 +17,22 @@ echo " > > > > ;; > > > > esac > > > > } > > > > -if ! ${CC:-gcc} -x c -c -I../include -o temp.o - -aux-info temp.aux > > > > < ../include/selinux/selinux.h > > > > + > > > > +# Make sure that selinux.h is included first in order not to depend > > > > +on the order # in which "#include <selinux/selinux.h>" appears in other files. > > > > +FILE_LIST=( > > > > + ../include/selinux/selinux.h > > > > + ../include/selinux/avc.h > > > > + ../include/selinux/context.h > > > > + ../include/selinux/get_context_list.h > > > > + ../include/selinux/get_default_type.h > > > > + ../include/selinux/label.h > > > > + ../include/selinux/restorecon.h > > > > +) > > > > +if ! cat "${FILE_LIST[@]}" | ${CC:-gcc} -x c -c -I../include -o > > > > +temp.o - -aux-info temp.aux > > > > then > > > > # clang does not support -aux-info so fall back to gcc > > > > - gcc -x c -c -I../include -o temp.o - -aux-info temp.aux < > > ../include/selinux/selinux.h > > > > + cat "${FILE_LIST[@]}" | gcc -x c -c -I../include -o temp.o - > > > > + -aux-info temp.aux > > > > fi > > > > for i in `awk '/<stdin>.*extern int/ { print $6 }' temp.aux`; do > > > > except $i ; done rm -f -- temp.aux temp.o diff --git > > > > a/libselinux/src/selinuxswig_python_exception.i > > > > b/libselinux/src/selinuxswig_python_exception.i > > > > index cf6582595ee7..9f1f86a5564d 100644 > > > > --- a/libselinux/src/selinuxswig_python_exception.i > > > > +++ b/libselinux/src/selinuxswig_python_exception.i > > > > @@ -952,3 +952,399 @@ > > > > } > > > > } > > > > > > > > + > > > > +%exception avc_sid_to_context { > > > > + $action > > > > + if (result < 0) { > > > > + PyErr_SetFromErrno(PyExc_OSError); > > > > + SWIG_fail; > > > > + } > > > > +} > > > > + > > > > + > > > > +%exception avc_sid_to_context_raw { > > > > + $action > > > > + if (result < 0) { > > > > + PyErr_SetFromErrno(PyExc_OSError); > > > > + SWIG_fail; > > > > + } > > > > +} > > [...] > > > > > > A few comments: > > > - overall looks fine, builds and works as expected. > > > - Why the double newline space on the exception swig file? The other > > > .i files seem to do a single newline? > > > is their something I am missing with syntax? > > > - I have the following whitespace warning: > > > Applying: libselinux: add missing glue code to grab errno in Python > > > bindings > > > .git/rebase-apply/patch:444: new blank line at EOF. > > > + > > > warning: 1 line adds whitespace errors. > > > > The last two points are due to the way the file is generated, by exception.sh: > > > > echo " > > %exception $1 { > > \$action > > if (result < 0) { > > PyErr_SetFromErrno(PyExc_OSError); > > SWIG_fail; > > } > > } > > " > > ... this introduces blank lines both before and after each exception blocks. We > > could remove the one after the block by using }" in the shell script. I will submit a > > patch that does this once this patch is merged, as this makes the file cleaner. > > WFM. Thanks for fixing this, I used the python bindings eons ago and remember > being frustrated I didn't get really good errors. > > Acked-by: William Roberts <william.c.roberts@intel.com> Merged: https://github.com/SELinuxProject/selinux/pull/221
diff --git a/libselinux/src/exception.sh b/libselinux/src/exception.sh index 33ceef804af5..644c7a05ec54 100755 --- a/libselinux/src/exception.sh +++ b/libselinux/src/exception.sh @@ -1,3 +1,5 @@ +#!/bin/bash + function except() { case $1 in selinux_file_context_cmp) # ignore @@ -15,10 +17,22 @@ echo " ;; esac } -if ! ${CC:-gcc} -x c -c -I../include -o temp.o - -aux-info temp.aux < ../include/selinux/selinux.h + +# Make sure that selinux.h is included first in order not to depend on the order +# in which "#include <selinux/selinux.h>" appears in other files. +FILE_LIST=( + ../include/selinux/selinux.h + ../include/selinux/avc.h + ../include/selinux/context.h + ../include/selinux/get_context_list.h + ../include/selinux/get_default_type.h + ../include/selinux/label.h + ../include/selinux/restorecon.h +) +if ! cat "${FILE_LIST[@]}" | ${CC:-gcc} -x c -c -I../include -o temp.o - -aux-info temp.aux then # clang does not support -aux-info so fall back to gcc - gcc -x c -c -I../include -o temp.o - -aux-info temp.aux < ../include/selinux/selinux.h + cat "${FILE_LIST[@]}" | gcc -x c -c -I../include -o temp.o - -aux-info temp.aux fi for i in `awk '/<stdin>.*extern int/ { print $6 }' temp.aux`; do except $i ; done rm -f -- temp.aux temp.o diff --git a/libselinux/src/selinuxswig_python_exception.i b/libselinux/src/selinuxswig_python_exception.i index cf6582595ee7..9f1f86a5564d 100644 --- a/libselinux/src/selinuxswig_python_exception.i +++ b/libselinux/src/selinuxswig_python_exception.i @@ -952,3 +952,399 @@ } } + +%exception avc_sid_to_context { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception avc_sid_to_context_raw { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception avc_context_to_sid { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception avc_context_to_sid_raw { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception sidget { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception sidput { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception avc_get_initial_sid { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception avc_init { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception avc_open { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception avc_reset { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception avc_has_perm_noaudit { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception avc_has_perm { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception avc_compute_create { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception avc_compute_member { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception avc_add_callback { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception avc_netlink_open { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception avc_netlink_acquire_fd { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception avc_netlink_check_nb { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception selinux_status_open { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception selinux_status_updated { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception selinux_status_getenforce { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception selinux_status_policyload { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception selinux_status_deny_unknown { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception context_type_set { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception context_range_set { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception context_role_set { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception context_user_set { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception get_ordered_context_list { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception get_ordered_context_list_with_level { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception get_default_context { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception get_default_context_with_level { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception get_default_context_with_role { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception get_default_context_with_rolelevel { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception query_user_context { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception manual_user_enter_context { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception get_default_type { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception selabel_lookup { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception selabel_lookup_raw { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception selabel_lookup_best_match { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception selabel_lookup_best_match_raw { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception selabel_digest { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception selinux_restorecon { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception selinux_restorecon_set_alt_rootpath { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception selinux_restorecon_xattr { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} +
The Python bindings for libselinux expose functions such as avc_has_perm(), get_ordered_context_list(), etc. When these functions encounter an error, they set errno accordingly and return a negative value. In order to get the value of errno from Python code, it needs to be "forwarded" in a way. This is achieved by glue code in selinuxswig_python_exception.i, which implement raising an OSError exception from the value of errno. selinuxswig_python_exception.i was only generating glue code from functions declared in selinux.h and not in other headers. Add other headers. selinuxswig_python_exception.i is generated by "bash exception.sh". Mark the fact that exception.sh is a Bash script by adding a shebang. This makes "shellcheck" not warn about the Bash array which is used to list header files. Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org> --- libselinux/src/exception.sh | 18 +- libselinux/src/selinuxswig_python_exception.i | 396 ++++++++++++++++++ 2 files changed, 412 insertions(+), 2 deletions(-)